File name: | Aug PO (Damen).doc |
Full analysis: | https://app.any.run/tasks/186c34d6-4e9d-4600-8154-0e34d8588a45 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | July 17, 2019, 13:17:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | D093FD38B6D21C49D5DB84938D81C79E |
SHA1: | 53E5D688E70B5DAFBC019A13FAB488D34C80EAA1 |
SHA256: | 09ADF940019F652180F070F44030D227F30A5E76C4B6835995BB275A454F4929 |
SSDEEP: | 3072:q7fcofgjDN/ITZ92+OcLfgjDNbITZ92+/cnfgjDNxITZ92+Bt:xofK5/ITbtjLfK5bITbt0nfK5xITbtBt |
.rtf | | | Rich Text Format (100) |
---|
InternalVersionNumber: | 107 |
---|---|
CharactersWithSpaces: | 78 |
Characters: | 68 |
Words: | 11 |
Pages: | 1 |
TotalEditTime: | - |
RevisionNumber: | 1 |
ModifyDate: | 2019:07:17 04:03:00 |
CreateDate: | 2019:07:17 04:03:00 |
LastModifiedBy: | Administrator |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2844 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Aug PO (Damen).doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1260 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
1516 | "C:\Users\admin\AppData\Local\Temp\ntjupsb.exe" | C:\Users\admin\AppData\Local\Temp\ntjupsb.exe | — | EXCEL.EXE |
User: admin Company: Saab Integrity Level: MEDIUM Description: Platformer Exit code: 0 Version: 1.0.0.0 | ||||
2804 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2948 | "C:\Users\admin\AppData\Local\Temp\ntjupsb.exe" | C:\Users\admin\AppData\Local\Temp\ntjupsb.exe | — | EXCEL.EXE |
User: admin Company: Saab Integrity Level: MEDIUM Description: Platformer Exit code: 0 Version: 1.0.0.0 | ||||
3932 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3588 | "C:\Users\admin\AppData\Local\Temp\ntjupsb.exe" | C:\Users\admin\AppData\Local\Temp\ntjupsb.exe | — | EXCEL.EXE |
User: admin Company: Saab Integrity Level: MEDIUM Description: Platformer Exit code: 0 Version: 1.0.0.0 | ||||
2824 | "C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding | C:\Program Files\Microsoft Office\Office14\excelcnv.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
876 | "C:\Users\admin\AppData\Local\Temp\ntjupsb.exe" | C:\Users\admin\AppData\Local\Temp\ntjupsb.exe | ntjupsb.exe | |
User: admin Company: Saab Integrity Level: MEDIUM Description: Platformer Version: 1.0.0.0 | ||||
2264 | "C:\Users\admin\AppData\Local\Temp\ntjupsb.exe" | C:\Users\admin\AppData\Local\Temp\ntjupsb.exe | ntjupsb.exe | |
User: admin Company: Saab Integrity Level: MEDIUM Description: Platformer Exit code: 4294967295 Version: 1.0.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD08E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1260 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD85E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2804 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE474.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3932 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVREB2B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2824 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\CVRF230.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2824 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\~DF7D2F8CF929BA428E.TMP | — | |
MD5:— | SHA256:— | |||
2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFB97CEC19075A1058.TMP | — | |
MD5:— | SHA256:— | |||
2824 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\~DFB85D08B0ECDCEBA6.TMP | — | |
MD5:— | SHA256:— | |||
2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF1B627C6FA3EAF689.TMP | — | |
MD5:— | SHA256:— | |||
2824 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\~DFCE86D3934294A19B.TMP | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2804 | EXCEL.EXE | GET | 304 | 165.22.253.11:80 | http://165.22.253.11/msword2019.exe | US | — | — | suspicious |
3932 | EXCEL.EXE | GET | 304 | 165.22.253.11:80 | http://165.22.253.11/msword2019.exe | US | — | — | suspicious |
1260 | EXCEL.EXE | GET | 200 | 165.22.253.11:80 | http://165.22.253.11/msword2019.exe | US | executable | 836 Kb | suspicious |
2264 | ntjupsb.exe | GET | 200 | 162.88.193.70:80 | http://checkip.dyndns.org/ | US | html | 105 b | shared |
876 | ntjupsb.exe | GET | 200 | 162.88.193.70:80 | http://checkip.dyndns.org/ | US | html | 105 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1260 | EXCEL.EXE | 165.22.253.11:80 | — | — | US | suspicious |
876 | ntjupsb.exe | 66.220.9.50:5546 | — | Hurricane Electric, Inc. | US | malicious |
3932 | EXCEL.EXE | 165.22.253.11:80 | — | — | US | suspicious |
876 | ntjupsb.exe | 66.220.9.50:21 | — | Hurricane Electric, Inc. | US | malicious |
2804 | EXCEL.EXE | 165.22.253.11:80 | — | — | US | suspicious |
2264 | ntjupsb.exe | 162.88.193.70:80 | checkip.dyndns.org | — | US | malicious |
876 | ntjupsb.exe | 162.88.193.70:80 | checkip.dyndns.org | — | US | malicious |
2144 | ntjupsb.exe | 162.88.193.70:80 | checkip.dyndns.org | — | US | malicious |
Domain | IP | Reputation |
---|---|---|
checkip.dyndns.org |
| shared |
PID | Process | Class | Message |
---|---|---|---|
1260 | EXCEL.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
1260 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 |
1260 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL |
1260 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
1260 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1260 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
1260 | EXCEL.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
2804 | EXCEL.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
2804 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 |
2804 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL |