File name: | 998890-0996544scan.doc |
Full analysis: | https://app.any.run/tasks/69aa58dc-d0ba-405d-b0b9-c43322bbe79b |
Verdict: | Malicious activity |
Analysis date: | January 23, 2019, 00:38:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 837170A5B5D85B20D3E4C01228F5D74B |
SHA1: | 578E3AC7888126144E4E6080CEC0981D3281F664 |
SHA256: | 09BC978EBDC88D4F2CD380F14A33D8181F99F5D42DFDA3D4E48CCE6447A6E8F9 |
SSDEEP: | 24576:wfdvUZaOtZTmZhm4L1LNDHGNEzUFLoHLim7GKELfL8fnIC:u |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2856 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\998890-0996544scan.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 1 Version: 14.0.6024.1000 | ||||
3864 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2256 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2512 | C:\Windows\system32\cmd.exe /K itnqknf5.CMD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3052 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3512 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3944 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2436 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2540 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3252 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | {g$ |
Value: 7B672400280B0000010000000000000000000000 | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1312227358 | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1312227472 | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1312227473 | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: 280B0000D8708A08B4B2D40100000000 | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | rh$ |
Value: 72682400280B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | rh$ |
Value: 72682400280B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9B5B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uffm.cmd | text | |
MD5:D262EFBD41B7F25E9D0B88BDBC4FD817 | SHA256:CD22927DEA8C9B3C9CFBC9F4EF85AC677ADB8CB4C353CBC2CC47034C1BEF5159 | |||
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\a.ScT | xml | |
MD5:B079D52F89759AB61A9B7EFA9367CA17 | SHA256:A9EEF1BEA82EBAF0F71E356D77EC980FA087F56F6C665C58011BCB6FA98E4501 | |||
2856 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:4C236A869C06F844D1F2AA0C15AFFBBC | SHA256:DA5256FA675BD9248F1FECB9AE07BCD2807A0A0129369EE4EAFE881D1C3ABD88 | |||
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{660E7199-018B-4581-B782-AD8AB228E4DC}.tmp | binary | |
MD5:B279EC8A2A9EE283EC9C2D7615DD8B6F | SHA256:AC50F03038E66605BEC5E04C50051C01F7F028CAA0DF4D680BDFBBA6013B108C | |||
2512 | cmd.exe | C:\Users\admin\AppData\Local\Temp\_.vbs | text | |
MD5:778643D184339788FEAD87C5043A6BEA | SHA256:FFEDB6EF220F09EC30ECAD07D897C14F59591A2F05D160308C11FC763AFF6060 | |||
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$8890-0996544scan.doc.rtf | pgc | |
MD5:931AAD9CC6E08F2689603CDD2561E2E1 | SHA256:466E0D61169F8C956020AFDDC30011B029E3F17503DC512A58B1EB9E3AA29846 | |||
4092 | cscript.exe | C:\Users\admin\AppData\Local\Temp\gondi.doc | text | |
MD5:3790051BC2F564F6337614417202E89E | SHA256:A3C8998B02922559F2BBA9BA6E6F8C4C356AD7232370D430EDB1F63C74402172 | |||
4092 | cscript.exe | C:\Users\admin\AppData\Local\Temp\saver.scr | executable | |
MD5:624B11BDF913A445B2AAB98C9F1DB4B5 | SHA256:0C60D589E321611A68CCC28C3566D6DA7C261E098573DEE2F0B93233F9821280 | |||
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C4F4EA2F-6E1E-4465-BA69-1AB66986526F}.tmp | binary | |
MD5:DC4A0BE68F137F2632D47422369EA42B | SHA256:5F35DE9F499BD393324B08C9E30687317003D0F2706067DD516D86C936571117 |