File name: | Faisal Bari.CV.doc |
Full analysis: | https://app.any.run/tasks/f65c971e-a407-4585-b155-557e5cb83230 |
Verdict: | Malicious activity |
Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
Analysis date: | January 10, 2019, 15:33:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 708B34963703BDB30296A9F277FCDCB8 |
SHA1: | 4A57B46DC0388A26B3E394A5BCA77C48CA9D2F0A |
SHA256: | 1A49B4370584244FFE612F23ED13433DFE340836C413F9BDEB2B8FAE6A1A51E0 |
SSDEEP: | 24576:jakyUbuCyde71rrHWuz1V4FXL5njTgOjyeyDio6TF8bK+skY3t1OB:z |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3076 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Faisal Bari.CV.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 1 Version: 14.0.6024.1000 | ||||
2292 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\dqfm.cMd" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2968 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3244 | C:\Windows\system32\cmd.exe /K C:\Users\admin\AppData\Local\Temp\hondi.cmd | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3804 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\dqfm.cMd" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3904 | TIMEOUT 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2752 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2828 | C:\Users\admin\AppData\Local\Temp\mondi.eXe | C:\Users\admin\AppData\Local\Temp\mondi.exe | — | cmd.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.0.0.0 | ||||
3056 | TASKKILL /F /IM winword.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2964 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Version: 00110900 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3076 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREF75.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3076 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D512D016B6D8FC09C9D73080393CD633 | SHA256:E12CC561D707114629B3DAA016753E27BBF4954359B14694E71C0926457DABF5 | |||
3076 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$isal Bari.CV.doc | pgc | |
MD5:9AD8AB0C675CBD701D96422A8F63D4C0 | SHA256:16C3C04DEBAA3386A51A0F01E6E1E10844E3F023CBC958452679970D8A570564 | |||
3076 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\hondi.cmd | text | |
MD5:54CA3A500C443EABBCE1970B5B43A327 | SHA256:70A48CA2C20EFD4D0B1192C2FA84D2AFF25FD4CC094AEFF3491FFAEB18F53D8C | |||
3076 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{700E7F2D-CAB8-4B82-B186-FB3A95F52922}.tmp | binary | |
MD5:86545E6955C44CA708B6B651F9AF55D8 | SHA256:AE34256167D90DDB8173AE9B9648D8A97CD2D27BB9DD1C75A554C40EDD8A5D79 | |||
3076 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\dqfm.cmd | text | |
MD5:308D8E82E7ADC9279E411F982E6498EE | SHA256:94EB53C44C0B67B261BFF82D58E488DE542846AA1E2573BE375221AC68BBB00C | |||
2828 | mondi.exe | C:\Users\admin\AppData\Local\Temp\tmpAAA7.tmp | xml | |
MD5:B7922BA310BE5621022C3EC64134A566 | SHA256:C52367D486BCE3B4BD3D37F420658501E35D8400E0E0F88BE6FFCE3E3E92DBF8 | |||
3076 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\gondi.doc | document | |
MD5:4198FB827362BBB68A72498100B5D7BD | SHA256:5829999A4328A0CEF0D34E237C8645194A1F74D81C7F01B494651B113D580E0E | |||
3076 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\mondi.exe | executable | |
MD5:337BF899F972F5C172F4725EAA9A2BEB | SHA256:989F5D46B6452F784D779AAFB4951C6562D780A243CCE952929F1F1840EC5487 | |||
2452 | mondi.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | fli | |
MD5:0038F6CE3BCE3206D8CE9F75D1608AA7 | SHA256:F2D7EEC149C055BA36A71F6EDF109A260030DDB287CD771D27C9385F7FD59F0C |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2452 | mondi.exe | 185.244.30.95:9003 | — | — | — | unknown |