File name: | purchase order.doc |
Full analysis: | https://app.any.run/tasks/7ea52ae3-0de7-4f25-bc3f-ccdfec22baa6 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | June 19, 2019, 03:16:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | B819877F4D1F3639902A3716C48E5994 |
SHA1: | 82410483EAE34FC15F10CF1185E7B42787750518 |
SHA256: | 24A6293BA60DBF92BC3391E24F9DBC78A8E2A1B8751C4A6333A19033E9522FAB |
SSDEEP: | 24576:pd6qlMEjK5+nmJdGMBHLCpVMkTYe/U0mn1pDkAE7EG2elVPGjOjrGv05SoFU:+ |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3932 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\purchase order.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 1 Version: 14.0.6024.1000 | ||||
1572 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2324 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2328 | C:\Windows\system32\cmd.exe /K mt6nzqofd.CMD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2856 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3084 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2180 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1040 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1892 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3144 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR42F8.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2328 | cmd.exe | C:\Users\admin\AppData\Local\Temp\_.vbs | text | |
MD5:BF9646FA68CAE0CE69FBF7FFF70D65B5 | SHA256:CC7DD8CF31F4634A109AC5A14931F8A4E55F528B36C40B0D109B9147B8E7C928 | |||
3932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\kulebiaka.ZiP | compressed | |
MD5:2B5656B2F1626D9C406C325099EB89E3 | SHA256:058A56FA1378E34E916E2F731466B24AAEC0BFF48AECA9F99A142FA431CCBF5C | |||
2172 | cscript.exe | C:\Users\admin\AppData\Local\Temp\saver.scr | executable | |
MD5:29FEC7816D483426CD55DE8714735D8C | SHA256:AF218E7B5A67091B7955C3CA4538EE49CB8E2A9B38D83E6F4B0443AACE856101 | |||
2172 | cscript.exe | C:\Users\admin\AppData\Local\Temp\gondi.doc | text | |
MD5:6291D5A22FCE652360616BD330E07082 | SHA256:80AE0226822B684927280C63CA9F4E683C121FA62715E02909DECC298C03B506 | |||
3932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\mt6nzqofd.cmd | text | |
MD5:B5B6D0CC5AE87D9B02585E5B3246C1A2 | SHA256:15C6536DD7A47ADD995049F4E54D86F69F50BB20FE29B88B5AE809A888730A5E | |||
3308 | saver.scr | C:\Users\admin\AppData\Local\Temp\636965146553755000_8a35233a-b73f-4912-943d-d63da4467334.db | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
3932 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:B19FF5CEFD1DA5D0F2805A945B570C3C | SHA256:F75A592B67565D406D9D7F15EC8C276CD6D0D5E54AD5EF87413F565E44175FC9 | |||
3932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{62D90A86-B78C-4F7A-BDE1-31C04A785FB9}.tmp | binary | |
MD5:2AE3D2C978E132C5C8142E99AD19407A | SHA256:8EAB0C94DAF2EB3E244968830785B88748FD9C3D141F4BF55A027293D248255F | |||
3932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$rchase order.doc | pgc | |
MD5:044F5E47F7834AF37E5A322E05D45A59 | SHA256:48516477C16901A22B34B8AB9A9D2F1151D218867BE0F17C9C99F936277761CF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 2.16.186.35:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted |
3308 | saver.scr | GET | 200 | 34.233.102.38:80 | http://checkip.amazonaws.com/ | US | text | 15 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 2.16.186.35:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | — | whitelisted |
3308 | saver.scr | 82.221.130.149:587 | smtp.vivaldi.net | Thor Data Center ehf | IS | unknown |
3308 | saver.scr | 34.233.102.38:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
2776 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted |
Domain | IP | Reputation |
---|---|---|
smtp.vivaldi.net |
| shared |
notepad-plus-plus.org |
| whitelisted |
isrg.trustid.ocsp.identrust.com |
| whitelisted |
checkip.amazonaws.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3308 | saver.scr | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3308 | saver.scr | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
|