File name: | Document.doc |
Full analysis: | https://app.any.run/tasks/cbf9f448-1716-49db-83a3-57fd7ec6206c |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | July 18, 2019, 05:07:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | BEB86A6171A5311949C82F451B8EB934 |
SHA1: | 479D29D8F03DCC67E3F490ECC9B304C25FBAB506 |
SHA256: | 3F7978A8ACCF0041A9F01DE14134256C7C6E8B667183641F21349C947CE92346 |
SSDEEP: | 1536:mrokUe1ehegeqfD3oZ1OkHFRIxPILSQWns3R:mroeZmxgLSQWno |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2856 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Document.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2988 | C:\Users\admin\AppData\Roaming\u.exe | C:\Users\admin\AppData\Roaming\u.exe | — | WINWORD.EXE |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2240 | "schtasks.exe" /query | C:\Windows\system32\schtasks.exe | — | u.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3484 | "schtasks.exe" /create /sc MINUTE /tn microsoft /MO 1 /tr C:\Users\admin\AppData\Roaming\u.exe | C:\Windows\system32\schtasks.exe | — | u.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3912 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | u.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Version: 8.0.50727.5420 |
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | n)< |
Value: 6E293C00280B0000010000000000000000000000 | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1324482590 | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1324482704 | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1324482705 | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: 280B0000B42206AC263DD50100000000 | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | '+< |
Value: 272B3C00280B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | '+< |
Value: 272B3C00280B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2856) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDDEE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\387B71FA.png | — | |
MD5:— | SHA256:— | |||
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$cument.doc.rtf | pgc | |
MD5:F9498376CA1A6CE563FAEF355D608F9E | SHA256:CD29C9FE78AF550D31143A828F73070E733A5899E133042BB54B4D6070E03A90 | |||
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Abctfhghghghghg.sct | binary | |
MD5:A6F843FA4DEAACFF46C6AAC06BB2F836 | SHA256:7712156253B0589ECE122D22B1BC795E746ABA461827EE21B01ECE2A52D2B333 | |||
2856 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:4A940B0EB7813A577FC697A20F4AA1E7 | SHA256:FDEDCB8C518AD29752CCC1FA87D523F7498CAADE24F16AAE91652B3E3E387953 | |||
2856 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\u.exe | executable | |
MD5:20680A3D6510B524B3822862154CCC00 | SHA256:45F7B1401F8197413D626E2C1C1DDC5C46EE7E8ACC6B1A8B502063A4F3A52131 | |||
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\u[1].exe | executable | |
MD5:20680A3D6510B524B3822862154CCC00 | SHA256:45F7B1401F8197413D626E2C1C1DDC5C46EE7E8ACC6B1A8B502063A4F3A52131 | |||
3912 | vbc.exe | C:\Users\admin\AppData\Roaming\remcos\logs.dat | text | |
MD5:1476A52EA99CDBFBA33E3C9893B22D55 | SHA256:011E7CC9C21ED0B2E2ACAECE626F4C68D767694FF9D244CA768059D27084FBD6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2856 | WINWORD.EXE | GET | 200 | 108.170.57.54:80 | http://danmaxexpress.com/ssl/u.exe | US | executable | 518 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3912 | vbc.exe | 185.247.228.189:7535 | princedaniels.duckdns.org | — | — | malicious |
2856 | WINWORD.EXE | 108.170.57.54:80 | danmaxexpress.com | SECURED SERVERS LLC | US | suspicious |
Domain | IP | Reputation |
---|---|---|
danmaxexpress.com |
| malicious |
princedaniels.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2856 | WINWORD.EXE | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
2856 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 |
2856 | WINWORD.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
2856 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3912 | vbc.exe | A Network Trojan was detected | ET TROJAN Remcos RAT Checkin 23 |
3912 | vbc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |
3912 | vbc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT |
3912 | vbc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |
3912 | vbc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT |