File name: | TT_180000 WIRE TRANSFER8JNBLGGH5FV99_0_0010.doc |
Full analysis: | https://app.any.run/tasks/4731c677-7a79-4c81-a999-b42e690fbcf7 |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | June 19, 2019, 04:25:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 752B042E0E1AEFAD3F60CD9A957C2ED5 |
SHA1: | 833DAEAEFBF19B84266FD42F33061B096F1AE237 |
SHA256: | 59D9F25B236A9256623FF95C2236FE9E40979B6E85E4C0BA7436DCC61C895067 |
SSDEEP: | 96:n7B6vxNFLpbyRVtgqH9krd5XFbDxn5yy4+kRrGKix3E8BGag6:N6xNFlb+jxqRln5pLgMVpBe6 |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2264 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\TT_180000 WIRE TRANSFER8JNBLGGH5FV99_0_0010.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.5123.5000 | ||||
2292 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2336 | "C:\Users\admin\AppData\Roaming\naonsultane.exe" | C:\Users\admin\AppData\Roaming\naonsultane.exe | — | EQNEDT32.EXE |
User: admin Integrity Level: MEDIUM Description: Binjhawari8 Exit code: 0 Version: 1.07.0009 | ||||
280 | C:\Users\admin\AppData\Roaming\naonsultane.exe" | C:\Users\admin\AppData\Roaming\naonsultane.exe | naonsultane.exe | |
User: admin Integrity Level: MEDIUM Description: Binjhawari8 Exit code: 0 Version: 1.07.0009 | ||||
2548 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs" | C:\Windows\SysWOW64\WScript.exe | — | naonsultane.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3052 | "C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exe" | C:\Windows\SysWOW64\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2844 | C:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exe | C:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exe | — | cmd.exe |
User: admin Integrity Level: MEDIUM Description: Binjhawari8 Exit code: 0 Version: 1.07.0009 | ||||
2024 | :\Users\admin\AppData\Roaming\hpsupport\hpsupport.exe | C:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exe | hpsupport.exe | |
User: admin Integrity Level: MEDIUM Description: Binjhawari8 Version: 1.07.0009 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2264 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5291.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2264 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E7A7A3C4-97B4-4776-B4D7-DD7E49EB823F}.tmp | — | |
MD5:— | SHA256:— | |||
2264 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1AE8E3B9-4848-43C6-B5C9-961F093538ED}.tmp | — | |
MD5:— | SHA256:— | |||
2264 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3D8BE822-95B4-42F4-B4B5-CD63AB21AA00}.tmp | — | |
MD5:— | SHA256:— | |||
2292 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\a[1].exe | executable | |
MD5:2E860E4197F93BE2A6F3C60646E7AE5A | SHA256:E3ECBB93F6690350F23865302F51F1C4CC9237E36C254905DAE42E1264813515 | |||
2292 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\naonsultane.exe | executable | |
MD5:2E860E4197F93BE2A6F3C60646E7AE5A | SHA256:E3ECBB93F6690350F23865302F51F1C4CC9237E36C254905DAE42E1264813515 | |||
2264 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\TT_180000 WIRE TRANSFER8JNBLGGH5FV99_0_0010.LNK | lnk | |
MD5:0B6F08BE736DAAEE005A16539D759A50 | SHA256:D8AC7854B46A96B4A4ADADD63F6376953F02E2CCCE8C46C2ED134803B7979849 | |||
280 | naonsultane.exe | C:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exe | executable | |
MD5:2E860E4197F93BE2A6F3C60646E7AE5A | SHA256:E3ECBB93F6690350F23865302F51F1C4CC9237E36C254905DAE42E1264813515 | |||
2024 | hpsupport.exe | C:\Users\admin\AppData\Roaming\hpsupport\logs.dat | text | |
MD5:EB2BB624C352E6305C36BC0C8B80DA8C | SHA256:2F3473C44003AD4BD9DAD159E98594B261D904ABF1982D416220A40A1EAC2A17 | |||
2264 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:32961079F760BF92D37F32E87ADE710F | SHA256:9B8EA81C4C0B5F40C49439C2C61C55F1F5BBEE77A89DF5489E2F14013A0FD33E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2292 | EQNEDT32.EXE | GET | 200 | 136.243.69.18:443 | https://www.arshadconsultancy.com/a/a.exe | DE | executable | 492 Kb | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2292 | EQNEDT32.EXE | 136.243.69.18:443 | www.arshadconsultancy.com | Hetzner Online GmbH | DE | unknown |
2024 | hpsupport.exe | 185.247.228.250:5001 | cemileorucs.ddns.net | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
www.arshadconsultancy.com |
| unknown |
cemileorucs.ddns.net |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2024 | hpsupport.exe | A Network Trojan was detected | ET TROJAN Remcos RAT Checkin 23 |
2024 | hpsupport.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |
2024 | hpsupport.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT |
2024 | hpsupport.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |
2024 | hpsupport.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT |