General Info

File name
Proposal.doc
Full analysis
https://app.any.run/tasks/e6155828-21ca-4489-8bd3-d4c049cfc7c6
Verdict
Malicious activity
Analysis date
5/15/2019, 01:14:40
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
  • ole-embedded
  • trojan
  • rat
  • revenge
Indicators:

MIME:
text/rtf
File info:
Rich Text Format data, version 1, ANSI
MD5
6edc7c666cdcd12f7905ddaf92218df5
SHA1
d8ff8534bd441317830894f52ce5ec8b69725471
SHA256
62b076effd55499b3f2485976494c9d7b329744bfa34438abecb6f8a4a385337
SSDEEP
3072:l/RE7QuGU/REDQuGn/RE7QuGi/REvQuGv/REXQuGn/REvQuGm:lZ4HZgQZQNZEUZcUZ0B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Changes settings of System certificates
  • mshta.exe (PID: 2152)
  • mshta.exe (PID: 2872)
  • mshta.exe (PID: 1492)
  • mshta.exe (PID: 2852)
  • mshta.exe (PID: 2920)
Uses TASKKILL.EXE to kill antiviruses
  • forfiles.exe (PID: 2812)
  • forfiles.exe (PID: 2836)
  • forfiles.exe (PID: 3920)
  • forfiles.exe (PID: 2896)
  • forfiles.exe (PID: 3540)
  • forfiles.exe (PID: 4036)
Loads the Task Scheduler COM API
  • schtasks.exe (PID: 2356)
  • schtasks.exe (PID: 764)
  • schtasks.exe (PID: 3060)
  • schtasks.exe (PID: 1160)
Uses Task Scheduler to run other applications
  • mshta.exe (PID: 2568)
  • mshta.exe (PID: 3940)
  • mshta.exe (PID: 1784)
  • mshta.exe (PID: 2956)
Unusual execution from Microsoft Office
  • EXCEL.EXE (PID: 3176)
  • EXCEL.EXE (PID: 3224)
  • EXCEL.EXE (PID: 2672)
  • EXCEL.EXE (PID: 868)
  • EXCEL.EXE (PID: 2312)
Starts MSHTA.EXE for opening HTA or HTMLS files
  • EXCEL.EXE (PID: 3176)
  • EXCEL.EXE (PID: 3224)
  • EXCEL.EXE (PID: 2672)
  • EXCEL.EXE (PID: 868)
  • EXCEL.EXE (PID: 2312)
Connects to CnC server
  • powershell.exe (PID: 916)
REVENGE was detected
  • powershell.exe (PID: 916)
Creates files in the user directory
  • powershell.exe (PID: 3628)
  • powershell.exe (PID: 1396)
  • powershell.exe (PID: 1252)
  • powershell.exe (PID: 2976)
  • powershell.exe (PID: 3208)
  • powershell.exe (PID: 4048)
  • powershell.exe (PID: 2904)
  • powershell.exe (PID: 916)
  • powershell.exe (PID: 2832)
  • mshta.exe (PID: 2956)
Application launched itself
  • mshta.exe (PID: 2152)
  • mshta.exe (PID: 2872)
  • mshta.exe (PID: 1492)
  • mshta.exe (PID: 2852)
  • mshta.exe (PID: 2920)
Executes PowerShell scripts
  • cmd.exe (PID: 1892)
  • cmd.exe (PID: 1896)
  • cmd.exe (PID: 456)
  • cmd.exe (PID: 3740)
  • cmd.exe (PID: 3812)
  • cmd.exe (PID: 1708)
  • cmd.exe (PID: 1928)
  • cmd.exe (PID: 3028)
  • cmd.exe (PID: 1688)
  • cmd.exe (PID: 2984)
Starts MSHTA.EXE for opening HTA or HTMLS files
  • mshta.exe (PID: 2152)
  • mshta.exe (PID: 2872)
  • mshta.exe (PID: 1492)
  • mshta.exe (PID: 2852)
  • mshta.exe (PID: 2920)
Adds / modifies Windows certificates
  • mshta.exe (PID: 2152)
  • mshta.exe (PID: 2872)
  • mshta.exe (PID: 1492)
  • mshta.exe (PID: 2852)
  • mshta.exe (PID: 2920)
Starts CMD.EXE for commands execution
  • forfiles.exe (PID: 2940)
  • mshta.exe (PID: 2568)
  • forfiles.exe (PID: 1720)
  • mshta.exe (PID: 3940)
  • mshta.exe (PID: 1784)
  • forfiles.exe (PID: 1728)
  • forfiles.exe (PID: 3604)
  • mshta.exe (PID: 2956)
Uses TASKKILL.EXE to kill process
  • forfiles.exe (PID: 3172)
  • forfiles.exe (PID: 2588)
  • forfiles.exe (PID: 3672)
  • forfiles.exe (PID: 3144)
  • forfiles.exe (PID: 1204)
  • forfiles.exe (PID: 3568)
Reads internet explorer settings
  • mshta.exe (PID: 2152)
  • mshta.exe (PID: 2568)
  • mshta.exe (PID: 3940)
  • mshta.exe (PID: 2872)
  • mshta.exe (PID: 1492)
  • mshta.exe (PID: 1784)
  • mshta.exe (PID: 2852)
  • mshta.exe (PID: 2956)
  • mshta.exe (PID: 2920)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 3176)
  • EXCEL.EXE (PID: 3224)
  • EXCEL.EXE (PID: 2672)
  • EXCEL.EXE (PID: 868)
  • EXCEL.EXE (PID: 2312)
  • WINWORD.EXE (PID: 3456)
Reads settings of System Certificates
  • powershell.exe (PID: 2976)
  • powershell.exe (PID: 4048)
  • powershell.exe (PID: 916)
Creates files in the user directory
  • WINWORD.EXE (PID: 3456)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.rtf | Rich Text Format (100%)

Processes

Total processes
214
Monitored processes
166
Malicious processes
30
Suspicious processes
6

Behavior graph

(Interactive process graph not reproduced. The chain starts from winword.exe and excel.exe and goes through mshta.exe, cmd.exe, forfiles.exe, schtasks.exe, mpcmdrun.exe, taskkill.exe and powershell.exe, with the #REVENGE tag attached to the powershell.exe nodes.)