File name: | Draft BL.doc |
Full analysis: | https://app.any.run/tasks/6ddf3999-f28f-476d-b40e-f0ec5df8b831 |
Verdict: | Malicious activity |
Analysis date: | May 15, 2019, 13:25:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | AC3A35769F141166C120DE2B8E95DB1C |
SHA1: | A6C2249E8808B65991370DD0E47D7BACE23D1549 |
SHA256: | A29A39D6D139A468FCB953587423C9B02D4D68B333922B7783E24FFAB5F69FB0 |
SSDEEP: | 24576:pd6qlMEjK5kyHty99BE7f8Gh+lN4z4Z19tWLAs1Uwq0/4oveckLKOidW0GdmChP:F |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2948 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Draft BL.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 1 Version: 14.0.6024.1000 | ||||
3436 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3884 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1116 | C:\Windows\system32\cmd.exe /K mt6nzqofd.CMD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2684 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3152 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3748 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4004 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2388 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2968 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
(PID) Process: | (2948) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | )s |
Value: 29732000840B0000010000000000000000000000 | |||
(PID) Process: | (2948) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2948) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2948) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1320091678 | |||
(PID) Process: | (2948) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1320091800 | |||
(PID) Process: | (2948) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1320091801 | |||
(PID) Process: | (2948) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: 840B00001295B9B9210BD50100000000 | |||
(PID) Process: | (2948) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | bt |
Value: 62742000840B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2948) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | bt |
Value: 62742000840B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2948) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREB29.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{467EAFAE-5212-44D6-93FE-3DE6D21DE104}.tmp | binary | |
MD5:F2CF47F3D2D0BEE4E99A0AB16B2C4804 | SHA256:A6984BEB2551A99FFA95223B0ED1CF3D24946F462799E2FE11CFAA6F25030A87 | |||
3840 | cscript.exe | C:\Users\admin\AppData\Local\Temp\saver.scr | executable | |
MD5:0A389BF75072D8AB4B152CD4A14B3581 | SHA256:F031A414E5C6881E2207D38006166CE1F6C86D7F8176AE6B3DCEBCA88DDC2935 | |||
3840 | cscript.exe | C:\Users\admin\AppData\Local\Temp\gondi.doc | text | |
MD5:6291D5A22FCE652360616BD330E07082 | SHA256:80AE0226822B684927280C63CA9F4E683C121FA62715E02909DECC298C03B506 | |||
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{DCE0A545-83E3-4FE3-A8F2-3E701D412B38}.tmp | binary | |
MD5:6AE9A47835BE77DBB98AFF42C07A8755 | SHA256:5E07C5C96285344E4230F8751DB9B3E5302E709D6EB4DECA1F536624E068BD3C | |||
1116 | cmd.exe | C:\Users\admin\AppData\Local\Temp\_.vbs | text | |
MD5:BF9646FA68CAE0CE69FBF7FFF70D65B5 | SHA256:CC7DD8CF31F4634A109AC5A14931F8A4E55F528B36C40B0D109B9147B8E7C928 | |||
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\kulebiaka.ZiP | compressed | |
MD5:46820D7DA085420CC9F3956D5EA83332 | SHA256:98AC30F758FFEA67D95DA03EDB2FDFF84C7C0CB3CF3C6ADAD750DC00782E77C2 | |||
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\mt6nzqofd.cmd | text | |
MD5:B5B6D0CC5AE87D9B02585E5B3246C1A2 | SHA256:15C6536DD7A47ADD995049F4E54D86F69F50BB20FE29B88B5AE809A888730A5E | |||
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$aft BL.doc.rtf | pgc | |
MD5:373B54091DBDC71E17B565D6ADD27767 | SHA256:9C020818C564EC80C56B572E3064466593922C79F96A2B0BC58F5738C5E2C201 | |||
2948 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:097280C056CE39439CCC3847D81BD8E8 | SHA256:0953075297DD805C383180F637440927D9292D4FAEDCFD744C727C571261B925 |