File name: | 4878.rtf |
Full analysis: | https://app.any.run/tasks/2c50a08a-034e-404a-a079-4ef5adad3c42 |
Verdict: | Malicious activity |
Analysis date: | December 06, 2018, 06:34:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | data |
MD5: | DEB6EE45F62AEEA268382A2528541C55 |
SHA1: | 60726EEF03144D8EA1472CAA98B71AD1CD7C8720 |
SHA256: | A5522BF1321906CAB067023B2523418F5881B829B883C19CA2AAF7AC0AF98234 |
SSDEEP: | 24576:jDjkZMoBwFDxAvLfeDh4kqE3bn5ZMzDj6:r |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2964 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\4878.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 1 Version: 14.0.6024.1000 | ||||
2336 | "C:\Windows\System32\cmd.exe" /C C:\Users\admin\AppData\Local\Temp\tAsK.bAt | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2936 | C:\Windows\system32\cmd.exe /K C:\Users\admin\AppData\Local\Temp\2nd.bat | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3396 | "C:\Windows\System32\cmd.exe" /C C:\Users\admin\AppData\Local\Temp\tAsK.bAt | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3608 | TIMEOUT 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2512 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Version: 00110900 | ||||
3192 | C:\Users\admin\AppData\Local\Temp\ExE.ExE | C:\Users\admin\AppData\Local\Temp\exe.exe | — | cmd.exe |
User: admin Company: BRoTHERS Integrity Level: MEDIUM Description: BRoTHERS Exit code: 0 Version: 7.02.0006 | ||||
3368 | TASKKILL /F /IM winword.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3708 | CmD /C %TmP%\TasK.BaT & UUUUUUUUc | C:\Windows\system32\CmD.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2592 | reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f | C:\Windows\system32\reg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2964) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | e`? |
Value: 65603F00940B0000010000000000000000000000 | |||
(PID) Process: | (2964) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2964) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2964) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1300627479 | |||
(PID) Process: | (2964) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1300627600 | |||
(PID) Process: | (2964) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1300627601 | |||
(PID) Process: | (2964) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: 940B00005ED451D62D8DD40100000000 | |||
(PID) Process: | (2964) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | .b? |
Value: 2E623F00940B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2964) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | .b? |
Value: 2E623F00940B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2964) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA8D6.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\task.bat | — | |
MD5:— | SHA256:— | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C6D167F7-FCB2-45DA-964E-E06951D19568}.tmp | binary | |
MD5:4806FBB9076109B3B65745B4880BAD59 | SHA256:DCA169FF0B14A55D084CC019E751C1AD417902BDCC53E55BE25E384752C1E0F0 | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\decoy.doc | image | |
MD5:0527182A4A0A90CF60EDBD78B3258CC5 | SHA256:708CF211951F86F8D3A8EF977EBE12FF4442CFD95A831D9EA53859BA48BB4760 | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\inteldriverupd1.sct | xml | |
MD5:8DECDCAEB92D9F628B6BF95DE4C0597A | SHA256:E4F6B9DEF338FE9ACA9E8796E79C58C5E42168E697C41BFE149946513765036E | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$4878.rtf | pgc | |
MD5:B4B75A84C7F264E8706FC0AC40065000 | SHA256:A1B3BBBE35AF8A8C7DCF290E816166D8FD022854C94698EE0A549E1E574C1FAD | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\2nd.bat | text | |
MD5:57FF2666BFC47C63E05D5C182B0F89F3 | SHA256:74249727C5D760E91B9277BE58B45A03FD89A587CC19E0B42503B50DB2E00356 | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\exe.exe | executable | |
MD5:F9331B6D430F7BB7832A8F25CBA17E03 | SHA256:577FD84B3582281CB3D5EFB235A4A29FEE63F7B8D484A0F900D2EA7F4AEF7FD3 | |||
3192 | exe.exe | C:\Users\admin\AppData\Local\Temp\~DF03155A47DC7CFB28.TMP | binary | |
MD5:D00505E7C0BA985522356D318818CE69 | SHA256:ADEDCA05F35DAE8E5EC0F429978E7F22A0AB0D05E27639D214C100B5DD4B39F8 | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:C9005899C42F58E9E7C96DCB3A5EE8E3 | SHA256:BAAA4B86601B2CDBDAF8C9D3F3076A6A57EBB0E5FFD49CF53E039A90105750E4 |
Domain | IP | Reputation |
---|---|---|
www.tkgxim.men |
| unknown |