Field | Value
---|---
File name | ORDER NO93829.doc
Full analysis | https://app.any.run/tasks/2cf1a909-6613-43d0-8895-fd06a9c2a1d4
Verdict | Malicious activity
Threats | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.
Analysis date | November 15, 2018, 10:54:08
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/rtf
File info | Rich Text Format data, unknown version
MD5 | B4944E75DEF86A11F76E8E2EAF0D5F07
SHA1 | 65D18EDC5461E038FF0A61EC8F115580944E187E
SHA256 | B9A877B5ED9D75CC9B44D638B322EB1B359CB0037EB4A465DF81CFF45B329449
SSDEEP | 6144:F7uMqOFvwOEYWWA4mpynUMo/jrWWeArRR:FyY5t7myxrWPRR
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
1308 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ORDER NO93829.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3944 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
3136 | C:\Users\admin\AppData\Roaming\math_igfxi.exe | C:\Users\admin\AppData\Roaming\math_igfxi.exe | — | EQNEDT32.EXE | User: admin; Company: RAPPELLED; Integrity level: MEDIUM; Description: Outheart; Exit code: 0; Version: 6.07
2116 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\datetimer\datetimer.vbs" | C:\Windows\System32\WScript.exe | — | math_igfxi.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
3868 | "C:\Users\admin\AppData\Local\Temp\datetimer\datetimer.exe" | C:\Users\admin\AppData\Local\Temp\datetimer\datetimer.exe | — | math_igfxi.exe | User: admin; Company: RAPPELLED; Integrity level: MEDIUM; Description: Outheart; Exit code: 0; Version: 6.07
940 | C:\Users\admin\AppData\Local\Temp\datetimer\datetimer.exe" | C:\Users\admin\AppData\Local\Temp\datetimer\datetimer.exe | — | datetimer.exe | User: admin; Company: RAPPELLED; Integrity level: MEDIUM; Description: Outheart; Version: 6.07
2828 | "C:\Windows\System32\control.exe" "C:\Windows\system32\timedate.cpl", | C:\Windows\System32\control.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Control Panel; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2052 | "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\timedate.cpl", | C:\Windows\system32\rundll32.exe | — | control.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3148 | C:\Windows\system32\DllHost.exe /Processid:{9DF523B0-A6C0-4EA9-B5F1-F4565C3AC8B8} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity level: HIGH; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1308 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9BAF.tmp.cvr | — | — | —
1308 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 256A3EF47ED32A3D3038855D49DF0319 | 151B56C71BC28DD4D752808CE3A9352E96D9FA381320511F87B327A8208F5DD0
3136 | math_igfxi.exe | C:\Users\admin\AppData\Local\Temp\~DF41D6313C5F66603F.TMP | binary | D0348B392A3E14285332C677D63B111D | 8024D20A4F57DD970DF90241D66F2FCC32FB436A95EC70D2C7302D2A80D83802
3868 | datetimer.exe | C:\Users\admin\AppData\Local\Temp\~DFA8F91DEF35DA3E50.TMP | binary | D0348B392A3E14285332C677D63B111D | 8024D20A4F57DD970DF90241D66F2FCC32FB436A95EC70D2C7302D2A80D83802
3136 | math_igfxi.exe | C:\Users\admin\AppData\Local\Temp\datetimer\datetimer.exe | executable | 371903DCC4F4E414BA38B230F3D1ADBA | 444F2C0E81DE08F0A584FC505D4F68CB19489E1A54C8C0668FA8DC9A4E855A68
3944 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\hrtree[1].exe | executable | 371903DCC4F4E414BA38B230F3D1ADBA | 444F2C0E81DE08F0A584FC505D4F68CB19489E1A54C8C0668FA8DC9A4E855A68
3944 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\math_igfxi.exe | executable | 371903DCC4F4E414BA38B230F3D1ADBA | 444F2C0E81DE08F0A584FC505D4F68CB19489E1A54C8C0668FA8DC9A4E855A68
1308 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$DER NO93829.doc | pgc | 340490C40D8A0726785274AB30B0CAA4 | D7A0F648E5DD35C61277968F46F757DCA927EB530DFD48CB79A07BB0A9F9CD1D
3136 | math_igfxi.exe | C:\Users\admin\AppData\Local\Temp\datetimer\datetimer.vbs | text | 966CF024D791BB07E700EA00933F0EFD | C54C0675DA3D634634A01F1B87E80D7FE914A1390432CEA2FF796F682FA2E627
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3944 | EQNEDT32.EXE | GET | 200 | 198.54.126.123:80 | http://micropcsystem.com/knrt/hrtree.exe | US | executable | 550 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
940 | datetimer.exe | 185.148.241.49:1948 | — | Ideal Hosting Sunucu Internet Hiz. Tic. Ltd. Sti. | TR | malicious |
3944 | EQNEDT32.EXE | 198.54.126.123:80 | micropcsystem.com | Namecheap, Inc. | US | malicious |
Domain | IP | Reputation
---|---|---
micropcsystem.com | | malicious
PID | Process | Class | Message |
---|---|---|---|
3944 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |