File name: | TRACKSUIT QUOTATION.doc |
Full analysis: | https://app.any.run/tasks/0cf42c0c-aefe-4316-b31d-1e9512093636 |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | May 20, 2019, 19:17:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | DE877AD27004B5FBB27CAB691B3D8024 |
SHA1: | 871A3863761BA7170EF7266D0EF90420F98A5862 |
SHA256: | CA1B9112AC550CD21ABDCD13E7EDC6BAAD8B6FC7AFC0B35F52868005CF2AA857 |
SSDEEP: | 768:6xD7q8e8s2FbRqs14dwRy4BkBExekPUFJbgw8DDnF:6Z7q8e8J1edwQ4BkBExekPgJMw8DDnF |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3052 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\TRACKSUIT QUOTATION.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3916 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3516 | C:\Users\admin\AppData\Local\X098765432198.scr | C:\Users\admin\AppData\Local\X098765432198.scr | EQNEDT32.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 7.1.4.4 | ||||
2676 | C:\Users\admin\AppData\Local\X098765432198.scr | C:\Users\admin\AppData\Local\X098765432198.scr | X098765432198.scr | |
User: admin Integrity Level: MEDIUM Version: 7.1.4.4 |
(PID) Process: | (3052) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | ay |
Value: 61792000EC0B0000010000000000000000000000 | |||
(PID) Process: | (3052) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (3052) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (3052) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1320419358 | |||
(PID) Process: | (3052) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1320419480 | |||
(PID) Process: | (3052) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1320419481 | |||
(PID) Process: | (3052) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: EC0B0000B811EBBF400FD50100000000 | |||
(PID) Process: | (3052) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | kz |
Value: 6B7A2000EC0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (3052) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | kz |
Value: 6B7A2000EC0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (3052) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE9E1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E4B4FE9C-25D3-4F81-A06D-B718D28F3438}.tmp | — | |
MD5:— | SHA256:— | |||
3052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F26BBDD6-644C-4DB8-AF83-F352B857D5C4}.tmp | — | |
MD5:— | SHA256:— | |||
3052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7E24999A-0322-44A9-97FE-11E6AE1DE104}.tmp | — | |
MD5:— | SHA256:— | |||
3052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{9D1CDF81-6B00-41BD-9038-B2C2AAAD44D3}.tmp | binary | |
MD5:C0A309D337CAE5CB2D9ADE6A7A045CE4 | SHA256:9FA43F6DE36E56738A9BE6B2CC050ABAD2A94071AB3FF713B990102A0F6653A2 | |||
3916 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\traaa[1] | executable | |
MD5:4041E5BCCA90BC69BDA33DFF623185C3 | SHA256:CB31A8C497878CAFD27DCE028934E9A7E50A43BE621EDD0E0DFF57A21923DF3A | |||
3916 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\X098765432198.scr | executable | |
MD5:4041E5BCCA90BC69BDA33DFF623185C3 | SHA256:CB31A8C497878CAFD27DCE028934E9A7E50A43BE621EDD0E0DFF57A21923DF3A | |||
3052 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:2445A0A77396BDF54E13CF88D259E053 | SHA256:3B6A15B0A7BBC2D301BCC38624170DDCAED04BC8E8166D1E5A9BD836C3D09E38 | |||
3052 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\TRACKSUIT QUOTATION.doc.rtf.LNK | lnk | |
MD5:E5330CE328A7ACAE6AA891FF25F7D42F | SHA256:857A395AA63DE068C06D54ECF9E0CF31F4CF8FEACD8CBEB82411137F02CDBC49 | |||
3916 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | |
MD5:DB073107DF169D33826D38C5630D3DEE | SHA256:19407FAF93556E597BC7645011FC2881E1513B5916311000CBAE08399D4BB7FD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3916 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2VLRJ8J | US | html | 114 b | shared |
3916 | EQNEDT32.EXE | GET | 200 | 45.67.14.154:80 | http://45.67.14.154/5/traaa | unknown | executable | 262 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3916 | EQNEDT32.EXE | 45.67.14.154:80 | — | — | — | suspicious |
3916 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
2676 | X098765432198.scr | 185.84.181.80:56477 | — | Radore Veri Merkezi Hizmetleri A.S. | TR | malicious |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3916 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
3916 | EQNEDT32.EXE | Misc activity | ET INFO Packed Executable Download |
3916 | EQNEDT32.EXE | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
3916 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3916 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
3916 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3916 | EQNEDT32.EXE | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
Process | Message |
---|---|
X098765432198.scr | User32.dll |
X098765432198.scr | User32.dll |
X098765432198.scr | User32.dll |
X098765432198.scr | User32.dll |
X098765432198.scr | User32.dll |
X098765432198.scr | User32.dll |
X098765432198.scr | User32.dll |
X098765432198.scr | User32.dll |
X098765432198.scr | User32.dll |
X098765432198.scr | User32.dll |