File name: | OVER DUE INVOICE PAYMENT.docx |
Full analysis: | https://app.any.run/tasks/2f29d15b-b350-4c9b-8cb8-cf9dadcb84d3 |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | July 05, 2024, 00:58:27 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 9F3FD4E8AA2AD81966D0C2A036D1E901 |
SHA1: | 80A58393ACB58FCC666E56B514994D98BA3F4716 |
SHA256: | CD9CF022180C8C6F6C4FB0D76476BF2E9382128D28A4686114C50448934E5381 |
SSDEEP: | 384:IqcbcXNjeU2bSLSxnindXUclBy/m9dEbEYH4LynCYk1o:M8CU7LSxidXDeAibErWCg |
Extension | Description |
---|---|
.docx | Word Microsoft Office Open XML Format document (52.2) |
.zip | Open Packaging Conventions container (38.8) |
.zip | ZIP compressed archive (8.8) |
Creator: | Modexcomm |
ModifyDate: | 2023:08:16 13:25:00Z |
CreateDate: | 2023:03:27 22:13:00Z |
RevisionNumber: | 7 |
LastModifiedBy: | Modexcomm |
AppVersion: | 12 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 21248 |
LinksUpToDate: | No |
Company: | - |
ScaleCrop: | No |
Paragraphs: | 42 |
Lines: | 150 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 18113 |
Words: | 3177 |
Pages: | 7 |
TotalEditTime: | 19 minutes |
Template: | Normal.dotm |
ZipFileName: | [Content_Types].xml |
ZipUncompressedSize: | 1312 |
ZipCompressedSize: | 341 |
ZipCRC: | 0x3795fcdd |
ZipModifyDate: | 2024:07:04 02:08:32 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0002 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
816 | C:\Windows\system32\svchost.exe -k LocalService | C:\Windows\System32\svchost.exe | | services.exe |
3400 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\OVER DUE INVOICE PAYMENT.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe |
3684 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe |
936 | "C:\Users\admin\AppData\Roaming\obi23456.scr" | C:\Users\admin\AppData\Roaming\obi23456.scr | — | EQNEDT32.EXE |
3920 | "C:\Users\admin\AppData\Roaming\obi23456.scr" | C:\Users\admin\AppData\Roaming\obi23456.scr | | obi23456.scr |

PID | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|
816 | LOCAL SERVICE | Microsoft Corporation | SYSTEM | Host Process for Windows Services | | 6.1.7600.16385 (win7_rtm.090713-1255) |
3400 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | | 14.0.6024.1000 |
3684 | admin | Design Science, Inc. | MEDIUM | Microsoft Equation Editor | 0 | 00110900 |
936 | admin | | MEDIUM | Shroud | 0 | 1.0.0.0 |
3920 | admin | | MEDIUM | Shroud | | 1.0.0.0 |

SnakeKeylogger configuration, (PID) Process: (3920) obi23456.scr
Keys: | DES6fc98cd6 |
SMTP User: | [email protected] |
SMTP Password: | ArtEfes4765*+ |
SMTP Host: | mail.artefes.com |
SMTP SendTo: | [email protected] |
SMTP Port: | 587 |
(PID) Process | Key | Operation | Name | Value |
---|---|---|---|---|
(3400) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | h=2 | 683D3200480D0000010000000000000000000000 |
(3400) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off |
(3400) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1041 | Off |
(3400) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1046 | Off |
(3400) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1036 | Off |
(3400) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1031 | Off |
(3400) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1040 | Off |
(3400) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1049 | Off |
(3400) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 3082 | Off |
(3400) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1042 | Off |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3400 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE5B9.tmp.cvr | — | — | — |
3400 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | der | 2365869258DF7A66A2121B802CA4AFD9 | D6B1932822BBD72A8E78C771717D992142348F67D625A42393719FEFBE59B0ED |
3400 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8 | binary | FE696FA3F37F2BB3A4321E7E56D814BE | D2E375254E49303B20C3FAFA3A0546584F5C50F205F3E7E112A27D2F21898C3F |
3400 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{3E236B26-A687-4DF1-A016-37EB4A21001B} | binary | C25A3148298FC4E03317155303CF39EC | E630ED491F9AC8DAF9593F0BA291AE7737881254B4F98167824BA4AE8A6926AE |
3400 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | C25A3148298FC4E03317155303CF39EC | E630ED491F9AC8DAF9593F0BA291AE7737881254B4F98167824BA4AE8A6926AE |
3400 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 | binary | 1BFE0A81DB078EA084FF82FE545176FE | 5BA8817F13EEE00E75158BAD93076AB474A068C6B52686579E0F728FDA68499F |
3400 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | D471A0BB5F0B8A9AC834E0172491B7F9 | 418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F |
3400 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | binary | E32CDDD803EDDCD9D8E90730B4C8C8F9 | 856B226F42F5A4B5ABE9BE85907149CC5AACCDD41B201AF106F106D7902E618E |
3400 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | C1EF68B12A6ED73F8F23ACC292393101 | 8C94FBE8CD43B93AF1F7FFB012AC8E540B345C07472DC4C31A8F76AC7CA97C3B |
3400 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | 0793630FAE4021AA4CA655FE3BE757F9 | 4E2C48455889948BFBA73D8048E1BBE6E1695554C9DA6FB5DF7050177759B57F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3400 | WINWORD.EXE | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ba9e8e5522de732c | unknown | — | — | unknown |
3400 | WINWORD.EXE | GET | 200 | 172.217.18.99:80 | http://c.pki.goog/r/gsr1.crl | unknown | — | — | unknown |
3400 | WINWORD.EXE | GET | 200 | 172.217.18.99:80 | http://c.pki.goog/r/r4.crl | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 95.101.54.122:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
3920 | obi23456.scr | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 104.79.89.142:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
3920 | obi23456.scr | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | — | — | unknown |
3920 | obi23456.scr | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | — | — | unknown |
3920 | obi23456.scr | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | — | — | unknown |
3920 | obi23456.scr | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | — | — | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1372 | svchost.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1060 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3400 | WINWORD.EXE | 188.114.97.3:443 | riell.top | CLOUDFLARENET | NL | unknown |
3400 | WINWORD.EXE | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted |
3400 | WINWORD.EXE | 172.217.18.99:80 | c.pki.goog | GOOGLE | US | whitelisted |
816 | svchost.exe | 188.114.97.3:443 | riell.top | CLOUDFLARENET | NL | unknown |
1372 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1372 | svchost.exe | 95.101.54.122:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
Domain | IP | Reputation |
---|---|---|
riell.top | | unknown |
ctldl.windowsupdate.com | | whitelisted |
c.pki.goog | | unknown |
settings-win.data.microsoft.com | | whitelisted |
crl.microsoft.com | | whitelisted |
www.microsoft.com | | whitelisted |
checkip.dyndns.org | | shared |
reallyfreegeoip.org | | malicious |
mail.artefes.com | | unknown |
PID | Process | Class | Message |
---|---|---|---|
1060 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
1060 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org) |
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org |
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check |
1060 | svchost.exe | Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org) |
3920 | obi23456.scr | Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI |
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org |
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org |
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org |
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org |