| File name: | e5619ddfee775c4f3afd5c36269e74cad5d30b0154b8aad931fbe0ff2912c83f |
| Full analysis: | https://app.any.run/tasks/e3123d54-1d6b-4164-90b3-39f7c5af6962 |
| Verdict: | Malicious activity |
| Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
| Analysis date: | May 24, 2019, 09:56:02 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/rtf |
| File info: | Rich Text Format data, version 1, unknown character set |
| MD5: | 3AB5ABBBED1BF88262C8DCBF8F7C10E3 |
| SHA1: | 1E54AD7E1774DCC2811A24144AFE6C910FF02C11 |
| SHA256: | E5619DDFEE775C4F3AFD5C36269E74CAD5D30B0154B8AAD931FBE0FF2912C83F |
| SSDEEP: | 3072:oHqXcituHewAp3Qa/XcituHewAp3Qa/XcituHewAp3Qa/XcituHewAp3Qa/Xcit/:X2pAL2pAL2pAL2pAL2pAFHIS |
MALICIOUS
Unusual execution from Microsoft Office
- EXCEL.EXE (PID: 1816)
- EXCEL.EXE (PID: 3384)
- EXCEL.EXE (PID: 2612)
- EXCEL.EXE (PID: 1648)
Starts CMD.EXE for commands execution
- EXCEL.EXE (PID: 3384)
- EXCEL.EXE (PID: 1816)
- EXCEL.EXE (PID: 2612)
- EXCEL.EXE (PID: 1648)
Requests a remote executable file from MS Office
- EXCEL.EXE (PID: 3384)
- EXCEL.EXE (PID: 1816)
- EXCEL.EXE (PID: 1648)
- EXCEL.EXE (PID: 2612)
SUSPICIOUS
Executed via COM
- EXCEL.EXE (PID: 2612)
- EXCEL.EXE (PID: 1816)
- EXCEL.EXE (PID: 3384)
- EXCEL.EXE (PID: 4072)
- excelcnv.exe (PID: 2056)
- EXCEL.EXE (PID: 1648)
Executes application which crashes
- cmd.exe (PID: 2768)
- cmd.exe (PID: 1424)
- cmd.exe (PID: 3912)
- cmd.exe (PID: 3292)
INFO
Reads Microsoft Office registry keys
- EXCEL.EXE (PID: 3384)
- EXCEL.EXE (PID: 4072)
- WINWORD.EXE (PID: 3960)
- EXCEL.EXE (PID: 1816)
- EXCEL.EXE (PID: 2612)
- EXCEL.EXE (PID: 1648)
- excelcnv.exe (PID: 2056)
Creates files in the user directory
- WINWORD.EXE (PID: 3960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rtf | | | Rich Text Format (100) |
|---|
EXIF
RTF
| Author: | Admin |
|---|---|
| LastModifiedBy: | Admin |
| CreateDate: | 2019:01:07 23:54:00 |
| ModifyDate: | 2019:01:07 23:54:00 |
| RevisionNumber: | 1 |
| TotalEditTime: | - |
| Pages: | 1 |
| Words: | - |
| Characters: | 4 |
| CharactersWithSpaces: | 4 |
| InternalVersionNumber: | 57435 |
Total processes
56
Monitored processes
15
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 536 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1424 | "C:\Windows\System32\cmd.exe" /c ren "C:\Users\admin\AppData\Local\Temp\h84bb.png" "h84bb.exe" &start "" "C:\Users\admin\AppData\Local\Temp\h84bb.exe" | C:\Windows\System32\cmd.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1648 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 1816 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2056 | "C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding | C:\Program Files\Microsoft Office\Office14\excelcnv.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2108 | "C:\Windows\system32\ntvdm.exe" -i4 | C:\Windows\system32\ntvdm.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2196 | "C:\Windows\system32\ntvdm.exe" -i3 | C:\Windows\system32\ntvdm.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2560 | "C:\Windows\system32\ntvdm.exe" -i2 | C:\Windows\system32\ntvdm.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2612 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2768 | "C:\Windows\System32\cmd.exe" /c ren "C:\Users\admin\AppData\Local\Temp\h84bb.png" "h84bb.exe" &start "" "C:\Users\admin\AppData\Local\Temp\h84bb.exe" | C:\Windows\System32\cmd.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
2 568
Read events
2 145
Write events
394
Delete events
29
Modification events
| (PID) Process: | (3960) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | dp" |
Value: 64702200780F0000010000000000000000000000 | |||
| (PID) Process: | (3960) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (3960) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (3960) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1320681502 | |||
| (PID) Process: | (3960) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1320681616 | |||
| (PID) Process: | (3960) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1320681617 | |||
| (PID) Process: | (3960) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
| Operation: | write | Name: | MTTT |
Value: 780F0000BA86DEEF1612D50100000000 | |||
| (PID) Process: | (3960) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | <r" |
Value: 3C722200780F000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (3960) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | delete value | Name: | <r" |
Value: 3C722200780F000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (3960) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
0
Suspicious files
1
Text files
8
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR40D5.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 4072 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR4847.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR2D58.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\h84bb.png | — | |
MD5:— | SHA256:— | |||
| 536 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs6B6A.tmp | — | |
MD5:— | SHA256:— | |||
| 536 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs6B7B.tmp | — | |
MD5:— | SHA256:— | |||
| 1816 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR6BB8.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2560 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs7166.tmp | — | |
MD5:— | SHA256:— | |||
| 2560 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs7176.tmp | — | |
MD5:— | SHA256:— | |||
| 2612 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR7202.tmp.cvr | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
5
DNS requests
3
Threats
10
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1648 | EXCEL.EXE | GET | 404 | 192.254.78.66:80 | http://simplestplanofaction.com/wp-admin/images/files/arii.exe | US | html | 347 b | malicious |
3384 | EXCEL.EXE | GET | 404 | 192.254.78.66:80 | http://simplestplanofaction.com/wp-admin/images/files/arii.exe | US | html | 347 b | malicious |
2612 | EXCEL.EXE | GET | 404 | 192.254.78.66:80 | http://simplestplanofaction.com/wp-admin/images/files/arii.exe | US | html | 347 b | malicious |
1816 | EXCEL.EXE | GET | 404 | 192.254.78.66:80 | http://simplestplanofaction.com/wp-admin/images/files/arii.exe | US | html | 347 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4072 | EXCEL.EXE | 192.254.78.66:80 | simplestplanofaction.com | Centrilogic, Inc. | US | malicious |
3384 | EXCEL.EXE | 192.254.78.66:80 | simplestplanofaction.com | Centrilogic, Inc. | US | malicious |
1816 | EXCEL.EXE | 192.254.78.66:80 | simplestplanofaction.com | Centrilogic, Inc. | US | malicious |
2612 | EXCEL.EXE | 192.254.78.66:80 | simplestplanofaction.com | Centrilogic, Inc. | US | malicious |
1648 | EXCEL.EXE | 192.254.78.66:80 | simplestplanofaction.com | Centrilogic, Inc. | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
simplestplanofaction.com |
| malicious |
dns.msftncsi.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3384 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0 |
3384 | EXCEL.EXE | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
1816 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0 |
1816 | EXCEL.EXE | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
2612 | EXCEL.EXE | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
1648 | EXCEL.EXE | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
4 ETPRO signatures available at the full report