Property | Value
---|---
File name | 0f2b29049e8548b414a5fd62fcd2697bbe22055e422dbb93baa78947dc0315e8
Full analysis | https://app.any.run/tasks/77f60d88-fad8-413a-b0d6-3c09f9e440f0
Verdict | Malicious activity
Analysis date | January 10, 2019, 22:08:14
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | text/rtf
File info | Rich Text Format data, version 1, unknown character set
MD5 | F97837DA88BA76EDAFFDA44D3540643D
SHA1 | A83CD0C852DB8E5DCCF2E172B9F6E8A9977C9811
SHA256 | 0F2B29049E8548B414A5FD62FCD2697BBE22055E422DBB93BAA78947DC0315E8
SSDEEP | 6144:Ez0zWzjzjzAzAzAzAzAzAzAzfz0z0zLzNznzuTzNzCzhzvzoo:E4SPPkkkkkkk7443BbSTZW9r0o
Extension | Identified format (match score)
---|---
.rtf | Rich Text Format (100)

Document metadata | Value
---|---
InternalVersionNumber | 24689
CharactersWithSpaces | 1773
Characters | 1511
Words | 265
Pages | 2
TotalEditTime | —
RevisionNumber | 2
LastPrinted | 2018:12:12 16:35:00
ModifyDate | 2018:12:14 09:22:00
CreateDate | 2018:12:14 09:22:00
LastModifiedBy | Windows User
Author | Mr.Duoc
Upr | {CH??NG TRÌNH }{*{CH{ƯƠNG TRÌNH }}} (RTF `\upr` ANSI/Unicode pair: the Unicode form reads CHƯƠNG TRÌNH, Vietnamese for "PROGRAM"; the ANSI form carries `?` where the Vietnamese letters have no 8-bit mapping)
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2840 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\0f2b29049e8548b414a5fd62fcd2697bbe22055e422dbb93baa78947dc0315e8.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | |
3408 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe
 | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 | | |

EQNEDT32.EXE is an out-of-process COM server: when Word activates an embedded Equation object it is launched by the DCOM launcher (hosted in svchost.exe) with the `-Embedding` switch, so its parent is svchost.exe rather than WINWORD.EXE. This activation pattern is identical for benign equation objects; what is anomalous here is that the Equation Editor process (PID 3408) is the one generating the file, HTTP and DNS activity listed below.
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2840 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9A81.tmp.cvr | — | — | —
2840 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 97134130F5D402DEF1A4F4D6C8F007FA | 5CD87DA05B66B14EE81C18E40F0A083053B878A7F3D82D5CF3212B25AF266A26
2840 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$2b29049e8548b414a5fd62fcd2697bbe22055e422dbb93baa78947dc0315e8.rtf | pgc | E89E8A51AEC7DC0FBB7A796382136465 | E8E55B61BDF815AC320A11D50AD4CF5AD42ECA000CA3CFE36ADB08F19BF564AB
3408 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | 648BFBE30FB4B04FAF2B7163766BF266 | 95A70B67F279D9AA8A86044C4D6B1153BEFE8275205E09A7529057D5EEAA9D4B
3408 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@uchi[1].txt | text | 094D3EDA99636E6DED4B09609C2FBD9C | 7588EA55DF88B3ADCEED21C98A06B8921BD00BAEA1C2B9B78CC3CF9647E919E7
3408 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | D7A950FEFD60DBAA01DF2D85FEFB3862 | 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3408 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2LZASaq | US | html | 116 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3408 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
3408 | EQNEDT32.EXE | 104.27.172.56:443 | a.uchi.moe | Cloudflare Inc | US | shared |
Domain | IP | Reputation
---|---|---
bit.ly | — | shared
a.uchi.moe | — | malicious
PID | Process | Class | Message |
---|---|---|---|
3408 | EQNEDT32.EXE | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.Downloader httpHeader |
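Added example, not part of the ANY.RUN report: a small detection routine that correlates the process table above (Equation Editor activated through DCOM with `-Embedding` under svchost.exe) with the connection list (PID 3408 reaching bit.ly and a.uchi.moe). The event records are constructed by hand to mirror the report's PIDs, images, parents and destinations; the record layout and the `equation_editor_activations` / `detect` helpers are assumptions for illustration, not any EDR vendor's schema.

```python
"""Flag an Equation Editor (EQNEDT32.EXE) instance that goes on the network.

Added example; not code from the ANY.RUN report. The sample events below are
constructed to mirror the report's process tree and connection list. Field
names are assumptions, not a real telemetry schema.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # image file name, e.g. "EQNEDT32.EXE"
    cmdline: str
    parent_image: str


@dataclass(frozen=True)
class NetworkEvent:
    pid: int
    dst_ip: str
    dst_port: int
    domain: str         # "" when no name was resolved for this flow


# Constructed telemetry mirroring the report (document path shortened).
SAMPLE_PROCESSES = [
    ProcessEvent(2840, "WINWORD.EXE",
                 '"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE" '
                 '/n "C:\\Users\\admin\\AppData\\Local\\Temp\\sample.rtf"',
                 "explorer.exe"),
    ProcessEvent(3408, "EQNEDT32.EXE",
                 '"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION'
                 '\\EQNEDT32.EXE" -Embedding',
                 "svchost.exe"),
]
SAMPLE_NETWORK = [
    NetworkEvent(3408, "67.199.248.10", 80, "bit.ly"),
    NetworkEvent(3408, "104.27.172.56", 443, "a.uchi.moe"),
]

OFFICE_IMAGES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}


def equation_editor_activations(procs: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Equation Editor started as a COM server: parent svchost.exe (DCOM
    launcher) and '-Embedding' on the command line. Benign equation objects
    produce exactly the same event, so on its own this is context, not an alert."""
    return [p for p in procs
            if p.image.upper() == "EQNEDT32.EXE"
            and "-embedding" in p.cmdline.lower()
            and p.parent_image.lower() == "svchost.exe"]


def detect(procs: Iterable[ProcessEvent],
           flows: Iterable[NetworkEvent]) -> List[Dict[str, object]]:
    """Return one finding per network flow originated by an Equation Editor
    process. EQNEDT32.EXE only renders equations and has no legitimate reason
    to reach the network, so any flow attributed to it is high-fidelity
    evidence that something else is executing inside that process."""
    procs = list(procs)
    eqn_pids = {p.pid for p in equation_editor_activations(procs)}
    office_open = any(p.image.upper() in OFFICE_IMAGES for p in procs)
    findings: List[Dict[str, object]] = []
    for f in flows:
        if f.pid not in eqn_pids:
            continue
        findings.append({
            "rule": "eqnedt32_network_activity",
            "pid": f.pid,
            "dst": f"{f.dst_ip}:{f.dst_port}",
            "domain": f.domain,
            # An Office process alongside points to document-borne delivery.
            "office_context": office_open,
        })
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_PROCESSES, SAMPLE_NETWORK):
        print(hit)
```

The activation check is deliberately kept separate from the alerting rule: in an environment where equation objects are common, the `-Embedding` launch under svchost.exe fires constantly, while EQNEDT32.EXE opening a socket (or, equivalently, spawning a child process) does not.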