File name: | PO3373.doc |
Full analysis: | https://app.any.run/tasks/09bd9115-bf30-4a73-ab75-a18d7e5710fe |
Verdict: | Malicious activity |
Analysis date: | October 20, 2020, 09:49:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | 1EC343EF9F72DA70FBF51A900BC9BFBA |
SHA1: | 0F8836E8CC775C96FE4E39AE8775B546DE079D2B |
SHA256: | 13C792D0C8F243EE5311B9FAF4A29D1C0DEF68B6305E8633FCD71192C3D0A8D9 |
SSDEEP: | 6144:MC8ZX6RPwQRzBlMSj3vQFeFcuWB1D3zrb1hEm2DA/ABZ13T5nz2729DPEtOz91oX:MC824YzPN7QScugD3R3xoBvhm2dEozrE |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1340 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\PO3373.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2136 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3540 | "C:\Users\admin\AppData\Roaming\threex7539.exe" | C:\Users\admin\AppData\Roaming\threex7539.exe | EQNEDT32.EXE | |
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 | ||||
1760 | "C:\Users\admin\AppData\Roaming\threex7539.exe" | C:\Users\admin\AppData\Roaming\threex7539.exe | threex7539.exe | |
User: admin Integrity Level: MEDIUM Description: Version: 1.0.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1340 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3C81.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1340 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:FB0A80D87CEECDB167EAE1CAD465CC12 | SHA256:E3BBC90BE196079DDA92D65110BEC977A979FEF4D008B58A7D2953D26E5C9978 | |||
2136 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\threex[1].exe | executable | |
MD5:76C9524B0664E304862BED6A3477BA7D | SHA256:6339585AE21633CE485F2B874C9797C84C5326B325847A44361E6978DA77B758 | |||
3540 | threex7539.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chlome\chlomx.exe | executable | |
MD5:76C9524B0664E304862BED6A3477BA7D | SHA256:6339585AE21633CE485F2B874C9797C84C5326B325847A44361E6978DA77B758 | |||
2136 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\threex7539.exe | executable | |
MD5:76C9524B0664E304862BED6A3477BA7D | SHA256:6339585AE21633CE485F2B874C9797C84C5326B325847A44361E6978DA77B758 | |||
1340 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\PO3373.doc.LNK | lnk | |
MD5:66B35F9C18C9A055FEFF4D96917706AB | SHA256:A8633650A57FA0C6FCF45DDE3F68E29E53584E38A45EAAC99D97A06818DA54E8 | |||
1340 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:26828D2AD288F4CB77E698F377F8E240 | SHA256:41149FB1708629A81717F7CA6DBC2C3E3DD8DA5E3D52215088BC8F6BD883E082 | |||
1340 | WINWORD.EXE | C:\Users\admin\Desktop\~$PO3373.doc | pgc | |
MD5:DCBBB424A456D810EE92499D1D18BF9C | SHA256:8E4D10E2A77D27B9B98181DD4BB44883B3F850A00A1A4DE093D9CCF98A51FDFE |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2136 | EQNEDT32.EXE | 193.228.91.147:80 | gooddns.ir | — | AT | malicious |
Domain | IP | Reputation |
---|---|---|
gooddns.ir |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2136 | EQNEDT32.EXE | Misc Attack | ET DROP Dshield Block Listed Source group 1 |
2136 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |