Field | Value
---|---
File name | Embargo+Bancario.doc
Full analysis | https://app.any.run/tasks/5594bed0-db72-4465-972e-5172894c2549
Verdict | Malicious activity
Analysis date | June 16, 2019, 07:43:10
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | text/plain
File info | MIME entity, ISO-8859 text, with CRLF line terminators
MD5 | 1BC1A4503F0988F6A02CDF9BFEA8164F
SHA1 | AFD89744B54DEC49A63A6D868A442656309988F7
SHA256 | 13E9A306EE43D18C0C1E52CDD54204F45F8AE7916EE248BDFEF2892FAE4E8D47
SSDEEP | 3072:Yo0mh3hOjHfdnsKiH3bQTrhhC+6B+V97jkfv8M1j/CEXbfO2ut:Yo3x+DVTFA+Vx8/hLmPt
Detected format | .mht/mhtml: MIME HTML archive format (var 2) (100)
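The file carries a .doc extension but the content identification above (MIME entity, ISO-8859 text, .mht/mhtml) shows it is a MIME HTML archive, which Word opens as a Web Archive document regardless of the extension, and the HTTP table below shows Word then fetching an external image from medicosempresa.com on open. The following script is an added example, not part of the ANY.RUN report and not the analysed sample: it classifies a file by leading bytes rather than by name, hashes it, and parses the MIME parts to list what an MHT embeds and which URLs it would resolve when opened. The embedded MHT is constructed for illustration and uses the placeholder host example.invalid in place of the report's medicosempresa.com.

```python
"""Extension-independent triage of an Office document that is really an MHT.
Added example; the SAMPLE_MHT below is constructed, not the file in the report."""
import email
import hashlib
import re
from email import policy

# Leading bytes of the containers Word opens regardless of the file's extension.
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls
ZIP_MAGIC = b"PK\x03\x04"                             # OOXML (.docx and friends)
# Heuristic: an MHT/MIME entity starts with RFC 822 headers rather than a magic number.
MIME_HEADER = re.compile(rb"^(MIME-Version|Content-Type|From):", re.I | re.M)
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+", re.I)

# Constructed stand-in for an MHT that embeds one image and references another
# externally; host example.invalid is a placeholder, not the report's domain.
SAMPLE_MHT = b"\r\n".join([
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/related; boundary="----=_NextPart_01"',
    b"",
    b"------=_NextPart_01",
    b'Content-Type: text/html; charset="iso-8859-1"',
    b"Content-Location: file:///C:/doc.htm",
    b"",
    b"<html><body><p>Embargo bancario</p>",
    b'<img src="http://example.invalid/image/win.jpg">',
    b'<img src="http://example.invalid/image/local.png">',
    b"</body></html>",
    b"------=_NextPart_01",
    b"Content-Type: image/png",
    b"Content-Transfer-Encoding: base64",
    b"Content-Location: http://example.invalid/image/local.png",
    b"",
    b"iVBORw0KGgo=",
    b"------=_NextPart_01--",
]) + b"\r\n"


def identify(data: bytes) -> str:
    """Coarse container type from the leading bytes; the file name is ignored."""
    if data.startswith(OLE_CFB_MAGIC):
        return "ole-cfb"
    if data.startswith(ZIP_MAGIC):
        return "zip-ooxml"
    if MIME_HEADER.search(data[:2048]):
        return "mht-mime"
    return "unknown"


def hashes(data: bytes) -> dict:
    """Upper-case hex digests in the same form the sandbox report lists them."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256")}


def _leaf_parts(data: bytes):
    msg = email.message_from_bytes(data, policy=policy.default)
    return [p for p in msg.walk() if not p.is_multipart()]


def mht_parts(data: bytes) -> list:
    """Content type, Content-Location and decoded size of every MIME part."""
    return [{
        "type": part.get_content_type(),
        "location": part.get("Content-Location"),
        "size": len(part.get_payload(decode=True) or b""),
    } for part in _leaf_parts(data)]


def external_refs(data: bytes) -> set:
    """URLs referenced inside the parts but not embedded as a part themselves.
    Word resolves these when the archive is opened, which is the kind of
    request the sandbox logged against WINWORD.EXE."""
    embedded, refs = set(), set()
    for part in _leaf_parts(data):
        loc = part.get("Content-Location")
        if loc:
            embedded.add(str(loc).strip())
        payload = part.get_payload(decode=True) or b""
        refs.update(u.decode("latin-1") for u in URL_RE.findall(payload))
    return refs - embedded


def triage(filename: str, data: bytes) -> dict:
    """Flag an extension/content mismatch and, for an MHT, enumerate its parts."""
    expected = {"doc": "ole-cfb", "docx": "zip-ooxml", "mht": "mht-mime", "mhtml": "mht-mime"}
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = identify(data)
    report = {"file": filename, "kind": kind,
              "mismatch": expected.get(ext) not in (None, kind)}
    report.update(hashes(data))
    if kind == "mht-mime":
        report["parts"] = mht_parts(data)
        report["external_refs"] = sorted(external_refs(data))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage("Embargo+Bancario.doc", SAMPLE_MHT), indent=2))
```

Run the script against a real sample by replacing SAMPLE_MHT with the file's bytes; a `mismatch` of True on a .doc together with non-empty `external_refs` is the pattern this report shows, and the listed URLs are what to block or hunt for before the document is ever opened.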
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3052 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Embargo+Bancario.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 | | | |
2652 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | taskeng.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: NTVDM.EXE; Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION); Version: 6.1.7600.16385 (win7_rtm.090713-1255). Parent is taskeng.exe (Task Scheduler), not WINWORD.EXE, so the process tree alone does not tie this crash to the document. | | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREA10.tmp.cvr | — | — | —
3052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\764DF9A3.png | — | — | —
3052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5FF1C6A9.png | — | — | —
2652 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs6DB7.tmp | — | — | —
2652 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs6DF7.tmp | — | — | —
3052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9AEF6C96.png | — | — | —
3052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\74579F48.png | — | — | —
3052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1BBAFE40-EA69-493A-BA95-5D9F57E0B648}.tmp | — | — | —
3052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F26BBDD6-644C-4DB8-AF83-F352B857D5C4}.tmp | — | — | —
3052 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{DCD9A573-892E-412A-A8F2-FC708DC21238}.tmp | — | — | —
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3052 | WINWORD.EXE | GET | 404 | 162.213.255.108:80 | http://medicosempresa.com/image/win.jpg | US | html | 330 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3052 | WINWORD.EXE | 162.213.255.108:80 | medicosempresa.com | Namecheap, Inc. | US | suspicious |
Domain | IP | Reputation
---|---|---
medicosempresa.com | — | malicious