Field | Value
---|---
File name | INVOICE NO. BKC-003-2019 SMS AIR 04 CTN - STYLE# 1000049650.doc
Full analysis | https://app.any.run/tasks/ac2ac9dd-c49f-4195-bf18-45d764997579
Verdict | Malicious activity
Analysis date | January 18, 2019, 13:36:08
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/octet-stream
File info | data
MD5 | D090E7E33FBE4BDD8E86453E59EA9E8A
SHA1 | 14446C6B0EE6D5F0C970E5C2AFD65C49235B0291
SHA256 | 16CDFFBB5F5F2C44B1ABC3839B1AF0F0117F33940CB991822EB7BC2F11594D37
SSDEEP | 96:HJpWT5pUq/yWEm+P5Gk3Jl6AxFJ5iKr6OsWGwcEvwMn1Vg56SyoZTdCQVOkUTNcj:PW2p5P5l6AxF/Q2c01q5tZT38p6

Note that file typing reports the sample as unidentified data (MIME application/octet-stream) rather than as a Word compound document, so the .doc extension is not backed by the container format Word normally writes.
Processes

PID | CMD | Path | Indicators | Parent process | Process details
---|---|---|---|---|---
3000 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\INVOICE NO. BKC-003-2019 SMS AIR 04 CTN - STYLE# 1000049650.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3268 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
3104 | "C:\Users\admin\AppData\Local\Temp\fedwser657.exe" | C:\Users\admin\AppData\Local\Temp\fedwser657.exe | — | EQNEDT32.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.3.9600.16441 (winblue_gdr.131021-1506)
3224 | "C:\Users\admin\AppData\Local\Temp\fedwser657.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | — | fedwser657.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 4.6.1055.0 built by: NETFXREL2

Three points in this tree matter for detection. First, EQNEDT32.EXE (Equation Editor) is activated out-of-process by DCOM, so its parent is svchost.exe with the -Embedding switch, not WINWORD.EXE; a rule keyed on WINWORD.EXE spawning EQNEDT32.EXE will not fire, whereas EQNEDT32.EXE spawning any child process (here PID 3104) is reliable, since the OLE server has no business starting programs. Second, PID 3104's version resource (Company Microsoft Corporation, Description Windows Explorer, Version 6.3.9600.16441) is copied from explorer.exe and does not match a freshly written Temp binary named fedwser657.exe. Third, PID 3224 reports a command line of fedwser657.exe while its on-disk image is RegAsm.exe, a mismatch consistent with the dropper starting the .NET utility and replacing its memory image (process hollowing).
Files

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREA35.tmp.cvr | — | — | —
3000 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | E19279658F5878C3F7E1BE1A1A466AB0 | E047B13A3169186D4D065FAF0C8D719E5386FBFCAC2620B1F5F7C86B7A012575
3268 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Temp\fedwser657.exe | executable | AD708D9F8D4C49B8A0FCB0B0013B5C87 | 834A5674D75F985562D2DF08A8B1CA467CE0838CB8D6493629C76BF69992E209
3104 | fedwser657.exe | C:\Users\admin\AppData\Roaming\khpljqiirw\gtvdaykqyhrsxji.exe | executable | AD708D9F8D4C49B8A0FCB0B0013B5C87 | 834A5674D75F985562D2DF08A8B1CA467CE0838CB8D6493629C76BF69992E209
3104 | fedwser657.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gtvdaykqyhrsxji.eu.url | ini | 8E5660FE8328648FA34E05627D39CFEF | E583B3845082500DB009097855B92143E89E83DF64FBAB8C7C18F7994DAFFE70
3000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$VOICE NO. BKC-003-2019 SMS AIR 04 CTN - STYLE# 1000049650.doc | pgc | AEF83929CB625D4BDF928D85410345B1 | B2BFAC9DEA6C6938D8F363D65E349743CF2984DB1EB973B0AFB124BCC422D78B
3268 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\windows-update[1].123 | executable | AD708D9F8D4C49B8A0FCB0B0013B5C87 | 834A5674D75F985562D2DF08A8B1CA467CE0838CB8D6493629C76BF69992E209

The WinINet cache entry windows-update[1].123, the Temp file fedwser657.exe and the Roaming copy gtvdaykqyhrsxji.exe carry the same hash: the PE fetched over HTTP is the dropper, which Equation Editor writes to Temp and executes, and which then copies itself into a randomly named Roaming folder and writes a .url shortcut into the Startup folder for persistence. The .cvr file and the two ~$ lock files are ordinary Word artifacts.
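As an added example (not part of the ANY.RUN report or its tooling), the triage checks a responder would run over the process tree and file list above, in Python. The PROCESSES and FILE_EVENTS records are constructed from the two tables on this page; the record layout, the check names and the small masquerade lookup table are assumptions of the example.

```python
"""Triage checks over a sandbox process tree and file-event list.

Added example, not part of the ANY.RUN report or its tooling. PROCESSES and
FILE_EVENTS are constructed from the tables on this page; the record layout,
the check names and the masquerade lookup table are this example's assumptions.
"""
import ntpath
from collections import defaultdict

# Constructed from the process table above: pid, parent image name, the
# Description field of the version resource, on-disk image, command line.
PROCESSES = [
    {"pid": 3000, "parent": "explorer.exe", "description": "Microsoft Word",
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\INVOICE NO. BKC-003-2019 SMS AIR 04 CTN - STYLE# 1000049650.doc"'},
    {"pid": 3268, "parent": "svchost.exe", "description": "Microsoft Equation Editor",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 3104, "parent": "EQNEDT32.EXE", "description": "Windows Explorer",
     "image": r"C:\Users\admin\AppData\Local\Temp\fedwser657.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\fedwser657.exe"'},
    {"pid": 3224, "parent": "fedwser657.exe",
     "description": "Microsoft .NET Assembly Registration Utility",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\fedwser657.exe"'},
]

DROPPER_SHA256 = "834A5674D75F985562D2DF08A8B1CA467CE0838CB8D6493629C76BF69992E209"

# Constructed from the file-events table above: (pid, path, type, sha256).
FILE_EVENTS = [
    (3000, r"C:\Users\admin\AppData\Local\Temp\CVREA35.tmp.cvr", None, None),
    (3000, r"C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm", "pgc",
     "E047B13A3169186D4D065FAF0C8D719E5386FBFCAC2620B1F5F7C86B7A012575"),
    (3268, r"C:\Users\admin\AppData\Local\Temp\fedwser657.exe", "executable", DROPPER_SHA256),
    (3104, r"C:\Users\admin\AppData\Roaming\khpljqiirw\gtvdaykqyhrsxji.exe", "executable",
     DROPPER_SHA256),
    (3104, r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gtvdaykqyhrsxji.eu.url",
     "ini", "E583B3845082500DB009097855B92143E89E83DF64FBAB8C7C18F7994DAFFE70"),
    (3000, r"C:\Users\admin\AppData\Local\Temp\~$VOICE NO. BKC-003-2019 SMS AIR 04 CTN - STYLE# 1000049650.doc",
     "pgc", "B2BFAC9DEA6C6938D8F363D65E349743CF2984DB1EB973B0AFB124BCC422D78B"),
    (3268, r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\windows-update[1].123",
     "executable", DROPPER_SHA256),
]


def cmdline_image(cmdline):
    """First token of a Windows command line, honouring a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def equation_editor_children(processes):
    """EQNEDT32.EXE is an OLE server; any child it spawns is suspicious.
    Keyed on the parent being EQNEDT32.EXE, not on WINWORD.EXE, because
    Equation Editor is launched by DCOM (svchost.exe), as the tree shows."""
    return [p["pid"] for p in processes if p["parent"].lower() == "eqnedt32.exe"]


def image_cmdline_mismatch(processes):
    """On-disk image differs from the executable named on the command line,
    the usual trace of a hollowed process (here RegAsm.exe vs fedwser657.exe)."""
    return [p["pid"] for p in processes
            if ntpath.basename(p["image"]).lower()
            != ntpath.basename(cmdline_image(p["cmdline"])).lower()]


def description_masquerade(processes):
    """Version resource claims to be a well-known binary the image name does
    not match. The lookup table is an assumption of this example."""
    claims = {"windows explorer": "explorer.exe"}
    return [p["pid"] for p in processes
            if claims.get(p["description"].lower())
            and ntpath.basename(p["image"]).lower() != claims[p["description"].lower()]]


def executables_dropped_by(processes, events, image_name):
    """PE files written by any process whose on-disk image has the given name."""
    pids = {p["pid"] for p in processes
            if ntpath.basename(p["image"]).lower() == image_name.lower()}
    return [path for pid, path, kind, _ in events if pid in pids and kind == "executable"]


def startup_persistence(events):
    """Anything written under the per-user Startup folder runs at next logon."""
    return [path for _, path, _, _ in events
            if "\\start menu\\programs\\startup\\" in path.lower()]


def hash_copies(events):
    """One SHA-256 at several paths: the download and the dropper's self-copies."""
    by_hash = defaultdict(set)
    for _, path, _, sha in events:
        if sha:
            by_hash[sha].add(path)
    return {sha: sorted(paths) for sha, paths in by_hash.items() if len(paths) > 1}


def triage(processes, events):
    """Run every check and return the findings keyed by check name."""
    return {
        "eqnedt32_children": equation_editor_children(processes),
        "image_cmdline_mismatch": image_cmdline_mismatch(processes),
        "version_masquerade": description_masquerade(processes),
        "eqnedt32_dropped_pe": executables_dropped_by(processes, events, "EQNEDT32.EXE"),
        "startup_persistence": startup_persistence(events),
        "same_hash_copies": hash_copies(events),
    }


if __name__ == "__main__":
    for check, hits in triage(PROCESSES, FILE_EVENTS).items():
        print(f"{check}: {hits}")
```

Run against these records, every check returns a hit: PID 3104 as Equation Editor's child and as the explorer.exe masquerade, PID 3224 as the image/command-line mismatch, two PE writes by EQNEDT32.EXE, the Startup .url, and three paths sharing the dropper's hash. The same functions apply unchanged to an EDR process export, provided the fields are mapped onto the record layout assumed here.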
HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3268 | EQNEDT32.EXE | GET | 200 | 195.123.228.117:80 | http://irnportcargo.com/ComBat-Engineer/windows-update.123 | BG | executable | 680 KB | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3268 | EQNEDT32.EXE | 195.123.228.117:80 | irnportcargo.com | ITL Company | BG | suspicious

DNS requests

Domain | IP | Reputation
---|---|---
irnportcargo.com | — | suspicious

The request is made by EQNEDT32.EXE itself; Equation Editor has no reason to open a network connection, so the process name alone is enough to alert on. The served body is a PE (saved as windows-update[1].123, same hash as the dropper) under a non-executable extension, and the host name reads as a look-alike of importcargo.com with "rn" in place of "m".
Threats

PID | Process | Class | Message
---|---|---|---
3268 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3268 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3268 | EQNEDT32.EXE | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)