File name: | 93eb992f1bde5212998d978bb26e53d7.rtf |
Full analysis: | https://app.any.run/tasks/b75d192f-be41-41d2-a58a-071c405a4114 |
Verdict: | Malicious activity |
Analysis date: | May 24, 2019, 02:47:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, ANSI |
MD5: | 93EB992F1BDE5212998D978BB26E53D7 |
SHA1: | ABBCA3877233E8F2E6E0F98EEAD46BDD0556C547 |
SHA256: | 29E19087CC3AB2B0EF929A5B3F78061CDC87CB64302CE9AB12302FFA7E182D1E |
SSDEEP: | 48:Mp54iWuutGfEjNMtvbDSj3xMa279806ZphyD9LhQQQzQUAUxNhHb11gb90RCZNyi:MwuUG5VoWx23yRFVS1E9fNDHy4h/1N/ |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2932 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\93eb992f1bde5212998d978bb26e53d7.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2068 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3580 | xcopy /Y c:\target c:\pwn | C:\Windows\system32\xcopy.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extended Copy Utility Exit code: 4 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE425.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2932 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:816BEA007272E3D591722A84B2EBD2E8 | SHA256:0BD48B965DD591F21A77D8C83E4C24FE5627C543192A698F7B1E1842A0EEDB5A | |||
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$eb992f1bde5212998d978bb26e53d7.rtf | pgc | |
MD5:39A7F6EC5F68686504119B10C080F758 | SHA256:A1FE73EDD5D74DA0B452D8C95B020642FE237963A3AC6008158B4B1B502931FC | |||
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8BE557DF.wmf | wmf | |
MD5:975B76E8E77D57CC386AF977A08B1E31 | SHA256:8D80E9B9B39CD00F3BFADB3B2538DC46845FE8D0E7854D5DD9C9C381150DEDAD |