File name: | 656790.doc |
Full analysis: | https://app.any.run/tasks/8640b078-3c51-4e81-b880-b30377bfad74 |
Verdict: | Malicious activity |
Analysis date: | May 24, 2019, 07:36:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | F075CD51FBF77562E415CEE4FD194A30 |
SHA1: | 4F2B5E36FBD48CB4E30F2C77F761D435F912EF1F |
SHA256: | 3574C12186C64223040A21B1C31C411E10978376F508DF2769034351F9D1BD33 |
SSDEEP: | 384:V6SbLHCRmoOhuoExekPXBIe0rIW6k0Qtfbuqq6gwhuJTul+HRAst0NGs+VjSv1WA:R4BkBExekPUFJbgw8DDnq |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2256 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\656790.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3008 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
1412 | C:\Users\admin\AppData\Local\X098765432198.exe | C:\Users\admin\AppData\Local\X098765432198.exe | — | EQNEDT32.EXE |
User: admin Company: Simon Tatham Integrity Level: MEDIUM Description: SSH, Telnet and Rlogin client Exit code: 0 Version: Release 0.67 | ||||
2960 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\requirementsshort.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2256 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3F6D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR74B1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2256 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:B19FF5CEFD1DA5D0F2805A945B570C3C | SHA256:F75A592B67565D406D9D7F15EC8C276CD6D0D5E54AD5EF87413F565E44175FC9 | |||
2256 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$6790.doc.rtf | pgc | |
MD5:491446F11C951D14EB511A3968FE9C81 | SHA256:5D78F81E07F3C215390F6D2E0C55414551DAF3662F52CF72861AFD00A91ABFE9 | |||
3008 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | |
MD5:6246764B2F554641E6CAED3777425A97 | SHA256:217B93A0B84F473D5F193217D61A272E918EB99227C487A7CBA28886AA17A0D5 | |||
2256 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:366A954E5FC76E3F0E8A778294638E41 | SHA256:82D29B6B0CAE43200E71B90B4ED6FE8C1EC3E9955BA3604DB7F17F0B3D6E9BA9 | |||
3008 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\putty[1].pos | executable | |
MD5:BA78410702F0CC8453DA1AFBB2A8B670 | SHA256:9F9E74241D59ECCFE7040BFDCBBCEACB374EDA397CC53A4197B59E4F6F380A91 | |||
2256 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\requirementsshort.rtf.LNK | lnk | |
MD5:8AC6DDD0AF867FAD2E20DA110BCB3F34 | SHA256:F04C2FE3E4E429099D7135606453672F178260D1EF9FA49BD672A2FB188D037E | |||
3008 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\X098765432198.exe | executable | |
MD5:BA78410702F0CC8453DA1AFBB2A8B670 | SHA256:9F9E74241D59ECCFE7040BFDCBBCEACB374EDA397CC53A4197B59E4F6F380A91 | |||
2256 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3008 | EQNEDT32.EXE | GET | — | 84.200.62.204:80 | http://theoldphantom.de/putty.pos | DE | — | — | suspicious |
3008 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2VCVZlO | US | html | 120 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3008 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
3008 | EQNEDT32.EXE | 84.200.62.204:80 | theoldphantom.de | Accelerated IT Services GmbH | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
theoldphantom.de |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3008 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3008 | EQNEDT32.EXE | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |