File name: | 563707f2f12748eb50afc76fa6dcc29c636729bc2338070aef842b440ce49d5a.rtf |
Full analysis: | https://app.any.run/tasks/f790c91b-f65f-4aac-a534-78a8a1cee596 |
Verdict: | Malicious activity |
Analysis date: | August 09, 2020, 02:00:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, ANSI |
MD5: | 1FBBAD28E7050F268F636BF51AD2D16D |
SHA1: | 0700FA50C362D9AE31ACEB50ACE9D8F668593E26 |
SHA256: | 563707F2F12748EB50AFC76FA6DCC29C636729BC2338070AEF842B440CE49D5A |
SSDEEP: | 1536:WItGS1qFO6cYsyfl8WrLcBXLGU4z3Mqlrr:Ic74rMqlrr |
.rtf | | | Rich Text Format (100) |
---|
InternalVersionNumber: | 2053 |
---|---|
CharactersWithSpaces: | 6 |
Characters: | 6 |
Words: | 1 |
Pages: | 1 |
TotalEditTime: | - |
RevisionNumber: | 1 |
ModifyDate: | 2020:03:04 17:45:00 |
CreateDate: | 2020:03:04 17:45:00 |
LastModifiedBy: | Microsoft Office User |
Author: | Microsoft Office User |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2772 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\563707f2f12748eb50afc76fa6dcc29c636729bc2338070aef842b440ce49d5a.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2636 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3844 | cmd.exe /c%tmp%\default.exe AC | C:\Windows\system32\cmd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2364 | C:\Users\admin\AppData\Local\Temp\default.exe AC | C:\Users\admin\AppData\Local\Temp\default.exe | cmd.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2772 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3043.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2772 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{00F36E52-616B-4158-9245-0A9C773D949A}.tmp | — | |
MD5:— | SHA256:— | |||
2772 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:0B01ACC1DA93702864E575CD3DC1D913 | SHA256:4A0564D01786CC6BD1091BD9E42C39C9028B383E91487C3F5DD1DBA20AE1B810 | |||
2772 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\default.exe | executable | |
MD5:571320CB749017FEF01D0A510733A55B | SHA256:B4335A1130DAD9166775E20D8281A3B1DA046AB14C3FED396C71D77BB6246EC4 | |||
2772 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$3707f2f12748eb50afc76fa6dcc29c636729bc2338070aef842b440ce49d5a.rtf | pgc | |
MD5:B5FECA2169AC5BCC7F2B521C26C19195 | SHA256:5FC6143DA8236B3BEA127974E8D4C0D0E4803810C088C19C3DA3F04DF2B6F063 | |||
2772 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\794E5550.wmf | wmf | |
MD5:95BB648D6EB9265EEAF0F889731B1E23 | SHA256:9639441A9D36E7E4FDA980961B75EEB334540B8CFBCEE71EB3CD857E0A838E0C |