File name: | as.doc |
Full analysis: | https://app.any.run/tasks/66643ba3-3043-4d45-809b-cefdc2e13cb9 |
Verdict: | Malicious activity |
Analysis date: | January 23, 2019, 09:56:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | 56A73B5DD47B90971D7C86F54488DFA1 |
SHA1: | B3BB8C0A9DC9911405042917301A8FE703006C38 |
SHA256: | 61F682CD6769982AA23833DA3133B69D78EA73310596B2E2AFBE15A5938942C2 |
SSDEEP: | 1536:WBsG2OiYC8X7xdHoP13Gm+xaA2J+gvhkbXLjcuMs/LTRnGS:WlhiYC81J |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2964 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\as.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3452 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR67B3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3452 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | |
MD5:7297E271120FD7A6B2D89CE93B0DF322 | SHA256:9C6008F84641655E663FF0F37424A193F831297AC6E29375969532D65AF8F09A | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:6B01A4399B399324F54D1B8A2E65AF4E | SHA256:2053FC6E06AD503565098797E40EDDF8CC5E6604C5164B385EF69A4E5CF81581 | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$as.doc | pgc | |
MD5:2D64DE8421AB3830A1F0FE1786FBDFCF | SHA256:3EDF2A29DEFBA48FC467E2F228F4D7B691F192CEBE32274B984B1BB40D57E72E | |||
3452 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3452 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2MmdlAB | US | html | 129 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3452 | EQNEDT32.EXE | 94.73.146.167:80 | vektorex.com | Cizgi Telekomunikasyon Anonim Sirketi | TR | malicious |
3452 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
vektorex.com |
| unknown |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3452 | EQNEDT32.EXE | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.Downloader httpHeader |