| Field | Value |
|---|---|
| File name | 6f59a406057d4333a18da2c6fba0d611a30e8644faaea012e7ca7350677ca0dd |
| Full analysis | https://app.any.run/tasks/38fb37fb-1db1-4dc9-8c9e-8da6994dc523 |
| Verdict | Malicious activity |
| Analysis date | January 23, 2019, 09:29:28 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags | (none) |
| Indicators | (none) |
| MIME | text/rtf |
| File info | Rich Text Format data, unknown version |
| MD5 | 3E3B9CDFF9A94D862788F6DB4DE58E01 |
| SHA1 | 34EBA8A96F44FE7816B981EDE478897E2E63AD9D |
| SHA256 | 6F59A406057D4333A18DA2C6FBA0D611A30E8644FAAEA012E7CA7350677CA0DD |
| SSDEEP | 6144:w3Ah5LS6W/lnjavdDNAbhlYPmMhhYYYYYYYlnkpv6cmOFtEiv+2pUg:W4Wd+dZdzb |
| Detected file type | .rtf, Rich Text Format (100) |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2700 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\6f59a406057d4333a18da2c6fba0d611a30e8644faaea012e7ca7350677ca0dd.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.5123.5000 |
| 2104 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7B59.tmp.cvr | — | — | — |
| 2700 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\6f59a406057d4333a18da2c6fba0d611a30e8644faaea012e7ca7350677ca0dd.LNK | lnk | C778B846C2BB4E4168B6764765D684D9 | AFB0AA73A885992D017E9981DCCD4F3490D3F9CDFAE4F517C7C6610F5E29FFA1 |
| 2700 | WINWORD.EXE | C:\Users\admin\Desktop\~$59a406057d4333a18da2c6fba0d611a30e8644faaea012e7ca7350677ca0dd.rtf | pgc | 38E5F57E567393619D980E44177EA95D | C23274A0C46A7727B42E47E1113D9004AD2D4AF2C069A84B128B3C5E9C56DA3D |
| 2104 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\2T6Zqkn[1].htm | html | E4E2DF815A5217568F9D1F308070F530 | F9AC913189702FAE9D916415C3BFCA0BBAADE6A68D956E7F62E20BD5DF08FD0C |
| 2700 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | E0114AE69E0C88D88324D46E2147D4BA | C1C2FB7045ABA3E275F5B7F27D6FAC59FDBA79FCB9AB733394EC9A107DFFBD65 |
| 2104 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\IKXRCI93.txt | text | 0781CA0813C86BFB7BB0EEE04000483A | D585B6324AB0EF0FFFF68252722D55FBD3F3AE9E214AAA15437CCA4852669D2B |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2104 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2T6Zqkn | US | html | 116 b | shared |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2104 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |

| Domain | IP | Reputation |
|---|---|---|
| bit.ly | | shared |
| a.uchi.moe | | malicious |

PID | Process | Class | Message |
---|---|---|---|
2104 | EQNEDT32.EXE | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.Downloader httpHeader |
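
The tables above show the behaviour that matters for detection: Word (PID 2700) opens the RTF, the Equation Editor (EQNEDT32.EXE, PID 2104) is started with `-Embedding` under svchost.exe rather than under WINWORD.EXE, and that Equation Editor process then fetches a bit.ly short link (HTTP 301) while the only other domain resolved, a.uchi.moe, is flagged malicious. The script below is an added example, not part of the ANY.RUN report, that turns those observations into detection logic and runs it over process and network records constructed from the report's own rows. The record layout (`pid`, `image`, `cmdline`, `parent_image`, `dest`, `url`) and the function names are this example's assumptions, not an ANY.RUN or Windows API. The parent-process detail is the point a naive rule gets wrong: an out-of-process COM server such as EQNEDT32.EXE is launched by the DCOM launcher (a svchost.exe), so a "WINWORD.EXE spawns EQNEDT32.EXE" rule never fires on this sample, and the Office host has to be correlated separately.

```python
# Added detection example; not part of the ANY.RUN report above.
# Two observations from the report drive the logic:
#   1. EQNEDT32.EXE started with "-Embedding" and parent svchost.exe. That is the
#      normal DCOM-launcher path for an out-of-process COM server, so Word is NOT
#      the parent; legitimate equation objects look identical, which makes this a
#      weak signal on its own (severity "low", and only while an Office host runs).
#   2. The same EQNEDT32.EXE PID made an outbound HTTP request. The equation editor
#      has no legitimate reason to touch the network, so this is a strong signal
#      (severity "high").
# Event records are constructed from the report's rows; the field names and
# function names below are this example's own assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    image: str          # full image path
    cmdline: str
    parent_image: str   # parent image name or path


@dataclass
class NetEvent:
    pid: int
    image: str
    dest: str           # "ip:port"
    url: Optional[str] = None


EQNEDT = "eqnedt32.exe"
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (also accepts a bare image name)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs: List[ProcEvent], nets: List[NetEvent]) -> List[dict]:
    """Return one finding per suspicious EQNEDT32.EXE PID, sorted by PID."""
    office_running = any(basename(p.image) in OFFICE_HOSTS for p in procs)
    findings: Dict[int, dict] = {}

    # Weak signal: DCOM launch of the equation editor while an Office host is up.
    for p in procs:
        if basename(p.image) != EQNEDT:
            continue
        dcom_launch = ("-embedding" in p.cmdline.lower()
                       and basename(p.parent_image) == "svchost.exe")
        if dcom_launch and office_running:
            findings[p.pid] = {
                "pid": p.pid, "severity": "low",
                "reasons": ["EQNEDT32.EXE launched via DCOM (-Embedding, parent "
                            "svchost.exe) while an Office host was running"],
            }

    # Strong signal: any network activity from the equation editor escalates.
    for n in nets:
        if basename(n.image) != EQNEDT:
            continue
        f = findings.setdefault(n.pid, {"pid": n.pid, "severity": "low", "reasons": []})
        f["severity"] = "high"
        f["reasons"].append(f"EQNEDT32.EXE connected to {n.dest}"
                            + (f" ({n.url})" if n.url else ""))

    return sorted(findings.values(), key=lambda f: f["pid"])


WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT_PATH = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
RTF = r"C:\Users\admin\Desktop\6f59a406057d4333a18da2c6fba0d611a30e8644faaea012e7ca7350677ca0dd.rtf"

# Constructed from the report's process table.
PROC_EVENTS = [
    ProcEvent(2700, WINWORD, f'"{WINWORD}" /n "{RTF}"', "explorer.exe"),
    ProcEvent(2104, EQNEDT_PATH, f'"{EQNEDT_PATH}" -Embedding', "svchost.exe"),
]
# Constructed from the report's HTTP requests table.
NET_EVENTS = [
    NetEvent(2104, EQNEDT_PATH, "67.199.248.10:80", "http://bit.ly/2T6Zqkn"),
]

if __name__ == "__main__":
    for finding in detect(PROC_EVENTS, NET_EVENTS):
        print(finding["severity"], finding["pid"], "; ".join(finding["reasons"]))
```

Against the constructed records this yields a single "high" finding for PID 2104 with both reasons attached; with the network record removed it drops to "low", and with no Office host in the process list the DCOM launch alone is not reported at all. In a real telemetry pipeline the same two checks map onto process-creation events (image, command line, parent) and network-connection events keyed by PID, and EQNEDT32.EXE spawning any child process would be a third signal worth adding.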