Field | Value |
---|---|
File name | 1570596409_1.doc |
Full analysis | https://app.any.run/tasks/ff3e80d4-d74d-497e-a39e-1f4269e59165 |
Verdict | Malicious activity |
Analysis date | October 09, 2019, 18:10:30 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MIME | text/rtf |
File info | Rich Text Format data, version 1, unknown character set |
MD5 | C4EAC56ABD34B83D19EADCA0E5215A00 |
SHA1 | 9ED767991D1037D793FE5437F23D0EEAE4B2FFAF |
SHA256 | 8352CE62DFD4C10C15F733D777DBA559353162BFD25EADC59AEC36A50B2611C9 |
SSDEEP | 6144:JCxLmyzxwHkJuy4VAbJxxWjdKfVo7d0sRPL5z9UJVf6upFcujIpbqVWt3Xn:kV9HcdKfO50sRPLRIVCuvowVWtHn |
Detected type | .rtf: Rich Text Format (100) |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
2216 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\1570596409_1.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 0 | 14.0.6024.1000 |
2164 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | admin | Design Science, Inc. | MEDIUM | Microsoft Equation Editor | 0 | 00110900 |
3796 | "C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\ldin.exe | C:\Windows\System32\cmd.exe | — | EQNEDT32.EXE | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 3221225794 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
880 | "C:\Users\admin\AppData\Local\Temp\ldin.exe" | C:\Users\admin\AppData\Local\Temp\ldin.exe | — | WINWORD.EXE | admin | `I;LBE88CG<NMMALO?C` | MEDIUM | `ACH9=;NA7:<9@P7G7G9>JHO` | 0 | 7.11.14.18 |
2172 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\Temp\ldin.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | ldin.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2800 | "C:\Users\admin\AppData\Local\Temp\ldin.exe" | C:\Users\admin\AppData\Local\Temp\ldin.exe | — | ldin.exe | admin | `I;LBE88CG<NMMALO?C` | MEDIUM | `ACH9=;NA7:<9@P7G7G9>JHO` | — | 7.11.14.18 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2216 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR102E.tmp.cvr | — | — | — |
2216 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{806EB8A4-4B22-4B1B-B962-EA2DC4F441A0}.tmp | — | — | — |
2216 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6C933EDE-68A3-4E74-BEB7-8584846E1C14}.tmp | — | — | — |
2216 | WINWORD.EXE | C:\Users\admin\Desktop\~$70596409_1.doc.rtf | pgc | DF86157B08CC348FBA404741CCA14206 | 416E6DF40F0FA497600212FFB6C9B09BC41B667B4AE97712EAEDA3D231DE2543 |
2216 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | CB3C82791EBE849DC0D5EB8F46E52FBB | 47BD043ECBFAC0525E8AE216C4D85002DDBC371D371058E02ED4020608D23258 |
2216 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | DEF63BDED1EE3934080DE7F8BFF20B07 | 12DC517B740E80053C268410CE063019919F7F74F9DBA7F3D3C35729CE52238F |
2216 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\ldin.exe | executable | E099D30F9565F697CA8945FFE60D4D95 | D706E5C758478F5118B038BD4A6ECE93C94B2ADAB51F49BB220B983DB97AA894 |
2216 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\1570596409_1.doc.rtf.LNK | lnk | 9B65D799F845DA25BB3F0DF0B29849A9 | 51819374E31278BB296054071D5441EA818DB3842055E25BE5FEF3A5595661BE |
2216 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{773FBAFA-8CCE-43FE-A78B-F83A3E08E2DA}.tmp | binary | 37612005E4BDC097BD48133B727D5923 | FF9A96EF88720249DE9FE95C4AB9EF6EEF81435C794F315A2E50F24CB99197F1 |
2216 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\1.a | text | DCD94CFCF3517AA9F1C9F47B75A08C0E | 0404FFE20E2F5CABC8913E3C9832EF6494D2EF47D5FACE1A78259BF9728BC13C |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2800 | ldin.exe | 213.208.152.205:5200 | — | Next Layer Telekommunikationsdienstleistungs- und Beratungs GmbH | AT | malicious |