File name: | scan.01.doc |
Full analysis: | https://app.any.run/tasks/9d3d2215-9f49-49d6-8c28-7d9334f6674d |
Verdict: | Malicious activity |
Analysis date: | January 23, 2019, 06:36:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | C9DE90D1B067D29A673EA0DE9B36BA1E |
SHA1: | 15B830190CFB1442B929A19198AD905D80A8D67A |
SHA256: | 84276750AD6D01A700936B21073F1482025000153EF9D3E12AB23F416F5C39DB |
SSDEEP: | 96:um2GgOM5YnGACwplB6fKsh/8z6Qb3HoNYMFOav9s4yNK:XVgOMWnjB63/ijIYUsxK |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2948 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\scan.01.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3220 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2380 | C:\Users\admin\AppData\Roaming\assat.exe | C:\Users\admin\AppData\Roaming\assat.exe | — | EQNEDT32.EXE |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR908E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3220 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@dropmybin[1].txt | text | |
MD5:036DDF66F65D7FBED880923D2E5DF3BD | SHA256:2A10D840C2383AFE26F7B1571815102A05BEA6758E65B40452350D2BE23FE588 | |||
2948 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:6E28B672E33ED44FA2233E4B0EA4D984 | SHA256:ECF9C6BE22E4A542EBECD6F2A9B2ABCD77BA994D3F8910570A44D4737F95D6E1 | |||
3220 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\oztrsl[1].exe | executable | |
MD5:B9E04A9E4B38302A4DC5D338F9B5E839 | SHA256:F27EDC5686B570A2AB494CED480BD360F1707C9402100F585D2FD032FD040D92 | |||
3220 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\assat.exe | executable | |
MD5:B9E04A9E4B38302A4DC5D338F9B5E839 | SHA256:F27EDC5686B570A2AB494CED480BD360F1707C9402100F585D2FD032FD040D92 | |||
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$can.01.doc | pgc | |
MD5:2BCA3C7EE8BEF6B608C05116167AF99C | SHA256:F509573E42670BF04D45158DCCA2DA36CC35532ACC5C5157C263C4DBA72A67E8 | |||
3220 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3220 | EQNEDT32.EXE | GET | 301 | 104.27.151.26:80 | http://files.dropmybin.me/oztrsl.exe | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3220 | EQNEDT32.EXE | 104.27.150.26:80 | files.dropmybin.me | Cloudflare Inc | US | shared |
3220 | EQNEDT32.EXE | 104.27.151.26:443 | files.dropmybin.me | Cloudflare Inc | US | shared |
3220 | EQNEDT32.EXE | 104.27.151.26:80 | files.dropmybin.me | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
files.dropmybin.me |
| malicious |