Field | Value |
---|---|
File name | SCB_MT103_31951R1903200040_190320.doc |
Full analysis | https://app.any.run/tasks/9acc2203-44bc-4fc4-8ddb-04efc9edcfd1 |
Verdict | Malicious activity |
Analysis date | March 22, 2019, 12:21:29 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MIME | text/rtf |
File info | Rich Text Format data, unknown version |
MD5 | 9A4F7961C9E99BD6C392AC1CFA6F0761 |
SHA1 | FEEEFD313F3D89B35A32F669D384765E89CC205D |
SHA256 | 89504DD3C94F0B99A69101C761A1A3A72B1983B1A691CE5C6F96214D34075906 |
SSDEEP | 3072:H2welZiYC89dKtvTaCyo9ZDeFMkk2kkMkk4kk6kkcv:H5miFNyo9NEMkk2kkMkk4kk6kkcv |
File type (extension) | .rtf: Rich Text Format (100) |

PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1476 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\SCB_MT103_31951R1903200040_190320.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
3568 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe |
 | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 | | | |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1476 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8B3F.tmp.cvr | — | — | — |
1476 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 5208E8E5DF905E12211AD249A3722751 | F0D41DB7E718F257A6A10BED01EA1DCED1396B1B5AA7534707824426894837C3 |
1476 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\SCB_MT103_31951R1903200040_190320.doc.rtf.LNK | lnk | 0AC63234C42574D0C84FC3949D808E8C | C48FFA0B38D45534C605FB6FAA1FFA7DD0B8EB1E334C25767DFDB90AC7B9C0EB |
1476 | WINWORD.EXE | C:\Users\admin\Desktop\~$B_MT103_31951R1903200040_190320.doc.rtf | pgc | 46E8536E4DA0E1B5C9D0D2D999C8E9DA | F61971B568C10AB8C925B2F41B1489BCC371603BC980F82FB0D6C1F3529CEFAC |
3568 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | 75421144ABE95A3487997D13C03072C8 | D7A0CDB1F6D323B04C7800E2C7393CE76F34C64C4684DF2E78463C1A3FE0FF5E |
1476 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 49D078DFAB25D5E3C9BA0DC7191EB69E | C4A3368F95BC9CFC3F1A19EBDBC1D83299047F14178D10D8BC1B5B778FC23B4C |
3568 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | D7A950FEFD60DBAA01DF2D85FEFB3862 | 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3568 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2FeBuWB | US | html | 114 b | shared |
3568 | EQNEDT32.EXE | GET | 403 | 103.44.63.13:80 | http://mospg.com/wp/101.jpg | HK | html | 185 b | unknown |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3568 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
3568 | EQNEDT32.EXE | 103.44.63.13:80 | mospg.com | Internet Solutions Limited | HK | unknown |

Domain | IP | Reputation |
---|---|---|
bit.ly | — | shared |
mospg.com | — | unknown |

PID | Process | Class | Message |
---|---|---|---|
3568 | EQNEDT32.EXE | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |