File name: | INV-98-UHX.doc |
Full analysis: | https://app.any.run/tasks/a1b33c42-48ed-4a04-8e55-b82f07145f8d |
Verdict: | Malicious activity |
Analysis date: | January 18, 2019, 09:58:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 367C248CF6492C5650E13F9068A40B76 |
SHA1: | BBF70243F96CCFE692D646C8497C363AE88BE1FD |
SHA256: | 9044EFFCC0B538A5302A72A3FBCF052D09789F779D2170278AAA0354325571EF |
SSDEEP: | 1536:at7aapppppppGttC+OEi8M52TrtL8quKWlV6HNfJvwxKikBvATSKiHX99A0e83LD:yC9 |
.rtf | | | Rich Text Format (100) |
---|
Upr: | {CH??NG TRÌNH }{*{CH{ƯƠNG TRÌNH }}} |
---|---|
Author: | Mr.Duoc |
LastModifiedBy: | Windows User |
CreateDate: | 2018:12:14 09:22:00 |
ModifyDate: | 2018:12:14 09:22:00 |
LastPrinted: | 2018:12:12 16:35:00 |
RevisionNumber: | 2 |
TotalEditTime: | - |
Pages: | 2 |
Words: | 265 |
Characters: | 1511 |
CharactersWithSpaces: | 1773 |
InternalVersionNumber: | 24689 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2992 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\INV-98-UHX.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3492 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3408 | C:\Users\admin\AppData\Local\Temp\1.exe | C:\Users\admin\AppData\Local\Temp\1.exe | — | EQNEDT32.EXE |
User: admin Company: interalliance Integrity Level: MEDIUM Description: HAUNTED10 Exit code: 0 Version: 3.09.0001 | ||||
2736 | :\Users\admin\AppData\Local\Temp\1.exe | C:\Users\admin\AppData\Local\Temp\1.exe | — | 1.exe |
User: admin Company: interalliance Integrity Level: MEDIUM Description: HAUNTED10 Version: 3.09.0001 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2992 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE822.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3492 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\q[1].png | executable | |
MD5:43D43DA373FD0C65988820FA00C1719A | SHA256:18ABC7398B47D0D2BC77B19750DD0A89110CABB358CB22F40491B9182AF336AA | |||
2992 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:E7B61C210005698197542125CEEC8FCF | SHA256:AABB3BCAB2DECA4FCB0202CDDE079E717F6BDBDD72C69CB0CC36D8F468AE9A3A | |||
3492 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A | |||
3492 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Temp\1.exe | executable | |
MD5:43D43DA373FD0C65988820FA00C1719A | SHA256:18ABC7398B47D0D2BC77B19750DD0A89110CABB358CB22F40491B9182AF336AA | |||
3408 | 1.exe | C:\Users\admin\AppData\Local\Temp\~DF6D0550B59CAF0C9D.TMP | binary | |
MD5:D24115B537CADAB89F4884B3C651C5E0 | SHA256:8AFCCE0322506ADD5662970A4D4D074F23A7444D6F07B9CB9EE018E9A8D57659 | |||
2992 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$V-98-UHX.doc.rtf | pgc | |
MD5:1DE96A9ED487D19B7B5DA19680B6E688 | SHA256:86485A0A03AA3BE58013138DAFA54CD595D185DDD7962B85AA5273104C0B6B37 | |||
3492 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | |
MD5:D88AA96F9A42D5A7E6F2094FCDA60E4F | SHA256:161F61815E8905D42AB21085CB6C70636E178FE98BD1A06FD4B08E250B076967 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3492 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2HiWP5m | US | html | 117 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3492 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
3492 | EQNEDT32.EXE | 65.60.35.58:443 | aoiap.org | SingleHop, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
aoiap.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3492 | EQNEDT32.EXE | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.Downloader httpHeader |