| Field | Value |
|---|---|
| File name | 9528dd205c12965052a21163025d11e77bad70023a9fe01c13d759d213026420.rtf |
| Full analysis | https://app.any.run/tasks/fc414c23-ebf3-48fe-8267-9651c421ff39 |
| Verdict | Malicious activity |
| Analysis date | July 17, 2019, 15:14:49 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | text/rtf |
| File info | Rich Text Format data, version 1, unknown character set |
| MD5 | 57C1C4AA402AD334F6945EAEBB398C30 |
| SHA1 | 5B9CFA22D93FA4A37649936F0E37CBF5AD0BC34F |
| SHA256 | 9528DD205C12965052A21163025D11E77BAD70023A9FE01C13D759D213026420 |
| SSDEEP | 6144:bFFJ+Rf3z9iieqZIlRypuceO3cUrwz5brt/r7L7O8+ZP989EL35eDW:hvMf3z9ii5IlR3Ccgwlx/r7nOO9ED5e6 |
| Extension | Identified type |
|---|---|
| .rtf | Rich Text Format (100) |
| Document metadata | Value |
|---|---|
| InternalVersionNumber | 32859 |
| CharactersWithSpaces | - |
| Company | MFA KR |
| Characters | - |
| Words | - |
| Pages | 1 |
| TotalEditTime | 1 minute |
| RevisionNumber | 6 |
| LastPrinted | 2013:07:23 09:55:00 |
| ModifyDate | 2019:06:19 16:29:00 |
| CreateDate | 2018:06:14 02:55:00 |
| LastModifiedBy | Administrator |
| Author | ILD |
| PID | Parent process | Command line | Image path | User | Integrity level | Exit code | Version | Description, company | Indicators |
|---|---|---|---|---|---|---|---|---|---|
| 3696 | explorer.exe | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\9528dd205c12965052a21163025d11e77bad70023a9fe01c13d759d213026420.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | admin | MEDIUM | 0 | 14.0.6024.1000 | Microsoft Word, Microsoft Corporation | — |
| 2036 | svchost.exe | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | admin | MEDIUM | 0 | 00110900 | Microsoft Equation Editor, Design Science, Inc. | |
| 3736 | explorer.exe | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\bagdiscount.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | admin | MEDIUM | 0 | 14.0.6024.1000 | Microsoft Word, Microsoft Corporation | — |
| 1260 | WINWORD.EXE | rundll32.exe C:\Users\admin\AppData\Roaming\Microsoft\Word\Startup\calc.wll,run_03 | C:\Windows\system32\rundll32.exe | admin | MEDIUM | | 6.1.7600.16385 (win7_rtm.090713-1255) | Windows host process (Rundll32), Microsoft Corporation | |
| 1984 | rundll32.exe | rundll32.exe C:\Users\admin\AppData\Roaming\Microsoft\Word\Startup\calc.wll,run_03 | C:\Windows\system32\rundll32.exe | admin | MEDIUM | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) | Windows host process (Rundll32), Microsoft Corporation | — |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD08E.tmp.cvr | — | — | — |
| 3696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C42D7796-B314-4596-A8A4-94E8B014CCC4}.tmp | — | — | — |
| 3696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8BEA8905-6D6C-42E6-BB67-D43477105044}.tmp | — | — | — |
| 3736 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB9A1.tmp.cvr | — | — | — |
| 3736 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{008662E9-3EC9-44DE-BD23-7D3757F5E4A5}.tmp | — | — | — |
| 3736 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0887256C-1242-4B3A-BBD0-00693647A62C}.tmp | — | — | — |
| 3696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\8.t | binary | 5CEABE96F782D56288B6043AE8DF4758 | AF3066C08703A3F9704EC85653985CF71950B6DD1AB9E3CCD8A1FF4B18CFFDE2 |
| 3696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$28dd205c12965052a21163025d11e77bad70023a9fe01c13d759d213026420.rtf | pgc | 62B98C4964B8878E21AB13B68172F2AD | 57D738581A6E2B37BC1FEE78D94FEAD3DA329B38F4F3F33210CD8A423A7E5032 |
| 3736 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\bagdiscount.rtf.LNK | lnk | 1E6966B99EDFA3B6F3B2867A70ED7C78 | 5C6678CEBB1EBF6AB4FE1D25B23E7A7981BC5B548C2F3C736C40CC57AD6AA473 |
| 3696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AE69ABB5-497C-433F-B19C-08D933A03D9C}.tmp | binary | 1BE328964B19BED55008117B86FBE536 | 60F6017D310A7D537B02B6C9ED1825D46AA73DC331CF2EBBDBEC22960206D6D3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1260 | rundll32.exe | POST | — | 77.244.211.51:80 | http://77.244.211.51/ | RU | — | — | malicious |
1260 | rundll32.exe | POST | — | 77.244.211.51:80 | http://77.244.211.51/ | RU | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1260 | rundll32.exe | 77.244.211.51:80 | — | OOO Network of data-centers Selectel | RU | malicious |
PID | Process | Class | Message |
---|---|---|---|
1260 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] HttpBackDoorForClient |
1260 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] HttpBackDoorForClient |
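The process, file and network tables above show one chain: Word opens the RTF, Equation Editor (EQNEDT32.EXE) is started out of process under svchost.exe with -Embedding, a .wll add-in appears in the user's Word Startup folder (a folder Word loads automatically at launch), rundll32.exe runs an export from it, and that rundll32 POSTs to a bare IP address. The following Python is an added example, not part of the ANY.RUN report: it encodes those three stages as detection rules and runs them over events constructed from this report's tables. The event schema (pid, image, cmdline, parent_image, url) and the rule names are assumptions modelled on a generic process-creation and HTTP log, not ANY.RUN's export format or any particular EDR.

```python
"""Heuristic detection for the Word -> Equation Editor -> .wll -> rundll32 -> HTTP POST
chain seen in the report above (added example, not part of the report).

The event schema below is an assumption modelled on a generic process-creation /
HTTP log; the sample events are constructed from the report's tables.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the started executable
    cmdline: str
    parent_image: str   # image name of the parent process


@dataclass(frozen=True)
class NetEvent:
    pid: int
    method: str
    url: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# A .wll (Word add-in DLL) under any "Word\Startup" folder. Word loads every
# add-in in its Startup folder on launch, so a dropped .wll is also persistence.
WLL_IN_STARTUP_RE = re.compile(r'[A-Za-z]:\\[^",]*?\\Word\\Startup\\[^\\",]+\.wll', re.I)

# http(s)://<dotted quad>[:port]/ with no hostname at all.
BARE_IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(procs, nets):
    """Return (rule, pid, detail) findings in first-seen order, de-duplicated."""
    findings, seen = [], set()

    def emit(rule, pid, detail):
        key = (rule, pid, detail)
        if key not in seen:
            seen.add(key)
            findings.append(key)

    office_open = any(basename(p.image) in OFFICE_APPS for p in procs)
    wll_pids = set()

    for p in procs:
        name = basename(p.image)
        # Stage 1: Equation Editor started as an out-of-process COM server
        # (-Embedding, typically parented by svchost.exe) while Office is open.
        if name == "eqnedt32.exe" and "-embedding" in p.cmdline.lower() and office_open:
            emit("equation_editor_spawn", p.pid,
                 f"{p.cmdline} (parent {basename(p.parent_image)})")
        # Stage 2: rundll32 running an export of a .wll from a Word Startup folder.
        if name == "rundll32.exe":
            m = WLL_IN_STARTUP_RE.search(p.cmdline)
            if m:
                wll_pids.add(p.pid)
                emit("wll_in_word_startup", p.pid, m.group(0))

    # Stage 3: one of those rundll32 processes POSTing to a URL that is only an IP.
    for n in nets:
        if n.pid in wll_pids and n.method.upper() == "POST" and BARE_IP_URL_RE.match(n.url):
            emit("post_to_bare_ip", n.pid, n.url)
    return findings


def chain_complete(findings) -> bool:
    """True when all three stages were observed in the same event set."""
    rules = {f[0] for f in findings}
    return {"equation_editor_spawn", "wll_in_word_startup", "post_to_bare_ip"} <= rules


# Constructed from the report's process and HTTP request tables.
WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
RUNDLL = r"C:\Windows\system32\rundll32.exe"
WLL_CMD = r"rundll32.exe C:\Users\admin\AppData\Roaming\Microsoft\Word\Startup\calc.wll,run_03"

SAMPLE_PROCS = [
    ProcEvent(3696, WINWORD, f'"{WINWORD}" /n "C:\\Users\\admin\\AppData\\Local\\Temp\\'
              '9528dd205c12965052a21163025d11e77bad70023a9fe01c13d759d213026420.rtf"', "explorer.exe"),
    ProcEvent(2036, EQNEDT, f'"{EQNEDT}" -Embedding', "svchost.exe"),
    ProcEvent(3736, WINWORD, f'"{WINWORD}" /n "C:\\Users\\admin\\Desktop\\bagdiscount.rtf"', "explorer.exe"),
    ProcEvent(1260, RUNDLL, WLL_CMD, "WINWORD.EXE"),
    ProcEvent(1984, RUNDLL, WLL_CMD, "rundll32.exe"),
]
SAMPLE_NETS = [
    NetEvent(1260, "POST", "http://77.244.211.51/"),
    NetEvent(1260, "POST", "http://77.244.211.51/"),
]


def run_sample():
    return detect(SAMPLE_PROCS, SAMPLE_NETS)


if __name__ == "__main__":
    for rule, pid, detail in run_sample():
        print(f"{pid:>5}  {rule:<24} {detail}")
    print("full chain observed:", chain_complete(run_sample()))
```

Each stage is worth alerting on by itself: an out-of-process Equation Editor launch is rare on a desktop that is not editing equations, a .wll in the roaming Word Startup folder is a user-writable autoload location, and rundll32 with an outbound POST to a bare IP has no benign explanation. The `chain_complete` check is only there to raise confidence when all three fire in one session, as they do in this report.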