Field | Value
---|---
File name | a7aead565341c4a3a3f8867a3ca3c9ab
Full analysis | https://app.any.run/tasks/0cc8d526-3e21-42c5-ba01-02c905d1f7d2
Verdict | Malicious activity
Analysis date | July 18, 2019, 03:14:37
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/rtf
File info | Rich Text Format data, version 1, unknown character set
MD5 | A7AEAD565341C4A3A3F8867A3CA3C9AB
SHA1 | 61EDA60023DA167657C1B89251E4C11CC40DF87A
SHA256 | A2D41FFA099E587EB692A7E90B37B978A4A49E4F2A00BA383027F1DBC10328AC
SSDEEP | 768:qaKf8YDEP6d3MzuuUdjTCMJhIS4NX8l0l/cHnQeEHpljeDXrdBj1ANlY7S4cwHNX:qfCqNdjOi4UHHQxJlwrdboY7Scttt
Extension | Detected type (score)
---|---
.rtf | Rich Text Format (100)
Document property | Value
---|---
InternalVersionNumber | 57433
CharactersWithSpaces | 39
Characters | 34
Words | 6
Pages | 1
TotalEditTime | 2 minutes
RevisionNumber | 1
ModifyDate | 2019:06:16 21:53:00
CreateDate | 2019:06:16 21:51:00
LastModifiedBy | Karla
Author | Karla
PID | CMD | Path | Indicators | Parent process | User | Integrity level | Description | Version | Exit code
---|---|---|---|---|---|---|---|---|---
3684 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\a7aead565341c4a3a3f8867a3ca3c9ab.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | admin | MEDIUM | Microsoft Word | 14.0.6024.1000 | 
3976 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | admin | MEDIUM | Microsoft Excel | 14.0.6024.1000 | 0
2844 | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3 > nul & start C:\Users\Public\WindowsDefender.vbs | C:\Windows\System32\cmd.exe | — | EXCEL.EXE | admin | MEDIUM | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0
3192 | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & start C:\Users\Public\atach.vbs | C:\Windows\System32\cmd.exe | — | EXCEL.EXE | admin | MEDIUM | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0
2136 | ping 127.0.0.1 -n 3 | C:\Windows\system32\PING.EXE | — | cmd.exe | admin | MEDIUM | TCP/IP Ping Command | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
1356 | ping 127.0.0.1 -n 5 | C:\Windows\system32\PING.EXE | — | cmd.exe | admin | MEDIUM | TCP/IP Ping Command | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
3448 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\WindowsDefender.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe | admin | MEDIUM | Microsoft ® Windows Based Script Host | 5.8.7600.16385 | 0
3344 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\atach.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe | admin | MEDIUM | Microsoft ® Windows Based Script Host | 5.8.7600.16385 | 0
1860 | "C:\Users\Public\amsi.dll" "C:\Users\Public\atach.vbs" | C:\Users\Public\amsi.dll | — | WScript.exe | admin | MEDIUM | Microsoft ® Windows Based Script Host | 5.8.7600.16385 | 0
844 | C:\Windows\system32\svchost.exe -k netsvcs | C:\Windows\System32\svchost.exe | — | services.exe | SYSTEM | SYSTEM | Host Process for Windows Services | 6.1.7600.16385 (win7_rtm.090713-1255) | 

Every process above reports Company: Microsoft Corporation in its version resource, including the one at C:\Users\Public\amsi.dll.

Notes on the tree:

- EXCEL.EXE (PID 3976) is started with the COM `-Embedding` switch and its parent is svchost.exe, not WINWORD.EXE. That is what an out-of-process COM server launched by DCOM looks like, consistent with an embedded Excel object in the RTF being activated; a detection that only looks for a shell whose parent is WINWORD.EXE will not see this chain.
- Both cmd.exe instances (PIDs 2844 and 3192) use `ping 127.0.0.1 -n N > nul` as a short delay (roughly N-1 seconds, one echo per second against loopback) before `start`ing a .vbs from C:\Users\Public, a world-writable directory.
- PID 1860 runs from C:\Users\Public\amsi.dll but carries the same description and version as the WScript.exe rows (Microsoft ® Windows Based Script Host, 5.8.7600.16385): a copy of the script host renamed to a DLL-looking filename. Rules keyed on the image name wscript.exe miss it; match on the version-resource description, or on script interpreters executing from user-writable paths, instead.
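The checks described in the notes above, written out as detection logic and run over a copy of this report's process table. This is an added example, not ANY.RUN's code; the event list is constructed by hand from the rows above (PIDs, image paths, command lines, parent names and descriptions as listed), and the field names and rule names are this example's own assumptions rather than an ANY.RUN or Sysmon schema. The rules generalize slightly beyond this sample (other Office binaries, other script extensions) where the pattern is the same.

```python
"""Detection rules for the process tree in this report.

Added example, not ANY.RUN's code. EVENTS is hand-built from the process
table above; field names and rule names are this example's own choices.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str        # image path as reported
    cmdline: str
    parent: str       # parent image name as the report shows it (no PPID given)
    description: str  # FileDescription from the version resource

OFF = r"C:\Program Files\Microsoft Office\Office14"
WSH_DESC = "Microsoft ® Windows Based Script Host"

# Constructed from the report's process table (assumed input, not live telemetry).
EVENTS = [
    ProcEvent(3684, OFF + r"\WINWORD.EXE",
              f'"{OFF}\\WINWORD.EXE" /n "C:\\Users\\admin\\AppData\\Local\\Temp\\a7aead565341c4a3a3f8867a3ca3c9ab.rtf"',
              "explorer.exe", "Microsoft Word"),
    ProcEvent(3976, OFF + r"\EXCEL.EXE", f'"{OFF}\\EXCEL.EXE" -Embedding',
              "svchost.exe", "Microsoft Excel"),
    ProcEvent(2844, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3 > nul & start C:\Users\Public\WindowsDefender.vbs',
              "EXCEL.EXE", "Windows Command Processor"),
    ProcEvent(3192, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & start C:\Users\Public\atach.vbs',
              "EXCEL.EXE", "Windows Command Processor"),
    ProcEvent(2136, r"C:\Windows\system32\PING.EXE", "ping 127.0.0.1 -n 3",
              "cmd.exe", "TCP/IP Ping Command"),
    ProcEvent(3448, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\WindowsDefender.vbs"',
              "cmd.exe", WSH_DESC),
    ProcEvent(1860, r"C:\Users\Public\amsi.dll",
              r'"C:\Users\Public\amsi.dll" "C:\Users\Public\atach.vbs"',
              "WScript.exe", WSH_DESC),
    ProcEvent(844, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k netsvcs",
              "services.exe", "Host Process for Windows Services"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
PING_SLEEP_RE = re.compile(
    r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)\s*>\s*nul\s*&\s*start\s+(\S+)", re.I)
PUBLIC_SCRIPT_RE = re.compile(
    r'c:\\users\\public\\[^\s"]+\.(?:vbs|vbe|js|jse|hta|ps1|bat|cmd)\b', re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_ping_sleep_start(cmdline):
    """(echo count, started path) for the 'ping 127.0.0.1 -n N > nul & start X' delay idiom, else None."""
    m = PING_SLEEP_RE.search(cmdline)
    return (int(m.group(1)), m.group(2)) if m else None

def office_via_dcom(ev):
    # Office started by the DCOM launcher (svchost) with -Embedding: an embedded object, not a user double-click.
    return (basename(ev.image) in OFFICE_APPS and ev.parent.lower() == "svchost.exe"
            and "-embedding" in ev.cmdline.lower())

def office_spawned_shell(ev):
    return ev.parent.lower() in OFFICE_APPS and basename(ev.image) in SHELLS

def renamed_script_host(ev):
    # The WSH version resource survives a rename of the binary; the image name does not.
    if WSH_DESC.lower() not in ev.description.lower():
        return False
    ok_name = basename(ev.image) in {"wscript.exe", "cscript.exe"}
    ok_dir = ev.image.lower().startswith("c:\\windows\\")
    return not (ok_name and ok_dir)

def script_in_public_dir(ev):
    return PUBLIC_SCRIPT_RE.search(ev.cmdline) is not None

RULES = {
    "office_via_dcom": office_via_dcom,
    "office_spawned_shell": office_spawned_shell,
    "ping_sleep_then_start": lambda ev: parse_ping_sleep_start(ev.cmdline) is not None,
    "renamed_script_host": renamed_script_host,
    "script_in_public_dir": script_in_public_dir,
}

def evaluate(events):
    """Sorted (pid, rule_name) pairs for every rule that fires on every event."""
    return sorted((ev.pid, name) for ev in events for name, rule in RULES.items() if rule(ev))
```

Run against EVENTS, the rules fire on 3976 (DCOM-launched Excel), 2844 and 3192 (Office-spawned cmd with the ping delay and a Public-directory script), 3448 (script from Public) and 1860 (renamed script host plus script from Public); the bare `ping 127.0.0.1 -n 3` of PID 2136 and the legitimate WScript.exe of 3448 do not trip `renamed_script_host`, which is the point of keying on the version resource rather than the image name.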
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3684 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF8B8.tmp.cvr | — | — | —
3976 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR182.tmp.cvr | — | — | —
3976 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFE4D419492EA3C1DB.TMP | — | — | —
1632 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\CVRAD33.tmp.cvr | — | — | —
3684 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFC914459B483F85A6.TMP | — | — | —
1324 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRBE9.tmp.cvr | — | — | —
844 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | txt | E929AD9A619EBF5D337285414CE97C3D | BAD478325EDBAF575E4F0C86C3B028CAB766089AE89740B0A8802D193EA39759
3976 | EXCEL.EXE | C:\Users\Public\atach.vbs | text | 6A38E73B9B0B30879A19EF216E19AB91 | 0E2DB9B565821E3DE073F9E3124F88EB1D795226B8241554A005086141EA4FCD
3976 | EXCEL.EXE | C:\Users\Public\WindowsDefender.vbs | text | 7F2A202549A7CE9E21FA866B234E6E1F | 81D128737CE4EC69BCAB76FFA039B80C84A1E8001DB603029DA878E766BD0E9D
3976 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\yvyE642L[1].txt | text | 7F2A202549A7CE9E21FA866B234E6E1F | 81D128737CE4EC69BCAB76FFA039B80C84A1E8001DB603029DA878E766BD0E9D

Notes on the file events:

- The IE cache entry yvyE642L[1].txt written by EXCEL.EXE has exactly the same MD5 and SHA256 as C:\Users\Public\WindowsDefender.vbs, so that second-stage script was downloaded (the only outbound connection recorded for EXCEL.EXE is pastebin.com:443, below) and written to the Public directory unchanged. atach.vbs has a different hash and no matching cached download appears in this report.
- C:\Windows\appcompat\programs\RecentFileCache.bcf, written by the netsvcs svchost (PID 844), is the Windows 7 Application Experience service's list of recently executed binaries. Pull it during triage: it should record the execution of C:\Users\Public\amsi.dll even if the file has since been removed.
- PIDs 1632 (excelcnv.exe) and 1324 (EXCEL.EXE) appear here but have no row in the process table above.
PID | Process | IP:port | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3976 | EXCEL.EXE | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared
1324 | EXCEL.EXE | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared
1860 | amsi.dll | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared
3724 | amsi.dll | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared

Every recorded connection goes to pastebin.com over TLS (port 443), from both Excel instances and from two instances of the renamed script host (PID 3724 has no row in the process table above).

Domain | IP | Reputation
---|---|---
pastebin.com | | shared