| Field | Value |
|---|---|
| File name | Payments.doc |
| Full analysis | https://app.any.run/tasks/8f695b13-7ef5-4f8f-8272-a522c521479a |
| Verdict | Malicious activity |
| Analysis date | April 15, 2019, 12:47:09 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | text/rtf |
| File info | Rich Text Format data, unknown version |
| MD5 | 687E6860F3512060DCE67BBE92E8D213 |
| SHA1 | 8B21BF6BD8F48A91E0445BE02666C9CB2110A7B1 |
| SHA256 | AB15B95275561F7462BBE6FC9926DBF2E5E049EB40BE62E5EA51889708F7FCF7 |
| SSDEEP | 24576:ne+wxme+wxme+wxzo9huHVo9cVe+wxme+wxme+wxzo9huHVo9cg:u |
| Detected type | .rtf: Rich Text Format (100) |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3276 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Payments.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 760 | "C:\Users\admin\AppData\Roaming\payments.exe" | C:\Users\admin\AppData\Roaming\payments.exe | — | WINWORD.EXE | User: admin; Company: AxInstSv; Integrity Level: MEDIUM; Description: aitstatic; Version: 269.40.279.184 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3276 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6832.tmp.cvr | — | — | — |
| 3276 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E0265A20.png | — | — | — |
| 3276 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\76FB53A1.png | — | — | — |
| 3276 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 03F75A861CC10AD1C3318BEB891B725B | 7EBE4AE513B230A4E93B55D5C5B1A8281E935A6A42B38FA33B58EA5B73980E58 |
| 3276 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\payments.exe | executable | 23CC62774BA135511D52DECC03546CBF | 007D3DCD431618F92C5D56F882EFA7662D5F7C3D75892741E756CEAFE07E1CF0 |
| 3276 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\ley2-bin_Protected[1].exe | executable | 23CC62774BA135511D52DECC03546CBF | 007D3DCD431618F92C5D56F882EFA7662D5F7C3D75892741E756CEAFE07E1CF0 |
| 3276 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$yments.doc.rtf | pgc | BCB50CF3DAB39D3896260F570FB06349 | 629EC32A348FB83452880D2275635AE7D09F88F1324CFAB6F479FE69910EAC14 |
| 3276 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Abctfhghghghghg.sct | binary | F92213E4261EDEC5B9620EC5F5F41D73 | D2F8FE3C0DA973F14D7D60BA7C07106DC63374CCA005786DDD5F62C8CABAC6A0 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3276 | WINWORD.EXE | 23.226.129.107:443 | wareen.com | QuadraNet, Inc | US | malicious |
| Domain | IP | Reputation |
|---|---|---|
| wareen.com | | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
| 3276 | WINWORD.EXE | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |