URL: | http://80.82.66.58/sqrf/Priceneeded.doc |
Full analysis: | https://app.any.run/tasks/49fdbb53-caf5-43de-9be0-0ff1088b842f |
Verdict: | Malicious activity |
Analysis date: | April 25, 2019, 09:48:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | B4D52E5FA1B1BFD968E53627E77B47A4 |
SHA1: | 5853F9024972B091765C68BAC5CB1050749194F6 |
SHA256: | AB1FC6B7E0B8435F71914258B03AB8DFEDCD94C9826949C92675367F5460FE13 |
SSDEEP: | 3:N1KgYKYXLBKG:CgYKYb8G |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3692 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
1204 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3692 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2776 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1244 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
1252 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3128 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3884 | "C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding | C:\Program Files\Microsoft Office\Office14\excelcnv.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3692 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3692 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
1204 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EEBSHOBZ\errorPageStrings[1] | text | |
MD5:1A0563F7FB85A678771450B131ED66FD | SHA256:EB5678DE9D8F29CA6893D4E6CA79BD5AB4F312813820FE4997B009A2B1A1654C | |||
1204 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT | smt | |
MD5:2D7A02B353FC357326F455B482A4EEDA | SHA256:3E5C8CCF572ED9DC0AA4877D4D86D40E9882A03F7846F6F1DA9C52DE6B24D7AE | |||
1204 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PCGUHHLC\down[1] | image | |
MD5:555E83CE7F5D280D7454AF334571FB25 | SHA256:70F316A5492848BB8242D49539468830B353DDAA850964DB4E60A6D2D7DB4880 | |||
1204 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:A068406B8907467D7B413328F3F94660 | SHA256:D71E7FA3D55DF0C1C007CA6F605B71EA3C6D1808A8CC4A640CB776D23094DBB0 | |||
1204 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:D94B1514337AB67838980BCC697FDB8E | SHA256:7BD20A804323AF613C359133360371F5A9E69CC9C877EF841F7AF8E9C3CEFBB9 | |||
1204 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PCGUHHLC\httpErrorPagesScripts[1] | text | |
MD5:E7CA76A3C9EE0564471671D500E3F0F3 | SHA256:58268CA71A28973B756A48BBD7C9DC2F6B87B62AE343E582CE067C725275B63C | |||
3692 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\StructuredQuery.log | text | |
MD5:04E173A8125E70C727DD9B31ADDF3B68 | SHA256:CA684527DF7C854BD7B1B5A5A32E0AADE9131D9DC0A2C3026954C10E396D572E | |||
1204 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2U5H5XHK\desktop.ini | ini | |
MD5:4A3DEB274BB5F0212C2419D3D8D08612 | SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2776 | WINWORD.EXE | OPTIONS | 200 | 80.82.66.58:80 | http://80.82.66.58/sqrf/ | SC | — | — | suspicious |
1204 | iexplore.exe | GET | 200 | 80.82.66.58:80 | http://80.82.66.58/sqrf/ | SC | html | 599 b | suspicious |
1204 | iexplore.exe | GET | 200 | 80.82.66.58:80 | http://80.82.66.58/icons/binary.gif | SC | image | 246 b | suspicious |
2776 | WINWORD.EXE | HEAD | 200 | 80.82.66.58:80 | http://80.82.66.58/sqrf/List_of_Needed_Appliances_Legisterra_Housing.doc | SC | — | — | suspicious |
3692 | iexplore.exe | GET | 404 | 80.82.66.58:80 | http://80.82.66.58/favicon.ico | SC | html | 286 b | suspicious |
1204 | iexplore.exe | GET | 200 | 80.82.66.58:80 | http://80.82.66.58/sqrf/List_of_Needed_Appliances_Legisterra_Housing.doc | SC | text | 236 Kb | suspicious |
2776 | WINWORD.EXE | HEAD | 200 | 80.82.66.58:80 | http://80.82.66.58/sqrf/List_of_Needed_Appliances_Legisterra_Housing.doc | SC | — | — | suspicious |
972 | svchost.exe | PROPFIND | 301 | 80.82.66.58:80 | http://80.82.66.58/sqrf | SC | html | 309 b | suspicious |
972 | svchost.exe | PROPFIND | 301 | 80.82.66.58:80 | http://80.82.66.58/sqrf | SC | html | 309 b | suspicious |
972 | svchost.exe | OPTIONS | 301 | 80.82.66.58:80 | http://80.82.66.58/sqrf | SC | html | 309 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3692 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2776 | WINWORD.EXE | 80.82.66.58:80 | — | Quasi Networks LTD. | SC | suspicious |
1204 | iexplore.exe | 80.82.66.58:80 | — | Quasi Networks LTD. | SC | suspicious |
972 | svchost.exe | 80.82.66.58:80 | — | Quasi Networks LTD. | SC | suspicious |
3692 | iexplore.exe | 80.82.66.58:80 | — | Quasi Networks LTD. | SC | suspicious |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1204 | iexplore.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
1204 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious Request for Doc to IP Address with Terse Headers |
1204 | iexplore.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
1204 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious Request for Doc to IP Address with Terse Headers |
1204 | iexplore.exe | Misc activity | SUSPICIOUS [PTsecurity] Possible RTF CVE-2017-11882 header |
2776 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
2776 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
2776 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
2776 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Suspicious Request for Doc to IP Address with Terse Headers |
2776 | WINWORD.EXE | Misc activity | SUSPICIOUS [PTsecurity] Possible RTF CVE-2017-11882 header |