File name: | b039bf7fa59c3835de02f9c2258ea0d910394df2af2e28269a86102ce4e95bb5 |
Full analysis: | https://app.any.run/tasks/249bbbcc-55aa-4d07-b27a-45d909d4b589 |
Verdict: | Malicious activity |
Analysis date: | January 17, 2019, 21:32:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 417D653F0F024116EA6B03E5B754BA65 |
SHA1: | 346528ACF9852A8E642D87E41A731E6F28CFC769 |
SHA256: | B039BF7FA59C3835DE02F9C2258EA0D910394DF2AF2E28269A86102CE4E95BB5 |
SSDEEP: | 1536:uhB6hBAhBnhBnhBWhBWhBWhBWhBWhBWhBWhBThB6hB6hBPhBvCKEi8M52TrBLQSo:M4C//0000000L44HXDdo7WRFBB |
.rtf | | | Rich Text Format (100) |
---|
InternalVersionNumber: | 24689 |
---|---|
CharactersWithSpaces: | 1773 |
Characters: | 1511 |
Words: | 265 |
Pages: | 2 |
TotalEditTime: | - |
RevisionNumber: | 2 |
LastPrinted: | 2018:12:12 16:35:00 |
ModifyDate: | 2018:12:14 09:22:00 |
CreateDate: | 2018:12:14 09:22:00 |
LastModifiedBy: | Windows User |
Author: | Mr.Duoc |
Upr: | {CH??NG TRÌNH }{*{CH{ƯƠNG TRÌNH }}} |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2984 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\b039bf7fa59c3835de02f9c2258ea0d910394df2af2e28269a86102ce4e95bb5.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3532 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3608 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2984 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR891C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3608 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs9958.tmp | — | |
MD5:— | SHA256:— | |||
3608 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs9968.tmp | — | |
MD5:— | SHA256:— | |||
2984 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$39bf7fa59c3835de02f9c2258ea0d910394df2af2e28269a86102ce4e95bb5.rtf | pgc | |
MD5:65B2829D9E02029BF413FE6616195348 | SHA256:BB22DA7AD1B95D5EA3DD4A05AC8497FDE64329721392DB14020B3AC38606D776 | |||
3532 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\warning[1].txt | html | |
MD5:110808626304CDC10408192DA4D49599 | SHA256:FA039CA46979142C84C9D4C044187403727A062EC1282FBCBA6AF77314C2C51F | |||
3532 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Temp\1.exe | html | |
MD5:110808626304CDC10408192DA4D49599 | SHA256:FA039CA46979142C84C9D4C044187403727A062EC1282FBCBA6AF77314C2C51F | |||
3532 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bitly[1].txt | text | |
MD5:F5005C0E143F60B01AF4356687B7A9CE | SHA256:A2E42C9AD6BA6A7F144F35187A738711D33A083E2E43890AE9000D1ACA06B456 | |||
2984 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:11A215388F6C571C32906EC07668FCFA | SHA256:3684B3A876757BD96653E7770BDA3F8BAF4CEC7352F2A8C93F9B80D019D08D1A | |||
3532 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3532 | EQNEDT32.EXE | GET | 302 | 67.199.248.10:80 | http://bit.ly/2M8N20F | US | html | 173 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3532 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
3532 | EQNEDT32.EXE | 67.199.248.14:443 | bitly.com | Bitly Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
bitly.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3532 | EQNEDT32.EXE | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.Downloader httpHeader |