Field | Value
---|---
File name | bd1e7b42a9c265266b8cc5cc966470497c4f9cba2b247d1f036b6b3892106b52
Full analysis | https://app.any.run/tasks/7ebc0e6f-5295-4b33-96e6-3fa33a837054
Verdict | Malicious activity
Analysis date | April 23, 2019, 16:52:24
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/rtf
File info | Rich Text Format data, version 1, ANSI
MD5 | 07544892999B91AE2C9280D8EE3C663A
SHA1 | 28531BCFAAD25A5B1230F60F243CE617B6C237D2
SHA256 | BD1E7B42A9C265266B8CC5CC966470497C4F9CBA2B247D1F036B6B3892106B52
SSDEEP | 6144:gMnuUcvfZBaRCS1ubJ7aSRq8aV4RaGBbK6nQNQZNOyqVQSNyolVOEc2xvAk1A2CR:1uXnZBeC9+8aV4VDQa6yqY8qPzky
Extension | Detected type
---|---
.rtf | Rich Text Format (100)

Metadata field | Value
---|---
InternalVersionNumber | 24689
CharactersWithSpaces | 3570
Characters | 3044
Words | 533
Pages | 2
TotalEditTime | 5 minutes
RevisionNumber | 2
ModifyDate | 2018:01:17 09:09:00
CreateDate | 2018:01:17 09:04:00
LastModifiedBy | Windows User
Author | Windows User
Upr | {C¨¢c d? ¨¢n ?ng ph¨® bi?n ??i kh¨ª h?u: G?p nhi?u v??ng m?c}{*{C¨¢c d{ự ¨¢n ứng ph¨® biến đổi kh¨ª hậu: Gặp nhiều vướng mắc}}}
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
2172 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\bd1e7b42a9c265266b8cc5cc966470497c4f9cba2b247d1f036b6b3892106b52.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | | 14.0.6024.1000
368 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | admin | Design Science, Inc. | MEDIUM | Microsoft Equation Editor | 0 | 00110900
3920 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | EQNEDT32.EXE | admin | Design Science, Inc. | MEDIUM | Microsoft Equation Editor | 1 | 00110900
2660 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | admin | Design Science, Inc. | MEDIUM | Microsoft Equation Editor | 0 | 00110900
4064 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\ScnCfg.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\ScnCfg.exe | | explorer.exe | admin | McAfee, Inc. | MEDIUM | VirusScan On-Demand Scan Task Properties | | 8.8.0.777
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2EDD.tmp.cvr | — | — | —
2172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\8.t | binary | 4DC172D1B1A23B23A310E48CBEB1880B | 5CF920CDE20DB05C065645A633095BABA1B335E82F8AB7FD07EE20CA6EF174AA
2172 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | E0A6D871DF9AF8A843020CC2FC70CA4E | 33FAFDD37700ECE853AC83901FBEAB68A9A8E725B6B27DF6C65EDBF64767BE47
3920 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\vsodscpl.dll | executable | 91A650700F19249EF5183737689B2A26 | FFA2B23F6B6B7941D6CD1D410FF232F3B218BDE667CAAEDF7E20B3CD37A489E8
3920 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\ScnCfg.exe | executable | BD19302A58133803622E119080A5CEDA | 77361B1CA09D6857D68CEA052A0BB857E03D776D3E1943897315A80A19F20FC2
3920 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Chrome.lnk | lnk | CAE5527B17AE49E3A0F8316752C70261 | A47B843751D340A79652E7F519821C7B636CD66450DC30D47FB853C356718887
2172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$1e7b42a9c265266b8cc5cc966470497c4f9cba2b247d1f036b6b3892106b52.rtf | pgc | 2C3B68BB8CFE4392851A5B4DA5C1C35B | D38321FB2E5CF596500B811824ECEF63E7B756F6184DFE4F23996DEFB3481FE4
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
4064 | ScnCfg.exe | GET | — | 130.255.184.38:443 | http://chip.pringleas.com:… | DE | — | — | malicious
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4064 | ScnCfg.exe | 130.255.184.38:80 | chip.pringleas.com | Bradler & Krantz GmbH & Co. KG | DE | malicious |
4064 | ScnCfg.exe | 130.255.184.38:8001 | chip.pringleas.com | Bradler & Krantz GmbH & Co. KG | DE | malicious |
4064 | ScnCfg.exe | 130.255.184.38:443 | chip.pringleas.com | Bradler & Krantz GmbH & Co. KG | DE | malicious |
Domain | IP | Reputation
---|---|---
chip.pringleas.com | | malicious
dns.msftncsi.com | | shared