File name: | RFQ LIST-02.doc |
Full analysis: | https://app.any.run/tasks/0066014f-24a3-4bb2-9931-b57995efd01c |
Verdict: | Malicious activity |
Analysis date: | April 23, 2019, 14:01:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, ANSI |
MD5: | 1B057C9AFCA714E2422EA6940D4B5911 |
SHA1: | 79D9A775D4A7BD428733ED863E33CF52E004F6AE |
SHA256: | CAB6F734EDC2397267D14DCA037F2AC5CD10E0E800CAF70A9BEABCB6A61DBB3B |
SSDEEP: | 1536:rYMHtZA+9I/6/tPztNin/zy8YLVNh1Og7qag6fyo:TZA+9//lhNin/zy8Y7b |
.rtf | | | Rich Text Format (100) |
---|
InternalVersionNumber: | 30863 |
---|---|
CharactersWithSpaces: | 4897 |
Company: | |
Characters: | 1 |
Words: | - |
Pages: | 1 |
TotalEditTime: | 5 minutes |
RevisionNumber: | 1 |
ModifyDate: | 2008:09:12 06:27:00 |
CreateDate: | 2008:09:12 06:22:00 |
LastModifiedBy: | Admin |
Author: | Admin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2180 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\RFQ LIST-02.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 |
(PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | /b: |
Value: 2F623A0084080000010000000000000000000000 | |||
(PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1318518814 | |||
(PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1318518928 | |||
(PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1318518929 | |||
(PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: 840800005229890CDDF9D40100000000 | |||
(PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | 8c: |
Value: 38633A008408000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | 8c: |
Value: 38633A008408000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2180 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2E8F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2180 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3AE74239.jpg | — | |
MD5:— | SHA256:— | |||
2180 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9A0899AF.wmf | — | |
MD5:— | SHA256:— | |||
2180 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\hCXODPIbvcJrqw.txt | ini | |
MD5:AD722371EDEFCE748498200F3DBE78A7 | SHA256:23EF9F7EA8C87A734AB12D49FD20C8CE0FFA264A26B91A4D6B07A078CFCA7DC6 | |||
2180 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\99B212E6.wmf | wmf | |
MD5:5F79E7F84847D8E1AE7BEC6F4A3D1A92 | SHA256:0AB32D750CCEF11A453940C84CD65DE8542A6501FA1A01C1B1DE155A80BCF32E | |||
2180 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:E0A6D871DF9AF8A843020CC2FC70CA4E | SHA256:33FAFDD37700ECE853AC83901FBEAB68A9A8E725B6B27DF6C65EDBF64767BE47 | |||
2180 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\aa.txt | text | |
MD5:50E6B735346030CE50DF6F52F5EE0F40 | SHA256:9B00088E20A1F1B7ADACB4B1FE30254334507860C04726135A7368CE7D52529E | |||
2180 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\o.sct | html | |
MD5:45900C4A73BA97A8690B74C095F3E0FA | SHA256:AE0BC2480FAA924D86D47EFF9FB92F1B2857A42C3BD3560D818529D868756877 | |||
2180 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$Q LIST-02.doc.rtf | pgc | |
MD5:897693210C3DE5033002D53088921861 | SHA256:8C5DD9D8ECA01BE06D833A09940E1323D7A05378991C7BB2863070B6E03FA512 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2180 | WINWORD.EXE | GET | — | 5.196.247.3:80 | http://get.extra-files.com/license.txt | FR | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2180 | WINWORD.EXE | 5.196.247.3:80 | get.extra-files.com | OVH SAS | FR | malicious |
Domain | IP | Reputation |
---|---|---|
get.extra-files.com |
| malicious |