Field | Value
---|---
File name | Evrikatradings-Order.rtf
Full analysis | https://app.any.run/tasks/c90f8d74-8150-4c8f-a82b-3a7cdb4cbde8
Verdict | Malicious activity
Analysis date | November 08, 2019, 13:43:34
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | text/plain
File info | ASCII text, with very long lines, with CRLF line terminators, with escape sequences
MD5 | DA95EC916F4F7F6EFCA7E75B629ADCA1
SHA1 | 563F78FFCCB45EE1FAE5849077BD1FBB8C6DC93F
SHA256 | CB0C2EC4AAC396996B115E071E0ACBB726A542D52FDD4AC9BA34FC5E2E721C0D
SSDEEP | 1536:MBPBZBkBkBLBLBLBLBLBLBLBABPBPBPBOM41Sffj4vfuffvjfUBB5zB5RB5dB5Xy:MBPBZBkBkBLBLBLBLBLBLBLBABPBPBP7
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
584 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Evrikatradings-Order.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
584 (details) | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | |
3928 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe
3928 (details) | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
584 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA747.tmp.cvr | — | — | —
584 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$rikatradings-Order.rtf | pgc | DF85145DD4A05F25FA947CA2E9FE0B01 | F9AD4AAC1A35DEFC5915ECA253E6B2E142EAF95CD12B64900E02C8C25394C938
584 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D3E45E9E34C71A48C10FD945E9620BAF | 6CC7603DD408465CD9F4E0ED479443E49C34BDBCC43DE9FD1A9A1A1B8185537F
3928 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | C225E3C8A105B5CBDFDA2AF71DDE03E2 | 66AE305401235E94CB6440FC0C96AF8C1915E8DC64713F0B3DEC06A118E4890D
3928 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | D7A950FEFD60DBAA01DF2D85FEFB3862 | 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3928 | EQNEDT32.EXE | GET | 301 | 67.199.248.11:80 | http://bit.ly/2DxLWcy | US | html | 115 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3928 | EQNEDT32.EXE | 67.199.248.11:80 | bit.ly | Bitly Inc | US | shared |
3928 | EQNEDT32.EXE | 195.154.112.204:443 | f.coka.la | Online S.a.s. | FR | unknown |
Domain | IP | Reputation
---|---|---
bit.ly | | shared
f.coka.la | | malicious
PID | Process | Class | Message |
---|---|---|---|
3928 | EQNEDT32.EXE | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
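The process tree and network tables above show the pattern a detection engineer cares about: EQNEDT32.EXE (Microsoft Equation Editor) is activated out-of-process (`-Embedding`, parent svchost.exe) while WINWORD.EXE has the RTF open, and then makes an HTTP GET to a URL shortener followed by a TLS connection to an unrelated host. The Python below is an added example of that detection logic; it is not the sandbox's or the report's own code. The `ProcessEvent`/`NetworkEvent` classes, the rule names and the sample records are constructed here to mirror the tables, not a real sandbox API.

```python
"""Detection logic for Equation Editor (EQNEDT32.EXE) abuse.

Added example, not part of the ANY.RUN report. The sample events are
constructed by hand to mirror the report's process and network tables; the
event schema and rule names are assumptions, not a sandbox API.
"""
from dataclasses import dataclass
from typing import List, Optional

# COM/OLE servers that have no legitimate reason to touch the network.
# EQNEDT32.EXE is the one in the report; extend for other out-of-process servers.
OLE_SERVER_IMAGES = {"EQNEDT32.EXE"}
OFFICE_IMAGES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}


@dataclass
class ProcessEvent:
    pid: int
    image: str            # image file name, e.g. "EQNEDT32.EXE"
    cmdline: str
    parent_image: str     # image name of the parent process


@dataclass
class NetworkEvent:
    pid: int
    image: str
    dest: str             # "ip:port"
    domain: Optional[str] = None
    url: Optional[str] = None


@dataclass
class Alert:
    pid: int
    rule: str
    severity: str         # "info" or "high"
    detail: str


def find_equation_editor_abuse(procs: List[ProcessEvent],
                               net: List[NetworkEvent]) -> List[Alert]:
    """Return alerts for the two signals visible in the report."""
    alerts: List[Alert] = []
    office_open = any(p.image.upper() in OFFICE_IMAGES for p in procs)

    # Signal 1 (info): an OLE server activated out-of-process (-Embedding,
    # parent svchost.exe) while an Office process is running. A legitimate
    # embedded equation loads the same way, so alone this is only context.
    for p in procs:
        if (p.image.upper() in OLE_SERVER_IMAGES
                and "-Embedding" in p.cmdline and office_open):
            alerts.append(Alert(p.pid, "ole_server_activation", "info",
                                f"{p.image} started by {p.parent_image} with "
                                f"-Embedding while an Office process is running"))

    # Signal 2 (high): any network activity from an OLE server. Equation
    # Editor never needs the network; a GET to a URL shortener and a TLS
    # connection to another host is second-stage download behaviour.
    for n in net:
        if n.image.upper() in OLE_SERVER_IMAGES:
            target = n.url or n.domain or n.dest
            alerts.append(Alert(n.pid, "ole_server_network", "high",
                                f"{n.image} (pid {n.pid}) contacted {target}"))
    return alerts


def verdict(alerts: List[Alert]) -> str:
    """Collapse alerts into a sandbox-style verdict."""
    if any(a.severity == "high" for a in alerts):
        return "malicious"
    if alerts:
        return "suspicious"
    return "clean"


def network_iocs(alerts: List[Alert], net: List[NetworkEvent]) -> List[str]:
    """Domains and IPs touched by processes that raised a high-severity alert."""
    flagged = {a.pid for a in alerts if a.severity == "high"}
    iocs = set()
    for n in net:
        if n.pid in flagged:
            iocs.add(n.dest.split(":")[0])
            if n.domain:
                iocs.add(n.domain)
    return sorted(iocs)


# Constructed sample events mirroring the report's tables.
SAMPLE_PROCS = [
    ProcessEvent(584, "WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
                 r'"C:\Users\admin\AppData\Local\Temp\Evrikatradings-Order.rtf"',
                 "explorer.exe"),
    ProcessEvent(3928, "EQNEDT32.EXE",
                 r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
                 "svchost.exe"),
]
SAMPLE_NET = [
    NetworkEvent(3928, "EQNEDT32.EXE", "67.199.248.11:80", "bit.ly", "http://bit.ly/2DxLWcy"),
    NetworkEvent(3928, "EQNEDT32.EXE", "195.154.112.204:443", "f.coka.la"),
]

if __name__ == "__main__":
    found = find_equation_editor_abuse(SAMPLE_PROCS, SAMPLE_NET)
    for a in found:
        print(f"[{a.severity}] pid={a.pid} {a.rule}: {a.detail}")
    print("verdict:", verdict(found))
    print("iocs:", network_iocs(found, SAMPLE_NET))
```

Signal 1 alone yields only a "suspicious" verdict, because an ordinary document with an embedded equation produces the same `-Embedding` launch under svchost.exe; it is the network activity from EQNEDT32.EXE that turns the verdict to "malicious", matching the report's PTsecurity "Powershell.Download HTTP UserAgent" signature firing on the Equation Editor process.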