File name: | SECOEX ORDER 19891878 20191601.doc |
Full analysis: | https://app.any.run/tasks/5d0a79a0-1770-40d4-afd1-1c9cef6224c2 |
Verdict: | Malicious activity |
Analysis date: | January 17, 2019, 22:11:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | 63516C6D79A17429A0AF37EFC27283DD |
SHA1: | 2C50AB9D8405E6A78212433BA17187FB36AACBDB |
SHA256: | D44DF376D708E7B67CDB360FBC85C0723C748B042CA63C77957424F9B708D8A7 |
SSDEEP: | 1536:1X97aV1nybaTjlS986lll94+s1LczuajER3U2+x4zOz5dcXNjWTRqV9s0c1210py:1X581nybqlS98mlls1LczJjER3Urx4zh |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2972 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\SECOEX ORDER 19891878 20191601.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3212 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6A63.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2972 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:FFDDA778140572C37C6C1B9E1A88C58B | SHA256:478279FBD54E6D1EE6C21D74755708B0B3AD34CCC4069C872C81C9A3A4BF25D2 | |||
2972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$COEX ORDER 19891878 20191601.doc | pgc | |
MD5:F333F8817AEA67ADF2719B1B0F988DDA | SHA256:628CBBB0A1F4D9AC6EF6432ECA7EACF11702A4D115D72889962C129F541C21B3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3212 | EQNEDT32.EXE | GET | 404 | 193.107.36.40:80 | http://rumenbg.com/av/nnanna_stub_output89362BF.exe | BG | html | 230 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3212 | EQNEDT32.EXE | 193.107.36.40:80 | rumenbg.com | NetInfo.BG JSCo | BG | suspicious |
Domain | IP | Reputation |
---|---|---|
rumenbg.com |
| malicious |