File name:

Order.doc

Full analysis: https://app.any.run/tasks/5139d3a8-3445-4a1f-a33d-2633bc3093dd
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 07:05:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
exploit
cve-2017-11882
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

583B04889DF6E5F5D40B77C1DFF486A3

SHA1:

038509B9C5B440B72E645DEE32F60DD15480C511

SHA256:

00695CE5CA45B0C343E12B7E43B11B0B5433BAAB170053AF87D9FF12A907152F

SSDEEP:

24576:rVVtH7OYU03ftSUGSaA45TkvrxSstMWS3FegCWGyvnwrpuCnZCz1+eFLm5Ba3tZI:r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3624)

    • Application was dropped or rewritten from another process

      • hdhahhdhdhakdakdk.exe (PID: 2620)
      • hdhahhdhdhakdakdk.exe (PID: 3032)

    • Changes settings of System certificates

      • hdhahhdhdhakdakdk.exe (PID: 3032)

  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 3624)

    • Reads Internet Cache Settings

      • EQNEDT32.EXE (PID: 3624)
      • hdhahhdhdhakdakdk.exe (PID: 3032)

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3624)
      • hdhahhdhdhakdakdk.exe (PID: 3032)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3624)

    • Application launched itself

      • hdhahhdhdhakdakdk.exe (PID: 2620)

    • Adds / modifies Windows certificates

      • hdhahhdhdhakdakdk.exe (PID: 3032)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2724)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe hdhahhdhdhakdakdk.exe no specs hdhahhdhdhakdakdk.exe

Process information

PID
CMD
Path
Indicators
Parent process
2620C:\Users\admin\AppData\Roaming\hdhahhdhdhakdakdk.exeC:\Users\admin\AppData\Roaming\hdhahhdhdhakdakdk.exeEQNEDT32.EXE
User:
admin
Company:
CircusMid
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\roaming\hdhahhdhdhakdakdk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2724"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Order.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
3032C:\Users\admin\AppData\Roaming\hdhahhdhdhakdakdk.exeC:\Users\admin\AppData\Roaming\hdhahhdhdhakdakdk.exe
hdhahhdhdhakdakdk.exe
User:
admin
Company:
CircusMid
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\system32\msvbvm60.dll
c:\users\admin\appdata\roaming\hdhahhdhdhakdakdk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3624"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
Total events
1 631
Read events
928
Write events
574
Delete events
129

Modification events

(PID) Process:(2724) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:?l,
Value:
3F6C2C00A40A0000010000000000000000000000
(PID) Process:(2724) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2724) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2724) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2724) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2724) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2724) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2724) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2724) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2724) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
2
Suspicious files
4
Text files
11
Unknown types
4

Dropped files

PID
Process
Filename
Type
2724WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR7C3F.tmp.cvr
MD5:
SHA256:
3624EQNEDT32.EXEC:\Users\admin\AppData\Local\Temp\Cab915D.tmp
MD5:
SHA256:
3624EQNEDT32.EXEC:\Users\admin\AppData\Local\Temp\Tar915E.tmp
MD5:
SHA256:
3032hdhahhdhdhakdakdk.exeC:\Users\admin\AppData\Local\Temp\Cab9C5A.tmp
MD5:
SHA256:
3032hdhahhdhdhakdakdk.exeC:\Users\admin\AppData\Local\Temp\Tar9C5B.tmp
MD5:
SHA256:
2724WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$der.doc.rtfpgc
MD5:
SHA256:
2724WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:
SHA256:
3624EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\ojado[1].htmhtml
MD5:
SHA256:
3624EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\TJ1CINZI.txttext
MD5:
SHA256:
3624EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\ojado[1].exeexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
6
DNS requests
4
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3624
EQNEDT32.EXE
GET
301
104.24.97.5:80
http://collaglu.com/wp-content/plugins/platously/ojado.exe
US
html
442 b
malicious
1052
svchost.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
3032
hdhahhdhdhakdakdk.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
1052
svchost.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEA7yTSbUNi7CXXtef0luXqk%3D
US
der
279 b
whitelisted
3032
hdhahhdhdhakdakdk.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3624
EQNEDT32.EXE
104.24.97.5:443
collaglu.com
Cloudflare Inc
US
shared
3624
EQNEDT32.EXE
104.24.97.5:80
collaglu.com
Cloudflare Inc
US
shared
1052
svchost.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3032
hdhahhdhdhakdakdk.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3032
hdhahhdhdhakdakdk.exe
40.90.22.186:443
login.live.com
Microsoft Corporation
US
malicious
3032
hdhahhdhdhakdakdk.exe
13.107.42.13:443
onedrive.live.com
Microsoft Corporation
US
malicious

DNS requests

Domain
IP
Reputation
collaglu.com
  • 104.24.97.5
  • 104.24.96.5
  • 172.67.223.143
malicious
onedrive.live.com
  • 13.107.42.13
shared
ocsp.digicert.com
  • 93.184.220.29
whitelisted
login.live.com
  • 40.90.22.186
  • 40.90.22.187
  • 40.90.22.183
  • 40.90.22.188
  • 40.90.22.192
  • 40.90.22.185
  • 40.90.22.191
  • 40.90.22.189
whitelisted

Threats

PID
Process
Class
Message
3624
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Order.doc