File name:

SecuriteInfo.com.Exploit.CVE201711882.123.7774.12516.rtf

Full analysis: https://app.any.run/tasks/e4e5fff7-c828-49e2-84f7-e6d4bf7b31b5
Verdict: Malicious activity
Analysis date: August 22, 2024, 08:24:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
cve-2017-11882
opendir
MIME: text/rtf
File info: Rich Text Format data, version 1
MD5:

317ADB82DF51A092951746B6AF150470

SHA1:

EF5075B0EC0667DB270FD1623A310170AEF94C4A

SHA256:

0610CA079CBD41D02B55144F5DF7D136CB3A69344CB14A979D39F774B6D542E4

SSDEEP:

768:iWk3U132e7JYi8A7sGXYqZNuQmYXpCjidAnVQX3LLfX6:s3UZ5l8A7sGXY0uQGiWn67z6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (likely CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3620)

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3620)

  • SUSPICIOUS

    • Reads the Internet Settings

      • EQNEDT32.EXE (PID: 3620)

    • Reads security settings of Internet Explorer

      • EQNEDT32.EXE (PID: 3620)

  • INFO

    • Reads the machine GUID from the registry

      • EQNEDT32.EXE (PID: 3620)

    • Checks supported languages

      • EQNEDT32.EXE (PID: 3620)
      • wmpnscfg.exe (PID: 648)

    • Reads the computer name

      • EQNEDT32.EXE (PID: 3620)
      • wmpnscfg.exe (PID: 648)

    • Checks proxy server information

      • EQNEDT32.EXE (PID: 3620)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs eqnedt32.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
648"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2484"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n C:\Users\admin\Desktop\SecuriteInfo.com.Exploit.CVE201711882.123.7774.12516.rtfC:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
3620"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
6 442
Read events
5 542
Write events
581
Delete events
319

Modification events

(PID) Process:(2484) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:5=*
Value:
353D2A00B4090000010000000000000000000000
(PID) Process:(2484) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2484) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2484) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2484) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2484) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2484) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2484) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2484) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2484) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
0
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2484WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR2515.tmp.cvr
MD5:
SHA256:
2484WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmbinary
MD5:956850F4CBAF6FD30AA5A3E2DF54FAFB
SHA256:6BAAAF8EB8059756927A829C1F682300F24593E7B89FE91E1189A9249142A378
2484WINWORD.EXEC:\Users\admin\Desktop\~$curiteInfo.com.Exploit.CVE201711882.123.7774.12516.rtfbinary
MD5:93DA0596C495D6313085A4267F6EAC7A
SHA256:93C411F3D451A95AC7107FAB9C92412462ACAB3490C3EBF5629B542178B8CF00
2484WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.CVE201711882.123.7774.12516.rtf.LNKbinary
MD5:E004002CD2A8E12532C7C982DBA71599
SHA256:FF4D378C94EADBB73B94E83AC6D45DE7151B12519559EA5D26F50C579C0A5367
2484WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:E411046BA756EEEABC298E594FC6A179
SHA256:33BAD8E279AD7DBC5D70FF835B41971279DF815010324575936E5F746217D134
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
13
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3620
EQNEDT32.EXE
GET
404
198.46.174.158:80
http://198.46.174.158/xampp/MNT/yummybutterbunverysweet.tIF
unknown
unknown
1372
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
1060
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd
unknown
whitelisted
1372
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1372
svchost.exe
GET
200
95.101.54.122:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
239.255.255.250:3702
whitelisted
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
3620
EQNEDT32.EXE
198.46.174.158:80
AS-COLOCROSSING
US
unknown
1372
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1372
svchost.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown
1372
svchost.exe
95.101.54.122:80
crl.microsoft.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
crl.microsoft.com
  • 95.101.54.122
  • 95.101.54.128
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SecuriteInfo.com.Exploit.CVE201711882.123.7774.12516.rtf