File name: 560207798.doc
Full analysis: https://app.any.run/tasks/8993e7cb-4bc6-4228-8dd3-6b6db711bb96
Verdict: Malicious activity
Analysis date: January 10, 2019, 20:21:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: 14B3421EE512A4B0DE85EE28D32F7E46
SHA1: 4F5AD08975E89082C6E989261759B54B814DE9F8
SHA256: 084E734542007D91A694899C6FE4F44664940690FB52C552733E00B16E7DF647
SSDEEP: 1536:ZdLKKZZZZZZZmddCNCKEi8M52TrBLQSuKS9ViLN31TEVCd0QhLkPaG7ijhFNpw7A:tbi2k7zhZbi2kC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Suspicious connection from the Equation Editor
      • EQNEDT32.EXE (PID: 3548)
  • SUSPICIOUS
    • Creates files in the user directory
      • EQNEDT32.EXE (PID: 3548)
  • INFO
    • Application crashed
      • EQNEDT32.EXE (PID: 3548)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3016)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3016)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD: .rtf | Rich Text Format (100)

EXIF (RTF):
LastModifiedBy: -
Author: -
All screenshots are available in the full report
Total processes: 34
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Interactive process graph, available in the full report; nodes: start, winword.exe (no specs), eqnedt32.exe

Process information

PID 3016: WINWORD.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\560207798.doc.rtf"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Exit code: 0
  Version: 14.0.6024.1000

PID 3548: EQNEDT32.EXE
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Parent process: svchost.exe
  User: admin
  Company: Design Science, Inc.
  Integrity Level: MEDIUM
  Description: Microsoft Equation Editor
  Exit code: 0
  Version: 00110900
Total events: 1 243
Read events: 835
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 1
Text files: 1
Unknown types: 3

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3016 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE9F6.tmp.cvr | - | - | -
3016 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3FCF3993-C21C-4EB6-BD50-724A9191E57D}.tmp | - | - | -
3016 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0B4C83C6-5501-47DD-B1AB-326D74EA6C66}.tmp | - | - | -
3016 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{700E7C85-B4B8-4ACE-9999-FB3ACDA00022}.tmp | - | - | -
3016 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{8C321475-148D-47A3-AF8A-7128F313D5E3}.tmp | binary | D4143F0F3D8733F63A357ABBB764C9D3 | 964172717C4F187A07EF33683E7A5A94896F77FAB39D627F4DD9138025659129
3016 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 0EA4FED71645C6D74BF3C03D1E94DB97 | 22D101B1125D9A35C0EA6BE189C39B3C3C27DFA9CDC99F54B729EEE5ACF4844A
3548 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | F3F34EF2432F80ACD5EFE80AF9614741 | 4BC621F4A08A581F073D0EF7F29AF971976E01D83942FE550A6361EBC8878549
3016 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$0207798.doc.rtf | pgc | 391F256CACBE38AC53A69C438540795F | 3FEDED9B4A9EC1EAC41BA87589050A5F105EBD60146881B80590F00684881AF4
3548 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | D7A950FEFD60DBAA01DF2D85FEFB3862 | 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report.
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3548 | EQNEDT32.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2M0yIHq | US | html | 122 b | shared
3548 | EQNEDT32.EXE | GET | 500 | 64.37.60.157:80 | http://cgi.cvpsas.com/560207798.jpg | US | html | 7.20 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3548 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared
3548 | EQNEDT32.EXE | 64.37.60.157:80 | cgi.cvpsas.com | HostDime.com, Inc. | US | suspicious

DNS requests

Domain | IP | Reputation
bit.ly | 67.199.248.10, 67.199.248.11 | shared
cgi.cvpsas.com | 64.37.60.157 | malicious

Threats

PID | Process | Class | Message
3548 | EQNEDT32.EXE | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.Downloader httpHeader