File name: Faisal Bari.CV.doc
Full analysis: https://app.any.run/tasks/f65c971e-a407-4585-b155-557e5cb83230
Verdict: Malicious activity
Threats: NanoCore is a Remote Access Trojan (RAT). This malware is highly customizable through plugins, which allow attackers to tailor its functionality to their needs. NanoCore is built on the .NET Framework and is available for purchase for just $25 from its “official” website.

Analysis date: January 10, 2019, 15:33:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, exploit, CVE-2017-11882, rat, nanocore
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: 708B34963703BDB30296A9F277FCDCB8
SHA1: 4A57B46DC0388A26B3E394A5BCA77C48CA9D2F0A
SHA256: 1A49B4370584244FFE612F23ED13433DFE340836C413F9BDEB2B8FAE6A1A51E0
SSDEEP: 24576:jakyUbuCyde71rrHWuz1V4FXL5njTgOjyeyDio6TF8bK+skY3t1OB:z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 3076)
    • Starts CMD.EXE for commands execution
      • WINWORD.EXE (PID: 3076)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 3076)
    • Runs app for hidden code execution
      • cmd.exe (PID: 2292)
      • cmd.exe (PID: 3804)
    • Application was dropped or rewritten from another process
      • mondi.exe (PID: 2828)
      • mondi.exe (PID: 2452)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 2964)
    • Uses Task Scheduler to run other applications
      • mondi.exe (PID: 2828)
    • NanoCore was detected
      • mondi.exe (PID: 2452)
    • Changes the autorun value in the registry
      • mondi.exe (PID: 2452)
    • Loads the Task Scheduler COM API
      • schtasks.exe (PID: 3500)
  • SUSPICIOUS
    • Starts CMD.EXE for commands execution
      • cmd.exe (PID: 2292)
      • cmd.exe (PID: 2968)
      • cmd.exe (PID: 3804)
      • EQNEDT32.EXE (PID: 2964)
      • cmd.exe (PID: 3244)
    • Application launched itself
      • cmd.exe (PID: 2292)
      • cmd.exe (PID: 3244)
      • mondi.exe (PID: 2828)
    • Uses TASKKILL.EXE to kill Office Apps
      • cmd.exe (PID: 3244)
    • Uses REG.EXE to modify Windows registry
      • cmd.exe (PID: 3244)
      • cmd.exe (PID: 3004)
      • cmd.exe (PID: 2340)
      • cmd.exe (PID: 3048)
      • cmd.exe (PID: 3108)
      • cmd.exe (PID: 3992)
      • cmd.exe (PID: 4048)
    • Executable content was dropped or overwritten
      • mondi.exe (PID: 2452)
    • Cleans NTFS data-stream (Zone Identifier)
      • mondi.exe (PID: 2452)
    • Creates files in the user directory
      • mondi.exe (PID: 2452)
    • Connects to unusual port
      • mondi.exe (PID: 2452)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3076)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3076)
    • Application was crashed
      • EQNEDT32.EXE (PID: 2964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .rtf | Rich Text Format (100)
No data.
All screenshots are available in the full report
Total processes: 67
Monitored processes: 31
Malicious processes: 7
Suspicious processes: 1

Behavior graph (process nodes, in order of appearance): start, winword.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, timeout.exe, cmd.exe, mondi.exe, taskkill.exe, eqnedt32.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, schtasks.exe, mondi.exe (#NANOCORE)

Process information

PID: 3076
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Faisal Bari.CV.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 1
Version: 14.0.6024.1000

PID: 2292
CMD: "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\dqfm.cMd"
Path: C:\Windows\System32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2968
CMD: CmD
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3244
CMD: C:\Windows\system32\cmd.exe /K C:\Users\admin\AppData\Local\Temp\hondi.cmd
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3804
CMD: "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\dqfm.cMd"
Path: C:\Windows\System32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3904
CMD: TIMEOUT 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2752
CMD: CmD
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2828
CMD: C:\Users\admin\AppData\Local\Temp\mondi.eXe
Path: C:\Users\admin\AppData\Local\Temp\mondi.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0

PID: 3056
CMD: TASKKILL /F /IM winword.exe
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2964
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Version: 00110900
Total events: 716
Read events: 688
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 2
Text files: 4
Unknown types: 4

Dropped files

PID: 3076 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVREF75.tmp.cvr
Type:
MD5:
SHA256:

PID: 3076 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: D512D016B6D8FC09C9D73080393CD633
SHA256: E12CC561D707114629B3DAA016753E27BBF4954359B14694E71C0926457DABF5

PID: 3076 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$isal Bari.CV.doc
Type: pgc
MD5: 9AD8AB0C675CBD701D96422A8F63D4C0
SHA256: 16C3C04DEBAA3386A51A0F01E6E1E10844E3F023CBC958452679970D8A570564

PID: 3076 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\hondi.cmd
Type: text
MD5: 54CA3A500C443EABBCE1970B5B43A327
SHA256: 70A48CA2C20EFD4D0B1192C2FA84D2AFF25FD4CC094AEFF3491FFAEB18F53D8C

PID: 3076 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{700E7F2D-CAB8-4B82-B186-FB3A95F52922}.tmp
Type: binary
MD5: 86545E6955C44CA708B6B651F9AF55D8
SHA256: AE34256167D90DDB8173AE9B9648D8A97CD2D27BB9DD1C75A554C40EDD8A5D79

PID: 3076 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\dqfm.cmd
Type: text
MD5: 308D8E82E7ADC9279E411F982E6498EE
SHA256: 94EB53C44C0B67B261BFF82D58E488DE542846AA1E2573BE375221AC68BBB00C

PID: 2828 | Process: mondi.exe
Filename: C:\Users\admin\AppData\Local\Temp\tmpAAA7.tmp
Type: xml
MD5: B7922BA310BE5621022C3EC64134A566
SHA256: C52367D486BCE3B4BD3D37F420658501E35D8400E0E0F88BE6FFCE3E3E92DBF8

PID: 3076 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\gondi.doc
Type: document
MD5: 4198FB827362BBB68A72498100B5D7BD
SHA256: 5829999A4328A0CEF0D34E237C8645194A1F74D81C7F01B494651B113D580E0E

PID: 3076 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\mondi.exe
Type: executable
MD5: 337BF899F972F5C172F4725EAA9A2BEB
SHA256: 989F5D46B6452F784D779AAFB4951C6562D780A243CCE952929F1F1840EC5487

PID: 2452 | Process: mondi.exe
Filename: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
Type: fli
MD5: 0038F6CE3BCE3206D8CE9F75D1608AA7
SHA256: F2D7EEC149C055BA36A71F6EDF109A260030DDB287CD771D27C9385F7FD59F0C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 10
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests

Connections

PID: 2452
Process: mondi.exe
IP: 185.244.30.95:9003
Domain:
ASN:
CN:
Reputation: unknown

DNS requests: No data

Threats: No threats detected

No debug info