File name: OA # 2300133094.doc

Full analysis: https://app.any.run/tasks/6127b48f-22d3-4839-a657-5e6e437f2f27
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan (RAT). This malware is highly customizable through plugins, which allow attackers to tailor its functionality to their needs. NanoCore is written for the .NET framework and is sold for just $25 from its "official" website.

Analysis date: February 19, 2019, 08:57:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, exploit, CVE-2017-11882, rat, nanocore
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: D3E22BE77D0C059D9492914CF1AB5137
SHA1: 4A7A4BD8DF8F3BA23C6DCCF3858B52B888EFD39D
SHA256: 1B906236A6841582CC5D9DA95F1F8C4EC2C2FD6DDDAE7C5D5426C5C7C82FA015
SSDEEP: 24576:jakyUbuCyde71rrHWuzrR9ozXR6mawNDQ2k3dfZkm/cw7f:Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Starts CMD.EXE for commands execution
      • WINWORD.EXE (PID: 3104)
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 3104)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 3104)
    • Application was dropped or rewritten from another process
      • mondi.exe (PID: 3676)
      • RegAsm.exe (PID: 3388)
    • Runs app for hidden code execution
      • cmd.exe (PID: 3444)
      • cmd.exe (PID: 2708)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 3320)
    • NanoCore was detected
      • RegAsm.exe (PID: 3388)
    • Changes the autorun value in the registry
      • RegAsm.exe (PID: 3388)
  • SUSPICIOUS
    • Application launched itself
      • cmd.exe (PID: 3444)
      • cmd.exe (PID: 1328)
    • Starts CMD.EXE for commands execution
      • cmd.exe (PID: 2708)
      • cmd.exe (PID: 3912)
      • cmd.exe (PID: 3444)
      • EQNEDT32.EXE (PID: 3320)
      • cmd.exe (PID: 1328)
    • Uses TASKKILL.EXE to kill Office Apps
      • cmd.exe (PID: 1328)
    • Uses REG.EXE to modify Windows registry
      • cmd.exe (PID: 3140)
      • cmd.exe (PID: 3132)
      • cmd.exe (PID: 1328)
      • cmd.exe (PID: 2112)
      • cmd.exe (PID: 3688)
      • cmd.exe (PID: 3824)
      • cmd.exe (PID: 2136)
    • Creates files in the user directory
      • RegAsm.exe (PID: 3388)
    • Executable content was dropped or overwritten
      • RegAsm.exe (PID: 3388)
    • Connects to unusual port
      • RegAsm.exe (PID: 3388)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3104)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3104)
    • Application was crashed
      • EQNEDT32.EXE (PID: 3320)
No Malware configuration.

TRiD: .rtf | Rich Text Format (100)
No data.
Total processes: 66
Monitored processes: 30
Malicious processes: 7
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in display order: winword.exe, cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), timeout.exe (no specs), cmd.exe (no specs), mondi.exe, taskkill.exe (no specs), eqnedt32.exe, cmd.exe (no specs), reg.exe (no specs), cmd.exe (no specs), reg.exe (no specs), reg.exe (no specs), cmd.exe (no specs), reg.exe (no specs), reg.exe (no specs), cmd.exe (no specs), reg.exe (no specs), reg.exe (no specs), cmd.exe (no specs), reg.exe (no specs), reg.exe (no specs), cmd.exe (no specs), reg.exe (no specs), reg.exe (no specs), cmd.exe (no specs), reg.exe (no specs), regasm.exe (#NANOCORE)

Process information

PID: 3104
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\OA # 2300133094.doc.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 1
Version: 14.0.6024.1000

PID: 3444
CMD: "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\dqfm.cMd"
Path: C:\Windows\System32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3912
CMD: CmD
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1328
CMD: C:\Windows\system32\cmd.exe /K C:\Users\admin\AppData\Local\Temp\hondi.cmd
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2708
CMD: "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\dqfm.cMd"
Path: C:\Windows\System32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2772
CMD: TIMEOUT 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3668
CMD: CmD
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3676
CMD: C:\Users\admin\AppData\Local\Temp\mondi.eXe
Path: C:\Users\admin\AppData\Local\Temp\mondi.exe
Parent process: cmd.exe
User: admin
Company: inobservantly
Integrity Level: MEDIUM
Description: hilltops
Exit code: 0
Version: 2.4.7.0

PID: 3904
CMD: TASKKILL /F /IM winword.exe
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3320
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Version: 00110900
Total events: 672
Read events: 648
Write events: 21
Delete events: 3

Modification events

(PID) Process: (3104) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: x2%
Value: 78322500200C0000010000000000000000000000

(PID) Process: (3104) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

(PID) Process: (3104) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

(PID) Process: (3104) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: WORDFiles
Value: 1314062366

(PID) Process: (3104) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1314062480

(PID) Process: (3104) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1314062481

(PID) Process: (3104) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation: write
Name: MTTT
Value: 200C00000A50994131C8D40100000000

(PID) Process: (3104) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: f5%
Value: 66352500200C000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

(PID) Process: (3104) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: delete value
Name: f5%
Value: 66352500200C000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

(PID) Process: (3104) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0
Executable files: 2
Suspicious files: 2
Text files: 4
Unknown types: 3

Dropped files

PID: 3104 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVR8EE8.tmp.cvr
MD5:
SHA256:

PID: 3104 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\gondi.doc
Type: document
MD5: 44DBB6E2FC066E200BBF63228F42156D
SHA256: 7372BBD6B744245E5B9242DCB233A4CAAF8F51F74AD8CB6189306A929AB98840

PID: 3104 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\hondi.cmd
Type: text
MD5: 54CA3A500C443EABBCE1970B5B43A327
SHA256: 70A48CA2C20EFD4D0B1192C2FA84D2AFF25FD4CC094AEFF3491FFAEB18F53D8C

PID: 3104 (WINWORD.EXE)
Filename: C:\Users\admin\Desktop\~$ # 2300133094.doc.rtf
Type: pgc
MD5: 9DFD262740AD630A70783E399456A709
SHA256: FC216DE01D13C99039715A881116D126665F27425C8A1F52C6752EE53BDB5C7A

PID: 3104 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\dqfm.cmd
Type: text
MD5: 308D8E82E7ADC9279E411F982E6498EE
SHA256: 94EB53C44C0B67B261BFF82D58E488DE542846AA1E2573BE375221AC68BBB00C

PID: 3104 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\mondi.exe
Type: executable
MD5: 0036C915B8B9CF05D897F70F39CE3C3A
SHA256: BF20E314326C2EAEA5DEAC759808BBD33811A3EE17619EA277ABEB01A73F4D68

PID: 3104 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A85022E4-5CE6-43E2-A082-59ABE869B77F}.tmp
Type: binary
MD5: 86545E6955C44CA708B6B651F9AF55D8
SHA256: AE34256167D90DDB8173AE9B9648D8A97CD2D27BB9DD1C75A554C40EDD8A5D79

PID: 3104 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: E38C46694F93F7B7521B835043B365A5
SHA256: 80AFEF6DBF00D7FBBFE3A67DB00E4F9E36A0D1161385E0E185863FC6F10CEB00

PID: 3388 (RegAsm.exe)
Filename: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
Type: text
MD5: 0226A1C6072CC178AC7F11A681630B76
SHA256: 6237464717DD720686E5B39B33F35D3B20E88F3478C991DDC86F471BD29B99A6

PID: 3104 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\trbatehtqevyay.ScT
Type: xml
MD5: AA71A44BF5DFE09062E37CA88607A62F
SHA256: E942325B1059A2AA7EE8B739EB138500FBB669233F3332FE7A79C339D626225C
HTTP(S) requests: 0
TCP/UDP connections: 9
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests

Connections

PID: 3388
Process: RegAsm.exe
IP: 185.244.30.97:1989
Domain:
ASN:
CN:
Reputation: malicious

DNS requests: No data

Threats: No threats detected
Debug output

Process: mondi.exe
Message: User32.dll (the same message was logged 10 times)