File name: SecuriteInfo.com.Exploit.CVE-2018-0798.4.4081.11101

Full analysis: https://app.any.run/tasks/7b5a28a0-183a-4585-be51-bed5d361d6f4
Verdict: Malicious activity
Analysis date: October 24, 2023, 12:13:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: text/rtf
File info: Rich Text Format data, version 1
MD5: B22DB970AEFF8F7B4490D206B850C205
SHA1: 8D758DB65BFE2962A2211C6D9AC90D48EFC5A881
SHA256: 1E6B6F2B94BA22F1FD86FC927E87F1568DEB3762590AF9D091CD9C02B8390456
SSDEEP: 48:8BBfCK7WHjbNT7xVxdnGBaaDv8NB4VKNsZFHFir0pKjQN/S5nMTnyxOyF711wKDy:8T65TNV3GwbNBIKNs7lm0qM6elFcO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Suspicious connection from the Equation Editor
      • EQNEDT32.EXE (PID: 1044)
  • SUSPICIOUS
    • Reads the Internet Settings
      • EQNEDT32.EXE (PID: 1044)
  • INFO
    • Reads the machine GUID from the registry
      • wmpnscfg.exe (PID: 3184)
      • EQNEDT32.EXE (PID: 1044)
    • Checks supported languages
      • EQNEDT32.EXE (PID: 1044)
      • wmpnscfg.exe (PID: 3184)
    • Reads the computer name
      • wmpnscfg.exe (PID: 3184)
      • EQNEDT32.EXE (PID: 1044)
    • Checks proxy server information
      • EQNEDT32.EXE (PID: 1044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes: start, winword.exe (no specs), eqnedt32.exe, wmpnscfg.exe (no specs)

Process information

PID: 1044
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900
Modules (images):
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 3184
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
PID: 3248
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.CVE-2018-0798.4.4081.11101.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
Total events: 3 244
Read events: 2 760
Write events: 339
Delete events: 145

Modification events

PID 3184 (wmpnscfg.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{DEDB799A-3263-4800-8594-297D720ECEF3}\{C01382C4-80FB-4296-A8C1-C214DA5DE7AC}
Operation: delete key
Name: (default)
Value:

PID 3184 (wmpnscfg.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{DEDB799A-3263-4800-8594-297D720ECEF3}
Operation: delete key
Name: (default)
Value:

PID 3184 (wmpnscfg.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{AF2396DE-971E-41CB-9579-5E7196A31577}
Operation: delete key
Name: (default)
Value:

PID 3248 (WINWORD.EXE)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

PID 3248 (WINWORD.EXE)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1041
Value: On

PID 3248 (WINWORD.EXE)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1046
Value: On

PID 3248 (WINWORD.EXE)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1036
Value: On

PID 3248 (WINWORD.EXE)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1031
Value: On

PID 3248 (WINWORD.EXE)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1040
Value: On

PID 3248 (WINWORD.EXE)
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1049
Value: On
Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID: 3248
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRBC78.tmp.cvr
Type:
MD5:
SHA256:

PID: 3248
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$curiteInfo.com.Exploit.CVE-2018-0798.4.4081.11101.rtf
Type: binary
MD5: 0DA3ADE85F0D5CDC13CE1D23D2204491
SHA256: 2232E23D63CDC0D7FD13045FC165B3D756C0604C190B4EAAEC1D6768D754B715

PID: 3248
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: binary
MD5: 53AFE4C1C0A6B77C02EB69C66ADDB276
SHA256: FAF910F20F002D6F0DFEBD397C55D0151E246D60CC8CDAE89836CD63240CC63D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 4
DNS requests: 1
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1044 | EQNEDT32.EXE | GET | | 41.185.64.155:80 | http://mail.treeoflifeadventures.com/wp-content/plugins/70d5e28f51c1438d94e3e6dc84b95311/xt/mmd/shell/sukonted2.1.exe | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2656 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1044 | EQNEDT32.EXE | 41.185.64.155:80 | mail.treeoflifeadventures.com | ZA-1-Grid | ZA | malicious
4 | System | 192.168.100.255:138 | | | | whitelisted

DNS requests

Domain | IP | Reputation
mail.treeoflifeadventures.com | 41.185.64.155 | unknown

Threats

PID | Process | Class | Message
1044 | EQNEDT32.EXE | A Network Trojan was detected | ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
No debug info