analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Inquiry from our Clinet in Germany.doc

Full analysis: https://app.any.run/tasks/a69eb027-3e32-409b-b6cf-2efd22758b4a
Verdict: Malicious activity
Analysis date: March 21, 2019, 07:42:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
exploit
CVE-2017-11882
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

EFA58209123BE49725C0C9427EC52C54

SHA1:

0D70192945C9899C13670901DA08B1726960EF49

SHA256:

2ACC3BDF6821D27A401376845659040D75DD31D0405DA2E1809A22A9B5F65145

SSDEEP:

12288:WsH4xo5xcCeaRsH4xo5xcCeag8+rVPn/u9csLZ70szoIo3PskLbFLUnUnaPPbeN4:WczBczlSPGysLbzLqxLbuAabfOY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ~AFER125419.tmp (PID: 2572)
      • ~AFER125419.tmp (PID: 3000)
      • ~AFER125419.tmp (PID: 2460)
      • ~AFER125419.tmp (PID: 2128)
      • ~AFER125419.tmp (PID: 3392)
      • ~AFER125419.tmp (PID: 2260)

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3940)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2252)
      • cmd.exe (PID: 3744)
      • cmd.exe (PID: 3760)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3940)

    • Writes to a start menu file

      • cmd.exe (PID: 2396)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2856)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • cmd.exe (PID: 3584)
      • ~AFER125419.tmp (PID: 2572)

    • Application launched itself

      • cmd.exe (PID: 2884)
      • ~AFER125419.tmp (PID: 2572)

    • Reads internet explorer settings

      • EQNEDT32.EXE (PID: 3940)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3604)
      • cmd.exe (PID: 2396)

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 3940)
      • cmd.exe (PID: 2884)

    • Starts Internet Explorer

      • rundll32.exe (PID: 1436)

    • Creates files in the user directory

      • cmd.exe (PID: 2396)

    • Uses RUNDLL32.EXE to load library

      • WINWORD.EXE (PID: 2856)

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 2856)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2856)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2856)
      • iexplore.exe (PID: 584)

    • Changes internet zones settings

      • iexplore.exe (PID: 3796)

    • Application launched itself

      • iexplore.exe (PID: 3796)

    • Modifies the open verb of a shell class

      • rundll32.exe (PID: 2364)

    • Reads internet explorer settings

      • iexplore.exe (PID: 584)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3796)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 584)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3796)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3796)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

InternalVersionNumber: 99
CharactersWithSpaces: 20
Characters: 18
Words: 3
Pages: 1
TotalEditTime: 3 minutes
RevisionNumber: 1
ModifyDate: 2019:03:12 13:33:00
CreateDate: 2019:03:12 13:30:00
LastModifiedBy: n3o
Author: n3o
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
69
Monitored processes
27
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs eqnedt32.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs cmd.exe cmd.exe no specs ping.exe no specs cmd.exe no specs cmd.exe no specs ~afer125419.tmp no specs ping.exe no specs cmd.exe ~afer125419.tmp no specs ~afer125419.tmp no specs ~afer125419.tmp no specs ~afer125419.tmp no specs ~afer125419.tmp no specs notepad.exe no specs rundll32.exe no specs rundll32.exe no specs iexplore.exe iexplore.exe rundll32.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2856"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Inquiry from our Clinet in Germany.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3940"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2884cmd /c echo|set /p "=MZ">%temp%\~F9.TMPC:\Windows\system32\cmd.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3508C:\Windows\system32\cmd.exe /S /D /c" echo"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3576C:\Windows\system32\cmd.exe /S /D /c" set /p "=MZ" 1>C:\Users\admin\AppData\Local\Temp\~F9.TMP"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2252"C:\Windows\System32\cmd.exe" /c ping localhost -n 2C:\Windows\System32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2768ping localhost -n 2C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3604cmd /c copy /B %temp%\~F9.tmp+%temp%\~191AEF9.tmp %temp%\~AFER125419.tmpC:\Windows\system32\cmd.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3744"C:\Windows\System32\cmd.exe" /c ping localhost -n 2C:\Windows\System32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2700ping localhost -n 2C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 856
Read events
2 221
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
3
Text files
30
Unknown types
12

Dropped files

PID
Process
Filename
Type
2856WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR7F1.tmp.cvr
MD5:
SHA256:
2856WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~191AEF9.tmpimage
MD5:C3915A7EE891FF77DF50EA141C00325A
SHA256:79E2D23CDFD206767A6CAF0D48EA9BE74001CCBD4991A249F46D93DE8EAF7AB7
2396cmd.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exeexecutable
MD5:FDE0C7C38CB34CAE1AB01774E8F242AF
SHA256:036CDB3B45F71E96B23436B81BDD7CBFB61E90BA8FF175CE02E2990A85D5BCEA
2856WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2861B2CD.emfemf
MD5:39BE498AD2A2E6E0E23F2844100DBA0B
SHA256:1E10939E7E60AEF49FBCA8B0052993A6D94C835938C789FB3C7AF24FF0EF1777
2856WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~191AEF9 (2).tmpimage
MD5:C3915A7EE891FF77DF50EA141C00325A
SHA256:79E2D23CDFD206767A6CAF0D48EA9BE74001CCBD4991A249F46D93DE8EAF7AB7
2856WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$quiry from our Clinet in Germany.docpgc
MD5:ACF661155C20EDF9620CBDCE57739487
SHA256:5AA182A726818AD835AD747AADF27470310EF92819DAE0479666297E18B0C225
3604cmd.exeC:\Users\admin\AppData\Local\Temp\~AFER125419.tmpexecutable
MD5:FDE0C7C38CB34CAE1AB01774E8F242AF
SHA256:036CDB3B45F71E96B23436B81BDD7CBFB61E90BA8FF175CE02E2990A85D5BCEA
2856WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:21F381C60BBB9B8D4889CAB042938F2F
SHA256:C4745E5A5F667A7FE0A75D8DDF0A48037D69BD8339209A0236B5B2451F47F8F3
2856WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7038C26A.wmfwmf
MD5:B1273DF6B064C659BFC861C9B8B0C79B
SHA256:9E74A28A57880D0933492C5D963B1BE6C5F7137C2A4BF4F01A05A66A1745B6C3
3796iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].ico
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
10
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
584
iexplore.exe
GET
301
2.16.186.24:80
http://shell.windows.com/fileassoc/fileassoc.asp?Ext=tmp
unknown
whitelisted
584
iexplore.exe
GET
302
23.51.118.23:80
http://go.microsoft.com/fwlink/?LinkId=57426&Ext=tmp
NL
whitelisted
3796
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
584
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3796
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
584
iexplore.exe
23.51.118.23:80
go.microsoft.com
Akamai Technologies, Inc.
NL
whitelisted
3796
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
584
iexplore.exe
65.55.163.78:443
login.live.com
Microsoft Corporation
US
whitelisted
584
iexplore.exe
2.16.186.24:80
shell.windows.com
Akamai International B.V.
whitelisted
3940
EQNEDT32.EXE
173.198.217.123:443
modernizingforeignassistance.net
Turnkey Internet Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
modernizingforeignassistance.net
  • 173.198.217.123
suspicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
go.microsoft.com
  • 23.51.118.23
whitelisted
shell.windows.com
  • 2.16.186.24
  • 2.16.186.27
whitelisted
login.live.com
  • 65.55.163.78
  • 65.55.163.91
  • 65.55.163.76
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Inquiry from our Clinet in Germany.doc