File name: 2dbd75da78f0c7ef746d8312a7d04895f1b1a20410a655beea5b2b00cbff608b.rtf

Full analysis: https://app.any.run/tasks/22be02ff-2411-4224-854c-50a1545da515
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 19, 2019, 01:34:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
maldoc-13
trojan
loader
rat
rms
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: 4EBEF478C29BDA36EA53EED42C9C3E6A
SHA1: 3CEF11EDF366EF2E91337229517E85AB39280BAE
SHA256: 2DBD75DA78F0C7EF746D8312A7D04895F1B1A20410A655BEEA5B2B00CBFF608B
SSDEEP: 1536:mPydmZSTn1jtHv9YNpZ0Iie1ehegeOfDPfDmLaK333gMSYkRD3Y7mYYAPFRIxPIf:mPyd7mTmxgLSQWno

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 3544)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 3544)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3544)
    • Application was dropped or rewritten from another process

      • bin.exe (PID: 2636)
      • 1.exe (PID: 3636)
      • 1.exe (PID: 3216)
      • bin.exe (PID: 3768)
      • package-service.exe (PID: 3200)
      • package-service.exe (PID: 2344)
      • bin.exe (PID: 2304)
      • bin.exe (PID: 2716)
      • winserv.exe (PID: 3276)
      • winserv.exe (PID: 4032)
    • Downloads executable files from IP

      • WINWORD.EXE (PID: 3544)
    • Loads dropped or rewritten executable

      • cmd.exe (PID: 2940)
      • cmd.exe (PID: 3044)
    • Changes the autorun value in the registry

      • reg.exe (PID: 4044)
      • reg.exe (PID: 2624)
    • RMS was detected

      • winserv.exe (PID: 4032)
  • SUSPICIOUS

    • Creates files in the program directory

      • WINWORD.EXE (PID: 3544)
      • package-service.exe (PID: 3200)
      • package-service.exe (PID: 2344)
    • Executable content was dropped or overwritten

      • 1.exe (PID: 3636)
      • cmd.exe (PID: 2940)
      • package-service.exe (PID: 3200)
    • Starts CMD.EXE for commands execution

      • bin.exe (PID: 2636)
      • bin.exe (PID: 3768)
      • bin.exe (PID: 2304)
      • bin.exe (PID: 2716)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2844)
      • cmd.exe (PID: 2828)
    • Reads Windows Product ID

      • winserv.exe (PID: 4032)
      • winserv.exe (PID: 3276)
    • Reads Environment values

      • winserv.exe (PID: 4032)
      • winserv.exe (PID: 3276)
    • Reads the machine GUID from the registry

      • winserv.exe (PID: 4032)
      • winserv.exe (PID: 3276)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2844)
      • cmd.exe (PID: 2828)
    • Creates files in the user directory

      • winserv.exe (PID: 4032)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3544)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
All screenshots are available in the full report
Total processes: 241
Monitored processes: 200
Malicious processes: 12
Suspicious processes: 2

Behavior graph

(Interactive graph; the full view is available in the full report. Processes shown in the graph: winword.exe, 1.exe, bin.exe, cmd.exe, ping.exe, package-service.exe, reg.exe, winserv.exe (tagged #RMS), and a large number of taskkill.exe instances. Edges are labelled "drop and start" or "start"; processes marked "no specs" have no additional details in the graph.)

Process information

PID 3544
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2dbd75da78f0c7ef746d8312a7d04895f1b1a20410a655beea5b2b00cbff608b.rtf"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 3636
  CMD: "C:\Users\admin\AppData\Roaming\1.exe"
  Path: C:\Users\admin\AppData\Roaming\1.exe
  Parent process: WINWORD.EXE
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2636
  CMD: "C:\Users\admin\AppData\Local\Temp\bin.exe" /f=CREATE_NO_WINDOW install.cmd
  Path: C:\Users\admin\AppData\Local\Temp\bin.exe
  Parent process: 1.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2940
  CMD: cmd /c "install.cmd"
  Path: C:\Windows\system32\cmd.exe
  Parent process: bin.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3216
  CMD: "C:\Users\admin\AppData\Roaming\1.exe"
  Path: C:\Users\admin\AppData\Roaming\1.exe
  Parent process: WINWORD.EXE
  User: admin
  Integrity Level: MEDIUM
  Exit code: 10

PID 2396
  CMD: ping www.cloudflare.com -n 3 -w 3000
  Path: C:\Windows\system32\PING.EXE
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: TCP/IP Ping Command
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3768
  CMD: "C:\Users\admin\AppData\Local\Temp\bin.exe" /f=CREATE_NO_WINDOW install.cmd
  Path: C:\Users\admin\AppData\Local\Temp\bin.exe
  Parent process: 1.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3044
  CMD: cmd /c "install.cmd"
  Path: C:\Windows\system32\cmd.exe
  Parent process: bin.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3924
  CMD: ping www.cloudflare.com -n 3 -w 3000
  Path: C:\Windows\system32\PING.EXE
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: TCP/IP Ping Command
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2780
  CMD: ping www.cloudflare.com -n 3 -w 1000
  Path: C:\Windows\system32\PING.EXE
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: TCP/IP Ping Command
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 992
Read events: 2 624
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 7
Suspicious files: 1
Text files: 5
Unknown types: 3

Dropped files

PID | Process | Filename | Type
3544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9B4A.tmp.cvr | -
  MD5: -
  SHA256: -
3544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\99D1F723.png | -
  MD5: -
  SHA256: -
3544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Abctfhghghghghg.scT | html
  MD5: 910E88314D4E6EDA03E5C941E50EE805
  SHA256: 0688B472A493758EB48E6BB47D0ABBE05229642CB17CEEA06D7F751A426CDEAC
3636 | 1.exe | C:\Users\admin\AppData\Local\Temp\install.cmd | text
  MD5: 844AE38CB4471AE1D68287A4DF8A9DAF
  SHA256: 28139C02DF3433B5AF287673F492D51779147E38F8C88A86E88B6BB1452F2EE3
3544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\1[1].exe | executable
  MD5: BA071D7BCA387135F0ABA163A15B2F71
  SHA256: 58E4C84FABBC2DA147340908EE012EC7BFCF7F609F596AB03A9B6D361893E8B3
3636 | 1.exe | C:\Users\admin\AppData\Local\Temp\libev.dll | executable
  MD5: 1553998C1AF80CCE33ECE3F490CD79BC
  SHA256: 1F6DCCF692EF32DCF4C69327A39E0FCF02E860EFBA72EB3A4760C5B7291409F5
3544 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
  MD5: E7BA2ED85B8B5FB2EDC15D7AA6383B85
  SHA256: 3D4B516E0CA068E8D37DE3F7A293FBD6443803140B395ED49537B825E9227A9B
4032 | winserv.exe | C:\Users\admin\AppData\Roaming\RMS_settings\Logs\rms_log_2019-09.html | html
  MD5: 786CE07F5240665D98996F5D4D92C03A
  SHA256: 8A63E45CF6A7B41068699C672EF0CB1AE7B70A863970B302BCB4573E666761E2
3200 | package-service.exe | C:\ProgramData\Java Runtime Service\settings.dat | binary
  MD5: EBCE01DCFF8D73D2847951B32670E775
  SHA256: DA3231F3F6F24F2EBD0240C7A16C9B9BB076D34707E3D34CCB3FCB46385741C4
3544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$bd75da78f0c7ef746d8312a7d04895f1b1a20410a655beea5b2b00cbff608b.rtf | pgc
  MD5: F6EC53AF02C1968302215EDEB6F8015C
  SHA256: C85C001EE2857288B970FB591A01136F71A3E1733E82B912FCB363DC50C73D1A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3544 | WINWORD.EXE | GET | 200 | 185.180.198.196:80 | http://185.180.198.196/1.exe | US | executable | 3.95 Mb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4032 | winserv.exe | 91.245.224.82:5655 | - | - | - | suspicious
3544 | WINWORD.EXE | 185.180.198.196:80 | - | Hosting Solution Ltd. | US | malicious

DNS requests

Domain | IP | Reputation
www.cloudflare.com | 104.17.209.9, 104.17.210.9 | whitelisted

Threats

PID | Process | Class | Message
3544 | WINWORD.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host
3544 | WINWORD.EXE | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families)
3544 | WINWORD.EXE | A Network Trojan was detected | ET TROJAN Possible Malicious Macro DL EXE Feb 2016
3544 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3544 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3544 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3544 | WINWORD.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response
1 ETPRO signatures available at the full report

Process | Message
winserv.exe | Error WTSQueryUserToken #1314
winserv.exe | 19-09-2019_02:34:42:001#T:Error #20 @2