analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

RFQ.doc

Full analysis: https://app.any.run/tasks/742635bf-70cd-4198-931e-cc47faac0c48
Verdict: Malicious activity
Analysis date: July 18, 2019, 00:35:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CR line terminators
MD5:

556B73EC1649749F9E653D6897BB83CC

SHA1:

EFC45C00871BB59DE77B99DBA6BE3BC928FC8A06

SHA256:

3CDF22675EA6A500634B3A6181A8A93E5048C881FE8F49B45EA056F0F5CB3E99

SSDEEP:

96:w6BOgvq4BRmPLomAx/WV453+M2XOrxZeSFNqinKU3m:J7qSiUmAx/WVYODXO/QmW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • Setup.exe (PID: 3428)
      • WINWORD.EXE (PID: 2872)
      • EQNEDT32.EXE (PID: 2564)
      • EQNEDT32.EXE (PID: 3304)
      • WerFault.exe (PID: 3068)
      • WerFault.exe (PID: 2492)
      • EQNEDT32.EXE (PID: 2912)
      • svchost.exe (PID: 832)
      • explorer.exe (PID: 304)
    • Application was dropped or rewritten from another process

      • EQNEDT32.EXE (PID: 2564)
      • EQNEDT32.EXE (PID: 3304)
      • msohtmed.exe (PID: 3172)
      • EQNEDT32.EXE (PID: 2912)
  • SUSPICIOUS

    • Searches for installed software

      • Setup.exe (PID: 3428)
    • Executed via COM

      • Setup.exe (PID: 3428)
      • EQNEDT32.EXE (PID: 2564)
      • EQNEDT32.EXE (PID: 3304)
      • EQNEDT32.EXE (PID: 2912)
    • Executable content was dropped or overwritten

      • Setup.exe (PID: 3428)
      • MsiExec.exe (PID: 3156)
      • msiexec.exe (PID: 2552)
      • MsiExec.exe (PID: 3168)
      • MsiExec.exe (PID: 3984)
      • MsiExec.exe (PID: 2396)
      • MsiExec.exe (PID: 2972)
      • MsiExec.exe (PID: 3116)
      • MsiExec.exe (PID: 2796)
      • MsiExec.exe (PID: 3744)
      • MsiExec.exe (PID: 2452)
      • MsiExec.exe (PID: 2420)
    • Creates files in the Windows directory

      • msiexec.exe (PID: 2552)
    • Disables SEHOP

      • msiexec.exe (PID: 2552)
    • Starts Microsoft Office Application

      • msiexec.exe (PID: 2552)
    • Creates COM task schedule object

      • msohtmed.exe (PID: 3172)
      • msiexec.exe (PID: 2552)
    • Removes files from Windows directory

      • msiexec.exe (PID: 2552)
    • Modifies the open verb of a shell class

      • msiexec.exe (PID: 2552)
  • INFO

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3156)
      • msiexec.exe (PID: 2552)
      • MsiExec.exe (PID: 3828)
      • MsiExec.exe (PID: 2292)
      • MsiExec.exe (PID: 2304)
      • MsiExec.exe (PID: 3984)
      • MsiExec.exe (PID: 3168)
      • MsiExec.exe (PID: 2396)
      • MsiExec.exe (PID: 3204)
      • MsiExec.exe (PID: 3748)
      • MsiExec.exe (PID: 2308)
      • MsiExec.exe (PID: 3084)
      • MsiExec.exe (PID: 4024)
      • MsiExec.exe (PID: 2312)
      • MsiExec.exe (PID: 2796)
      • MsiExec.exe (PID: 1908)
      • MsiExec.exe (PID: 3344)
      • MsiExec.exe (PID: 3532)
      • MsiExec.exe (PID: 2416)
      • MsiExec.exe (PID: 2452)
      • MsiExec.exe (PID: 3116)
      • MsiExec.exe (PID: 2972)
      • MsiExec.exe (PID: 2608)
      • MsiExec.exe (PID: 3744)
      • MsiExec.exe (PID: 1412)
      • MsiExec.exe (PID: 2420)
      • MSI4A6A.tmp (PID: 452)
      • MsiExec.exe (PID: 3616)
    • Starts Microsoft Office Application

      • explorer.exe (PID: 304)
    • Application was crashed

      • EQNEDT32.EXE (PID: 2564)
      • EQNEDT32.EXE (PID: 3304)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2872)
    • Reads Microsoft Office registry keys

      • Setup.exe (PID: 3428)
      • WINWORD.EXE (PID: 2872)
      • MsiExec.exe (PID: 3744)
      • msohtmed.exe (PID: 3172)
    • Application launched itself

      • msiexec.exe (PID: 2552)
    • Creates files in the program directory

      • MsiExec.exe (PID: 3828)
      • MsiExec.exe (PID: 2304)
      • MsiExec.exe (PID: 2308)
      • MsiExec.exe (PID: 3204)
      • msiexec.exe (PID: 2552)
      • MsiExec.exe (PID: 1908)
      • MsiExec.exe (PID: 3344)
      • MsiExec.exe (PID: 2608)
      • MsiExec.exe (PID: 3532)
      • MsiExec.exe (PID: 1412)
      • MsiExec.exe (PID: 3616)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 2552)
    • Dropped object may contain Bitcoin addresses

      • msiexec.exe (PID: 2552)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 2552)
    • Application was dropped or rewritten from another process

      • MSI4A6A.tmp (PID: 452)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 2552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
74
Monitored processes
40
Malicious processes
6
Suspicious processes
3

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs eqnedt32.exe eqnedt32.exe setup.exe msiexec.exe msiexec.exe msiexec.exe no specs werfault.exe no specs werfault.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe msiexec.exe no specs msohtmed.exe no specs msi4a6a.tmp no specs addinutil.exe addinutil.exe no specs msiexec.exe msiexec.exe no specs eqnedt32.exe no specs svchost.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2872"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\RFQ.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3304"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2564"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3428"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Setup Bootstrapper
Exit code:
0
Version:
14.0.6010.1000
2552C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3156C:\Windows\system32\MsiExec.exe -Embedding CF5C8E86F1B1DB85A889294D8163C418C:\Windows\system32\MsiExec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3828C:\Windows\system32\MsiExec.exe -Embedding A457A55EDB2751DC910331D9962B5E54 M Global\MSI0000C:\Windows\system32\MsiExec.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2492C:\Windows\system32\WerFault.exe -u -p 3304 -s 336C:\Windows\system32\WerFault.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3068C:\Windows\system32\WerFault.exe -u -p 2564 -s 332C:\Windows\system32\WerFault.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2292C:\Windows\system32\MsiExec.exe -Embedding 0E5ED0CD8CD4C047C9B6F3467A20C103C:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Total events
23 370
Read events
12 207
Write events
0
Delete events
0

Modification events

No data
Executable files
380
Suspicious files
43
Text files
65
Unknown types
135

Dropped files

PID
Process
Filename
Type
2872WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE997.tmp.cvr
MD5:
SHA256:
2492WerFault.exeC:\Users\admin\AppData\Local\Temp\WERF9D4.tmp.WERInternalMetadata.xml
MD5:
SHA256:
2492WerFault.exeC:\Users\admin\AppData\Local\Temp\WERF9E4.tmp.hdmp
MD5:
SHA256:
2492WerFault.exeC:\Users\admin\AppData\Local\Temp\WERFAA1.tmp.mdmp
MD5:
SHA256:
2492WerFault.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_4190715f755948c31b6cd834465f11f658dcc09d_cab_09acfb4a\WERF9E4.tmp.hdmp
MD5:
SHA256:
3068WerFault.exeC:\Users\admin\AppData\Local\Temp\WER13E5.tmp.hdmp
MD5:
SHA256:
3068WerFault.exeC:\Users\admin\AppData\Local\Temp\WER14A1.tmp.mdmp
MD5:
SHA256:
3068WerFault.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_ad59c36926360e5a33660585748b16d7c2e3ff4_cab_0bed155a\WER13E5.tmp.hdmp
MD5:
SHA256:
2872WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$RFQ.docpgc
MD5:6D829DED53FE7F570C605835C252EB64
SHA256:C9CA8A59092A89E925CD7A3B00DAC200B6F7AF71AB99195369618315A897F41A
2492WerFault.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_4190715f755948c31b6cd834465f11f658dcc09d_cab_09acfb4a\WERFAA1.tmp.mdmpdmp
MD5:BA1BFB255955815FC840CEAA14B2F0A8
SHA256:EA48F705EA8E4F5BD31D70071FB0BB0F6962103AB147F2A8C4A67521F2137D5F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
msiexec.exe
Failed to release Service
addinutil.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
addinutil.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
addinutil.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
addinutil.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
addinutil.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302