analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

3de7152b38fa291592f749037908c01ab85705e138073ede18286dd2ac18fc4a

Full analysis: https://app.any.run/tasks/e3115c9a-e92a-4fe3-acc8-7a4bd58cf954
Verdict: Malicious activity
Analysis date: March 22, 2019, 06:05:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
exploit
CVE-2017-11882
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

4B481D1570E58DB9AFFAAFA65B41FF9F

SHA1:

0AB6E5FA13099B720FC64192CC5B887DD17EEC8C

SHA256:

3DE7152B38FA291592F749037908C01AB85705E138073EDE18286DD2AC18FC4A

SSDEEP:

12288:ysH4xo5xcCeaRsH4xo5xcCeagO+rVPn/u9csLZ70szoIo3PskLbFLUnUJbeN21MY:yczBczTSPGysLbzLqxLbu4fOY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ~AFER125419.tmp (PID: 1880)
      • ~AFER125419.tmp (PID: 1096)
      • ~AFER125419.tmp (PID: 3972)
      • ~AFER125419.tmp (PID: 3900)
      • ~AFER125419.tmp (PID: 1828)
      • ~AFER125419.tmp (PID: 2900)
    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3236)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3236)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3084)
      • cmd.exe (PID: 1376)
      • cmd.exe (PID: 2868)
    • Writes to a start menu file

      • cmd.exe (PID: 2548)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • cmd.exe (PID: 2916)
      • ~AFER125419.tmp (PID: 1880)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 2948)
      • cmd.exe (PID: 2548)
    • Creates files in the user directory

      • cmd.exe (PID: 2548)
    • Reads internet explorer settings

      • EQNEDT32.EXE (PID: 3236)
    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 3236)
      • cmd.exe (PID: 1332)
    • Application launched itself

      • ~AFER125419.tmp (PID: 1880)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2448)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

InternalVersionNumber: 99
CharactersWithSpaces: 20
Characters: 18
Words: 3
Pages: 1
TotalEditTime: 3 minutes
RevisionNumber: 1
ModifyDate: 2019:03:12 13:33:00
CreateDate: 2019:03:12 13:30:00
LastModifiedBy: n3o
Author: n3o
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
58
Monitored processes
20
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs eqnedt32.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs cmd.exe cmd.exe no specs ping.exe no specs cmd.exe no specs cmd.exe no specs ~afer125419.tmp no specs ping.exe no specs cmd.exe ~afer125419.tmp no specs ~afer125419.tmp no specs ~afer125419.tmp no specs ~afer125419.tmp no specs ~afer125419.tmp no specs

Process information

PID
CMD
Path
Indicators
Parent process
2448"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\3de7152b38fa291592f749037908c01ab85705e138073ede18286dd2ac18fc4a.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3236"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
1332cmd /c echo|set /p "=MZ">%temp%\~F9.TMPC:\Windows\system32\cmd.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2472C:\Windows\system32\cmd.exe /S /D /c" echo"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2940C:\Windows\system32\cmd.exe /S /D /c" set /p "=MZ" 1>C:\Users\admin\AppData\Local\Temp\~F9.TMP"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1376"C:\Windows\System32\cmd.exe" /c ping localhost -n 2C:\Windows\System32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
360ping localhost -n 2C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2948cmd /c copy /B %temp%\~F9.tmp+%temp%\~191AEF9.tmp %temp%\~AFER125419.tmpC:\Windows\system32\cmd.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3084"C:\Windows\System32\cmd.exe" /c ping localhost -n 2C:\Windows\System32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
660ping localhost -n 2C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 274
Read events
915
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
3
Unknown types
3

Dropped files

PID
Process
Filename
Type
2448WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8C0A.tmp.cvr
MD5:
SHA256:
3236EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\we[1].htahtml
MD5:C0266AC68A5DE7C08FEE0E7BD4B3B4AA
SHA256:E27D1D4DE73D75968CACC3A581E54F71FEF372A8661297C59A8D1A8CEA60A51D
2448WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:9B223D52F27D6AE02C2A47C6E1F60E21
SHA256:FE4622B09BDFB37BEFB68216A1FBBC80456B8C364A161278B1E749D0A6CB8AFF
2948cmd.exeC:\Users\admin\AppData\Local\Temp\~AFER125419.tmpexecutable
MD5:1A87B58569FBBC171F4D70CFF5AFB624
SHA256:85283D275950821F864D288AD0E8823E6AC545A5D34F8C254D80DA87AA0E3C8A
2448WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~191AEF9.tmpimage
MD5:BDADF981E802F20E50EB898F6B22629F
SHA256:1AD21411800F5ED166C23E4778DFDDDC15272C58731EF6B6EEE9A6F5E1E45D70
2448WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B11899F9.emfemf
MD5:39BE498AD2A2E6E0E23F2844100DBA0B
SHA256:1E10939E7E60AEF49FBCA8B0052993A6D94C835938C789FB3C7AF24FF0EF1777
2448WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$e7152b38fa291592f749037908c01ab85705e138073ede18286dd2ac18fc4a.rtfpgc
MD5:B4B498ECAE2B1E28695E0ED25617FEB6
SHA256:D66CB177690A07AE4DC730AD21A115B69BC79AD526D20AAB7EE8CA18BFF57501
2548cmd.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exeexecutable
MD5:1A87B58569FBBC171F4D70CFF5AFB624
SHA256:85283D275950821F864D288AD0E8823E6AC545A5D34F8C254D80DA87AA0E3C8A
2940cmd.exeC:\Users\admin\AppData\Local\Temp\~F9.TMPtext
MD5:AC6AD5D9B99757C3A878F2D275ACE198
SHA256:9B8DB510EF42B8ED54A3712636FDA55A4F8CFCD5493E20B74AB00CD4F3979F2D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3236
EQNEDT32.EXE
173.198.217.123:443
modernizingforeignassistance.net
Turnkey Internet Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
modernizingforeignassistance.net
  • 173.198.217.123
suspicious

Threats

No threats detected
No debug info