| File name: | factura.doc |
| Full analysis: | https://app.any.run/tasks/7e38e91d-5c7c-4fc2-bb45-f81fa9fae1ca |
| Verdict: | Malicious activity |
| Analysis date: | July 14, 2024, 19:39:58 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| MIME: | text/rtf |
| File info: | Rich Text Format data, version 7 |
| MD5: | 05C137D8E79CE59ED6E4B7CD78E5B8A2 |
| SHA1: | 3A41DE3774B6A17A34A8BEDF1A0881A3F08D492D |
| SHA256: | 5A31C77293AF2920D7020D5D0236691ADCEA2C57C2716658CE118A5CBA9D4913 |
| SSDEEP: | 192:TMv9/nrxOgNIVk04Pre4VqPuc+17rf14g/gjXKSDxX8VxrdPJH:Yv9/rsok+Prz1dZKXDsjtJH |
MALICIOUS
Equation Editor starts application (likely CVE-2017-11882)
- EQNEDT32.EXE (PID: 3264)
Suspicious connection from the Equation Editor
- EQNEDT32.EXE (PID: 3264)
SUSPICIOUS
Reads security settings of Internet Explorer
- EQNEDT32.EXE (PID: 3264)
Reads the Internet Settings
- EQNEDT32.EXE (PID: 3264)
INFO
Reads the machine GUID from the registry
- EQNEDT32.EXE (PID: 3264)
Checks supported languages
- EQNEDT32.EXE (PID: 3264)
Checks proxy server information
- EQNEDT32.EXE (PID: 3264)
Manual execution by a user
- WINWORD.EXE (PID: 3884)
- WINWORD.EXE (PID: 324)
- WINWORD.EXE (PID: 1828)
Reads the computer name
- EQNEDT32.EXE (PID: 3264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rtf | | | Rich Text Format (100) |
|---|
Total processes
49
Monitored processes
5
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 324 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\spanishjobs.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 1828 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\screenapproach.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3264 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | ||||||||||||
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 3221225547 Version: 00110900 Modules
| |||||||||||||||
| 3380 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n C:\Users\admin\AppData\Local\Temp\factura.doc.rtf | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3884 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\addmiddle.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
Total events
24 274
Read events
21 996
Write events
1 074
Delete events
1 204
Modification events
| (PID) Process: | (3380) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | 0<2 |
Value: 303C3200340D0000010000000000000000000000 | |||
| (PID) Process: | (3380) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (3380) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1041 |
Value: Off | |||
| (PID) Process: | (3380) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1046 |
Value: Off | |||
| (PID) Process: | (3380) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1036 |
Value: Off | |||
| (PID) Process: | (3380) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1031 |
Value: Off | |||
| (PID) Process: | (3380) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1040 |
Value: Off | |||
| (PID) Process: | (3380) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1049 |
Value: Off | |||
| (PID) Process: | (3380) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 3082 |
Value: Off | |||
| (PID) Process: | (3380) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1042 |
Value: Off | |||
Executable files
1
Suspicious files
23
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3380 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE480.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR179C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 1828 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3863.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 324 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5A72.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3380 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7D1D0797-A238-489F-AC64-95DECA203820}.tmp | binary | |
MD5:5D4D94EE7E06BBB0AF9584119797B23A | SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 | |||
| 3380 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6E327AB3-3366-4C3A-B762-B92424542695}.tmp | binary | |
MD5:87B084D5B447E610FBB9A8141FF2CB94 | SHA256:973C438C0F95D2FF636AB5542F623C915C9AF0207793E0277B3F3B8AD01D75BC | |||
| 324 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary | |
MD5:01246E8DF959867FB30DB5590352B7B8 | SHA256:BBB39210701C9D7AF0980AC5737993C5FDA6A1C86E7D7A28624FF44B7CE47438 | |||
| 3884 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\addmiddle.rtf.LNK | binary | |
MD5:B060FEE53E594302A2F9C1314CBC8156 | SHA256:EDE2BECFA7663F6B890C29495794C3D18960E884780A8E1EB121433D961AB81B | |||
| 3380 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ctura.doc.rtf | binary | |
MD5:C68BB44F9D51B8329C845E29B5C5A7F4 | SHA256:EC23FB818AFE1B2DA8DE1D15331C47097FD4B71030F8FF2AC562FF5645D63B3D | |||
| 3884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BA14147A-A981-4803-BC8E-9BEF479E7942}.tmp | smt | |
MD5:5D4D94EE7E06BBB0AF9584119797B23A | SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
14
DNS requests
7
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1372 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | — | — | whitelisted |
1372 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3264 | EQNEDT32.EXE | GET | 404 | 185.36.74.48:80 | http://seed-bc.com/juop4/plwr/mklo/rbn/jan2.exe | unknown | — | — | malicious |
1372 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1060 | svchost.exe | GET | 304 | 217.20.57.18:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | whitelisted |
2564 | svchost.exe | 239.255.255.250:3702 | — | — | — | whitelisted |
1372 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1060 | svchost.exe | 224.0.0.252:5355 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3264 | EQNEDT32.EXE | 185.36.74.48:80 | seed-bc.com | Fastweb | IT | unknown |
1372 | svchost.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown |
1372 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
1372 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
seed-bc.com |
| malicious |
settings-win.data.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3264 | EQNEDT32.EXE | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile |