analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | da12467783b0af26686073cfc9b51c34.doc |
| Full analysis: | https://app.any.run/tasks/9db2d5aa-d5a1-4476-87cb-a449ea969515 |
| Verdict: | Malicious activity |
| Analysis date: | January 11, 2019, 08:29:20 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/rtf |
| File info: | Rich Text Format data, version 1, unknown character set |
| MD5: | DA12467783B0AF26686073CFC9B51C34 |
| SHA1: | B1EBC0CF1D2EE04D5A6C4695C52CB28BD379AB2B |
| SHA256: | 6A7E17E6699904D9509CE74F4BAA008C7CA5D687D9C766C42AEB354DAAAE8109 |
| SSDEEP: | 12288:RiKD+iKDYiKDViKDViKDqiKDqiKDqiKDqiKDqiKDqiKDqiKDhiKD+iKD+iKDdiKy:RixibiGiGililililililili6ixixiOe |
MALICIOUS
Suspicious connection from the Equation Editor
- EQNEDT32.EXE (PID: 3448)
Equation Editor starts application (CVE-2017-11882)
- EQNEDT32.EXE (PID: 3448)
SUSPICIOUS
Executes application which crashes
- EQNEDT32.EXE (PID: 3448)
Creates files in the user directory
- EQNEDT32.EXE (PID: 3448)
INFO
Creates files in the user directory
- WINWORD.EXE (PID: 2972)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rtf | | | Rich Text Format (100) |
|---|
EXIF
RTF
| InternalVersionNumber: | 24689 |
|---|---|
| CharactersWithSpaces: | 1773 |
| Characters: | 1511 |
| Words: | 265 |
| Pages: | 2 |
| TotalEditTime: | - |
| RevisionNumber: | 2 |
| LastPrinted: | 2018:12:12 16:35:00 |
| ModifyDate: | 2018:12:14 09:22:00 |
| CreateDate: | 2018:12:14 09:22:00 |
| LastModifiedBy: | Windows User |
| Author: | Mr.Duoc |
| Upr: | {CH??NG TRÌNH }{*{CH{ƯƠNG TRÌNH }}} |
Total processes
34
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2972 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\da12467783b0af26686073cfc9b51c34.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 3448 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
| 3344 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
1 381
Read events
746
Write events
630
Delete events
5
Modification events
| (PID) Process: | (2972) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | }+0 |
Value: 7D2B30009C0B0000010000000000000000000000 | |||
| (PID) Process: | (2972) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (2972) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (2972) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1311440917 | |||
| (PID) Process: | (2972) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1311441036 | |||
| (PID) Process: | (2972) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1311441037 | |||
| (PID) Process: | (2972) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
| Operation: | write | Name: | MTTT |
Value: 9C0B00002A3ECBC987A9D40100000000 | |||
| (PID) Process: | (2972) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | &,0 |
Value: 262C30009C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (2972) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | delete value | Name: | &,0 |
Value: 262C30009C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (2972) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
0
Suspicious files
0
Text files
5
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B5D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$12467783b0af26686073cfc9b51c34.doc.rtf | pgc | |
MD5:95439BC4F395F60EA8752AD63443FF55 | SHA256:1F0532F4C8F6C54C2CCF5A3D7641BD466348B46D8F515BE1848AE0CA41B10655 | |||
| 2972 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:6B01A4399B399324F54D1B8A2E65AF4E | SHA256:2053FC6E06AD503565098797E40EDDF8CC5E6604C5164B385EF69A4E5CF81581 | |||
| 3448 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bitly[1].txt | text | |
MD5:6DC572E799D6B80CB889CD396E43CFA3 | SHA256:C2A30F8165428CE6F38F81F8238CC8BCF9865D6A03FC14848562B369F8DC413F | |||
| 3448 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\warning[1].txt | html | |
MD5:2A82160964629165F8A2189B87BFADF0 | SHA256:F8ED89D5D57BC2D6DE6C3A83DE7C7BBC00106E04D491FE0A50FAF2A896557FEF | |||
| 3448 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Temp\1.exe | html | |
MD5:2A82160964629165F8A2189B87BFADF0 | SHA256:F8ED89D5D57BC2D6DE6C3A83DE7C7BBC00106E04D491FE0A50FAF2A896557FEF | |||
| 3448 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A | |||
| 3344 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs785E.tmp | text | |
MD5:4C361DEA398F7AEEF49953BDC0AB4A9B | SHA256:06D61C23E6CA59B9DDAD1796ECCC42C032CD8F6F424AF6CFEE5D085D36FF7DFD | |||
| 3344 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs784D.tmp | text | |
MD5:8CF6DDB5AA59B49F34B967CD46F013B6 | SHA256:EE06792197C3E025B84860A72460EAF628C66637685F8C52C5A08A9CC35D376C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3448 | EQNEDT32.EXE | GET | 302 | 67.199.248.10:80 | http://bit.ly/2C9JAy9 | US | html | 173 b | shared |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3448 | EQNEDT32.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
3448 | EQNEDT32.EXE | 67.199.248.14:443 | bitly.com | Bitly Inc | US | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
bit.ly |
| shared |
bitly.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3448 | EQNEDT32.EXE | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell.Downloader httpHeader |