analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

10857814e47867eed782ca5ee7fae530

Full analysis: https://app.any.run/tasks/5d514da8-6eb3-4003-9c4e-ce2e8a8119a3
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: July 12, 2020, 18:29:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
loader
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

10857814E47867EED782CA5EE7FAE530

SHA1:

CFE474BAE58382ACC34F7731512E2B068E1F83B3

SHA256:

7AB7604E26FF6BC378D1E88C55D8AAC5DB92423B7E90B5A54158FE71F3AA2047

SSDEEP:

192:OZyRgDauMqd/eiYzX8fq8zfgPb63kP8b7PMi7CuWkNYBg9+17yANerRxptFpLRSW:OXwqENX8i8stChW8Yi9+EAOxptFpV6FC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3192)

    • Application was dropped or rewritten from another process

      • kenlawefrnd57687.exe (PID: 2328)
      • kenlawefrnd57687.exe (PID: 3396)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3192)

    • Changes the autorun value in the registry

      • kenlawefrnd57687.exe (PID: 2328)

    • Actions looks like stealing of personal data

      • kenlawefrnd57687.exe (PID: 2328)

    • Changes settings of System certificates

      • kenlawefrnd57687.exe (PID: 2328)

  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 3192)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3192)
      • kenlawefrnd57687.exe (PID: 2328)

    • Reads Internet Cache Settings

      • EQNEDT32.EXE (PID: 3192)

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3192)
      • kenlawefrnd57687.exe (PID: 2328)

    • Uses NETSH.EXE for network configuration

      • kenlawefrnd57687.exe (PID: 2328)

    • Reads the cookies of Google Chrome

      • kenlawefrnd57687.exe (PID: 2328)

    • Reads the cookies of Mozilla Firefox

      • kenlawefrnd57687.exe (PID: 2328)

    • Adds / modifies Windows certificates

      • kenlawefrnd57687.exe (PID: 2328)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 572)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 572)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe kenlawefrnd57687.exe no specs kenlawefrnd57687.exe netsh.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
572"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\10857814e47867eed782ca5ee7fae530.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3192"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3396"C:\Users\admin\AppData\Roaming\kenlawefrnd57687.exe"C:\Users\admin\AppData\Roaming\kenlawefrnd57687.exeEQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2328"C:\Users\admin\AppData\Roaming\kenlawefrnd57687.exe"C:\Users\admin\AppData\Roaming\kenlawefrnd57687.exe
kenlawefrnd57687.exe
User:
admin
Integrity Level:
MEDIUM
2052"netsh" wlan show profileC:\Windows\system32\netsh.exekenlawefrnd57687.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
5 220
Read events
940
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
572WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRCA95.tmp.cvr
MD5:
SHA256:
2328kenlawefrnd57687.exeC:\Users\admin\AppData\Roaming\mdb2yzvw.j24\Chrome\Default\Cookies
MD5:
SHA256:
2328kenlawefrnd57687.exeC:\Users\admin\AppData\Roaming\mdb2yzvw.j24\Firefox\Profiles\qldyz51w.default\cookies.sqlite
MD5:
SHA256:
3192EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\kenlawfrndx[1].exeexecutable
MD5:7A06D76237AEC0C1B8CC4BC643E3D627
SHA256:E888883E6993AB7DF3EDD30EBA22F6282C33324A21FFBED661C6478393E2296E
572WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:C7547145D751AD56DE2628637324E6FB
SHA256:C60C9F9B434AEDD06857ACB6C26C0E3139E22D07286DDDD625737FB40B1D6751
2328kenlawefrnd57687.exeC:\Users\admin\AppData\Local\Temp\showmoneytwo\showmoneytwo.exeexecutable
MD5:7A06D76237AEC0C1B8CC4BC643E3D627
SHA256:E888883E6993AB7DF3EDD30EBA22F6282C33324A21FFBED661C6478393E2296E
572WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$857814e47867eed782ca5ee7fae530.rtfpgc
MD5:A0CAACB080253F78CEED7FEFFD028C1F
SHA256:1DE58CFE8B5EB601F45E1DDD3AD87157C0F969FFA73B427AA2FBFBC45774C412
3192EQNEDT32.EXEC:\Users\admin\AppData\Roaming\kenlawefrnd57687.exeexecutable
MD5:7A06D76237AEC0C1B8CC4BC643E3D627
SHA256:E888883E6993AB7DF3EDD30EBA22F6282C33324A21FFBED661C6478393E2296E
2328kenlawefrnd57687.exeC:\Users\admin\AppData\Roaming\mdb2yzvw.j24.zipcompressed
MD5:B2FDEE8DF6B71136E450939A67B6C10B
SHA256:1A6159B901B036F3AEF0795672EA7C4B73D2EDD3F58AA80E68E83F8518C09F2E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3192
EQNEDT32.EXE
GET
200
194.180.224.87:80
http://admaris.ir/kenlawfrndx/kenlawfrndx.exe
unknown
executable
751 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2328
kenlawefrnd57687.exe
5.77.32.186:587
dutchlogs.us
iomart Cloud Services Limited.
GB
suspicious
3192
EQNEDT32.EXE
194.180.224.87:80
admaris.ir
malicious

DNS requests

Domain
IP
Reputation
admaris.ir
  • 194.180.224.87
malicious
dutchlogs.us
  • 5.77.32.186
unknown

Threats

PID
Process
Class
Message
3192
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2328
kenlawefrnd57687.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
2328
kenlawefrnd57687.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
10857814e47867eed782ca5ee7fae530