File name: 7e2e52618d8ab0f3793eb804090d83efff85816489fac45922336626fc8ef91d

Full analysis: https://app.any.run/tasks/3746641a-93b4-4ef4-8c3f-ac092325db8a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 10, 2019, 22:43:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, exploit, CVE-2017-11882, trojan, nanocore, rat, loader
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: 0AFD822AAE10B7C81D9931AC6501D6E1
SHA1: A28FE0556B14515B22ADAD9B0CB07BCF560BB548
SHA256: 7E2E52618D8AB0F3793EB804090D83EFFF85816489FAC45922336626FC8EF91D
SSDEEP: 96:lIWIUTtpX7aBCqUQhGVXaMKVKLf8ODPGbWVC64wH:CW5praB2QGVXaMKVoPsWR4wH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Suspicious connection from the Equation Editor
      • EQNEDT32.EXE (PID: 3476)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 3476)
    • Changes the autorun value in the registry
      • plugin.exe (PID: 3576)
    • Application was dropped or rewritten from another process
      • plugin.exe (PID: 3576)
    • Connects to CnC server
      • RegAsm.exe (PID: 4080)
    • Downloads executable files from the Internet
      • EQNEDT32.EXE (PID: 3476)
    • NANOCORE was detected
      • RegAsm.exe (PID: 4080)
  • SUSPICIOUS
    • Creates files in the user directory
      • EQNEDT32.EXE (PID: 3476)
      • RegAsm.exe (PID: 4080)
    • Executed via COM
      • EQNEDT32.EXE (PID: 3476)
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 3476)
      • plugin.exe (PID: 3576)
    • Suspicious files were dropped or overwritten
      • plugin.exe (PID: 3576)
    • Connects to unusual port
      • RegAsm.exe (PID: 4080)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2720)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2720)
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
Screenshots: available in the full report
Total processes: 36
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph (interactive view in the full report): winword.exe, eqnedt32.exe, plugin.exe, regasm.exe (#NANOCORE)

Process information

PID: 2720
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\7e2e52618d8ab0f3793eb804090d83efff85816489fac45922336626fc8ef91d.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3476
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 3576
CMD: "C:\Users\admin\AppData\Roaming\plugin.exe"
Path: C:\Users\admin\AppData\Roaming\plugin.exe
Parent process: EQNEDT32.EXE
User: admin
Integrity Level: MEDIUM

PID: 4080
CMD: "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Parent process: plugin.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Version: 2.0.50727.5420 (Win7SP1.050727-5400)
Total events: 1 204
Read events: 854
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 3
Suspicious files: 2
Text files: 1
Unknown types: 3

Dropped files

PID | Process | Filename | Type

2720 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8B6C.tmp.cvr |
MD5:
SHA256:

3576 | plugin.exe | C:\Users\admin\AppData\MicrosoftEdgeDevTools\UsoClient.bat | executable
MD5: 0CFEB0581FA14091BA77AEA9A7B29AB6
SHA256: EEEB7A9EFEAA8A9B0485404C3392B586DDB0D65AE5A1F08C0254C4D7AB07C65A

3476 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\plugin.exe | executable
MD5: C3FB127C90D6D5065858AD86B317165D
SHA256: C212BA76C03C07F3B61473025182317E0279F8F269069DB2DB8CE04DE62554DF

4080 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat | bs
MD5: 32D0AAE13696FF7F8AF33B2D22451028
SHA256: 5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29

4080 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\storage.dat | binary
MD5: 963D5E2C9C0008DFF05518B47C367A7F
SHA256: 5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0

3476 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\dj[1].exe | executable
MD5: C3FB127C90D6D5065858AD86B317165D
SHA256: C212BA76C03C07F3B61473025182317E0279F8F269069DB2DB8CE04DE62554DF

4080 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text
MD5: 53070D68D2584757B782EACAD78F1829
SHA256: AF1C0B0E1FDA047F1B1C4D757D5C5010E9B3F4A9A6B58F7257700EE62F550BD3

2720 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$2e52618d8ab0f3793eb804090d83efff85816489fac45922336626fc8ef91d.rtf | pgc
MD5: 8B34CAC37C97A6CF9668F355AA8D28B7
SHA256: C0B9DBFE60BAD83CE0FDAF80F91694FBB37BCF99DDD25FCE234BFFAC80DECE50

2720 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
MD5: 0230FE820C986A89CB0F29043BDA1EE5
SHA256: 41F6B08AA3E7181B6CBCA7A98D0621FAEF44EF0C9556E48037FE25CDA275CE56

4080 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin | binary
MD5: AE0F5E6CE7122AF264EC533C6B15A27B
SHA256: 73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3476 | EQNEDT32.EXE | GET | 200 | 173.231.196.195:80 | http://dj.kayamalimusavirlik.com/dj.exe | CN | executable | 1.21 Mb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4080 | RegAsm.exe | 8.8.8.8:53 | | Google Inc. | US | whitelisted
3476 | EQNEDT32.EXE | 173.231.196.195:80 | dj.kayamalimusavirlik.com | tzulo, inc. | CN | suspicious
4080 | RegAsm.exe | 185.105.236.157:4050 | mymy1.ddns.net | Patron Technology Persia Ltd | IR | malicious

DNS requests

Domain | IP | Reputation
dj.kayamalimusavirlik.com | 173.231.196.195 | suspicious
mymy1.ddns.net | 185.105.236.157 | malicious

Threats

PID | Process | Class | Message
3476 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
3476 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
4080 | RegAsm.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B
4080 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT
4080 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT
4080 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT
4080 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT
4080 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT
4080 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT
27 ETPRO signatures available at the full report
No debug info