File name: 1570596409_1.doc
Full analysis: https://app.any.run/tasks/ff3e80d4-d74d-497e-a39e-1f4269e59165
Verdict: Malicious activity
Analysis date: October 09, 2019, 18:10:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, exploit, CVE-2017-11882
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: C4EAC56ABD34B83D19EADCA0E5215A00
SHA1: 9ED767991D1037D793FE5437F23D0EEAE4B2FFAF
SHA256: 8352CE62DFD4C10C15F733D777DBA559353162BFD25EADC59AEC36A50B2611C9
SSDEEP: 6144:JCxLmyzxwHkJuy4VAbJxxWjdKfVo7d0sRPL5z9UJVf6upFcujIpbqVWt3Xn:kV9HcdKfO50sRPLRIVCuvowVWtHn

Note: the sample is named .doc but its content is RTF (MIME and file-info lines above). Word picks the parser from the content, not the extension, so the mismatch does not stop it opening; in the process table below Word is launched on 1570596409_1.doc.rtf, the submitted file with an .rtf suffix appended.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
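The tags above (ole-embedded, exploit, CVE-2017-11882) are things that can be checked statically before a file is ever detonated. The following is an added example of that pre-check, not ANY.RUN code and not something from the report: it locates every `\objdata` group in an RTF, decodes the hex while discarding the control words and whitespace that exploit builders interleave with it, and looks for the Equation Editor 3.0 class name or CLSID ({0002CE02-0000-0000-C000-000000000046}, which is real), plus the `\objupdate` control word that makes Word load the object on open. The two RTF strings are constructed for the demo and are not the page's sample; the function and field names are mine.

```python
"""Static triage of an RTF for an embedded Equation Editor object.

Added example (not ANY.RUN's tooling). The RTF samples at the bottom are
constructed for this demo, not the file analysed in the report.
"""
import re

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as the
# 16 little-endian bytes it occupies in an OLE compound-file CLSID field.
EQUATION_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")
# ProgIDs that appear as the OLE1 class name in front of the embedded object.
EQUATION_PROGIDS = (b"Equation.3", b"Equation.2")

# Control words (\fs20, \bin, ...) and control symbols (\*, \', ...) that
# exploit builders interleave with the object hex; RTF readers skip them.
_CONTROL = re.compile(rb"\\[A-Za-z]+-?\d* ?|\\[^A-Za-z]")


def is_rtf(data: bytes) -> bool:
    # Word accepts a truncated "{\rt" magic, so do not insist on "{\rtf1".
    return data.lstrip().startswith(b"{\\rt")


def _group_end(data: bytes, start: int) -> int:
    """Index just past the '}' that closes the group `start` is inside of."""
    depth, i = 1, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":          # skip escaped \{ \} \\ and control symbols
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(data)


def extract_objdata(rtf: bytes) -> list:
    """Decode every \\objdata hex blob, tolerating interleaved junk."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        end = _group_end(rtf, m.end())
        body = _CONTROL.sub(b"", rtf[m.end():end - 1])
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", body)
        if len(hexdigits) % 2:          # a dangling nibble is just junk
            hexdigits = hexdigits[:-1]
        blobs.append(bytes.fromhex(hexdigits.decode("ascii")))
    return blobs


def triage_rtf(data: bytes, filename: str = "") -> dict:
    """Flag what is worth knowing before the file reaches a sandbox."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    rtf = is_rtf(data)
    f = {
        "is_rtf": rtf,
        # Word opens on content, so a .doc that is really RTF is a lure tell.
        "extension_mismatch": rtf and ext not in ("rtf", ""),
        # \objupdate forces the object to load on open, without a click.
        "objupdate": re.search(rb"\\objupdate\b", data) is not None,
        "equation_objclass": re.search(rb"\\objclass\s+Equation\.", data) is not None,
    }
    blobs = extract_objdata(data) if rtf else []
    f["objdata_count"] = len(blobs)
    f["equation_in_objdata"] = any(
        EQUATION_CLSID_LE in b or any(p in b for p in EQUATION_PROGIDS)
        for b in blobs
    )
    f["verdict"] = (
        "Equation Editor object embedded: treat as CVE-2017-11882 candidate"
        if f["equation_objclass"] or f["equation_in_objdata"]
        else "no Equation Editor object found"
    )
    return f


# Constructed samples: a benign RTF, and one carrying an OLE1 "Equation.3"
# object whose hex is split by whitespace, a control word and a junk group.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Calibri;}} Hello.\\par}"
EXPLOIT_LIKE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000 02000000\\fs20 0b000000\n"
    b"4571756174696f6e2e3300 0000000000000000 20000000\n"
    b"d0cf11e0a1b11ae1{\\*\\junkgroup}02CE020000000000C000000000000046"
    b"}}\\par}"
)

if __name__ == "__main__":
    for name, blob in (("invoice.doc", EXPLOIT_LIKE_RTF), ("note.rtf", BENIGN_RTF)):
        print(name, triage_rtf(blob, name))
```

The junk-stripping step matters more than the signature: a plain string search for "Equation.3" or the CLSID on the raw file misses samples whose hex is broken up, which is exactly why the decode goes through the same "ignore what a reader ignores" path. A verdict from this check is a triage signal; the report's dynamic evidence (EQNEDT32.EXE launching cmd.exe) is what confirms exploitation.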
  • MALICIOUS
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 2216)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 2164)
    • Application was dropped or rewritten from another process
      • ldin.exe (PID: 880)
      • ldin.exe (PID: 2800)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 2216)
  • SUSPICIOUS
    • Reads Internet Explorer settings
      • EQNEDT32.EXE (PID: 2164)
    • Executed via COM
      • EQNEDT32.EXE (PID: 2164)
    • Starts CMD.EXE for command execution
      • EQNEDT32.EXE (PID: 2164)
      • ldin.exe (PID: 880)
    • Application launched itself
      • ldin.exe (PID: 880)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2216)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2216)
No Malware configuration.

TRiD: .rtf | Rich Text Format (100)
Total processes: 41
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

(Interactive graph not reproduced. Nodes: winword.exe, eqnedt32.exe, cmd.exe, ldin.exe, cmd.exe, ldin.exe; edges are labelled "drop and start" and "start"; the report's "no specs" label marks processes with no indicators of their own. Parent/child relationships are listed in the process table below.)

Process information

PID 2216  WINWORD.EXE  (parent: explorer.exe)
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\1570596409_1.doc.rtf"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin   Integrity Level: MEDIUM   Exit code: 0
  Company: Microsoft Corporation   Description: Microsoft Word   Version: 14.0.6024.1000

PID 2164  EQNEDT32.EXE  (parent: svchost.exe)
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  User: admin   Integrity Level: MEDIUM   Exit code: 0
  Company: Design Science, Inc.   Description: Microsoft Equation Editor   Version: 00110900
  Note: the parent is svchost.exe, not WINWORD.EXE, because Equation Editor is activated out of process through COM (hence the -Embedding switch and the "Executed via COM" indicator). A detection keyed on WINWORD.EXE spawning EQNEDT32.EXE will not see this; key on EQNEDT32.EXE as a parent instead.

PID 3796  cmd.exe  (parent: EQNEDT32.EXE)
  CMD: "C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\ldin.exe
  Path: C:\Windows\System32\cmd.exe
  User: admin   Integrity Level: MEDIUM   Exit code: 3221225794 (0xC0000142, STATUS_DLL_INIT_FAILED; cmd /c returns the exit code of the command it ran)
  Company: Microsoft Corporation   Description: Windows Command Processor   Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 880  ldin.exe  (parent: WINWORD.EXE)
  CMD: "C:\Users\admin\AppData\Local\Temp\ldin.exe"
  Path: C:\Users\admin\AppData\Local\Temp\ldin.exe
  User: admin   Integrity Level: MEDIUM   Exit code: 0
  Company: I;LBE88CG<NMMALO?C   Description: ACH9=;NA7:<9@P7G7G9>JHO   Version: 7.11.14.18
  (Company and Description are the strings from the binary's own version resource, shown as the report shows them.)

PID 2172  cmd.exe  (parent: ldin.exe)
  CMD: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\Temp\ldin.exe:Zone.Identifier"
  Path: C:\Windows\System32\cmd.exe
  User: admin   Integrity Level: MEDIUM   Exit code: 0
  Company: Microsoft Corporation   Description: Windows Command Processor   Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Note: this truncates the Zone.Identifier alternate data stream on the dropped binary to zero bytes, removing the Mark-of-the-Web that would otherwise tag it as having come from the internet.

PID 2800  ldin.exe  (parent: ldin.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\ldin.exe"
  Path: C:\Users\admin\AppData\Local\Temp\ldin.exe
  User: admin   Integrity Level: MEDIUM   Exit code: not recorded
  Company: I;LBE88CG<NMMALO?C   Description: ACH9=;NA7:<9@P7G7G9>JHO   Version: 7.11.14.18
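The process table above is the dynamic evidence: Equation Editor parented by svchost.exe, Equation Editor spawning cmd.exe, a binary executing from %TEMP% under an Office process, a relaunch of that binary by itself, and a cmd.exe that blanks the Zone.Identifier stream. The following is an added example of detection logic run over those events; it is not ANY.RUN code and not part of the report. The six events are constructed from the process table (pid, image, parent image, command line); the rule names, the `ProcEvent` record and the regular expressions are mine. The rules are written to generalise beyond this run (any Office parent, any child of EQNEDT32.EXE, any command line that touches a Zone.Identifier stream), so they would also fire on variants that use a different dropper name or path.

```python
"""Process-tree rules for the behaviour in the report's process table.

Added example (not ANY.RUN tooling). EVENTS is constructed from the
report's process table; rule names and field names are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # file name of the new process
    parent_image: str   # file name of the process that created it
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# User-writable locations; a binary executing from here right after an
# Office app dropped it is the pattern seen in the report.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)
# Any command line that names the Zone.Identifier stream, whether it is the
# "type nul > file:Zone.Identifier" form from this run or something else.
MOTW_STRIP = re.compile(r":zone\.identifier", re.I)


def exe_path(cmdline: str) -> str:
    """First token of a Windows command line, quoted or not."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def detect(events):
    """Return (pid, rule, reason) for every event that trips a rule."""
    hits = []
    for e in events:
        img, parent = e.image.lower(), e.parent_image.lower()
        path = exe_path(e.cmdline)
        if img == "eqnedt32.exe":
            # Equation Editor is COM-activated, so its parent is svchost.exe
            # rather than the Office app: do not key on WINWORD -> EQNEDT32.
            hits.append((e.pid, "eqnedt32_started",
                         "Equation Editor loaded (parent %s)" % e.parent_image))
        if parent == "eqnedt32.exe":
            hits.append((e.pid, "eqnedt32_child",
                         "Equation Editor spawned %s; it has no legitimate reason to" % e.image))
        if parent in OFFICE_APPS and USER_WRITABLE.search(path):
            hits.append((e.pid, "office_exec_from_temp",
                         "%s started a binary from a user-writable path: %s" % (e.parent_image, path)))
        if img == parent and USER_WRITABLE.search(path):
            hits.append((e.pid, "self_launch_from_temp",
                         "%s relaunched itself from %s" % (e.image, path)))
        if MOTW_STRIP.search(e.cmdline):
            hits.append((e.pid, "motw_strip",
                         "Zone.Identifier stream touched: " + e.cmdline))
    return hits


# Constructed from the report's process table (PID, image, parent, command line).
EVENTS = [
    ProcEvent(2216, "WINWORD.EXE", "explorer.exe",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\1570596409_1.doc.rtf"'),
    ProcEvent(2164, "EQNEDT32.EXE", "svchost.exe",
              r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(3796, "cmd.exe", "EQNEDT32.EXE",
              r'"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\ldin.exe'),
    ProcEvent(880, "ldin.exe", "WINWORD.EXE",
              r'"C:\Users\admin\AppData\Local\Temp\ldin.exe"'),
    ProcEvent(2172, "cmd.exe", "ldin.exe",
              r'"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\Temp\ldin.exe:Zone.Identifier"'),
    ProcEvent(2800, "ldin.exe", "ldin.exe",
              r'"C:\Users\admin\AppData\Local\Temp\ldin.exe"'),
]

if __name__ == "__main__":
    for pid, rule, reason in detect(EVENTS):
        print(pid, rule, reason, sep="  ")
```

Five of the six events fire exactly one rule each and WINWORD.EXE itself fires none, which is the shape to aim for: the Office process is noisy and legitimate, the children are not. The `eqnedt32_child` rule is the one with the best signal-to-noise ratio, since Equation Editor never needs to create processes; the `motw_strip` rule is independent of the exploit and will also catch loaders delivered by other means.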
Total events: 1 343
Read events: 1 149
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 1
Suspicious files: 1
Text files: 3
Unknown types: 4

Dropped files

All entries below were written by PID 2216 (WINWORD.EXE).

C:\Users\admin\AppData\Local\Temp\CVR102E.tmp.cvr
  Type / MD5 / SHA256: not recorded
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{806EB8A4-4B22-4B1B-B962-EA2DC4F441A0}.tmp
  Type / MD5 / SHA256: not recorded
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6C933EDE-68A3-4E74-BEB7-8584846E1C14}.tmp
  Type / MD5 / SHA256: not recorded
C:\Users\admin\Desktop\~$70596409_1.doc.rtf
  Type: pgc   MD5: DF86157B08CC348FBA404741CCA14206
  SHA256: 416E6DF40F0FA497600212FFB6C9B09BC41B667B4AE97712EAEDA3D231DE2543
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc   MD5: CB3C82791EBE849DC0D5EB8F46E52FBB
  SHA256: 47BD043ECBFAC0525E8AE216C4D85002DDBC371D371058E02ED4020608D23258
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Type: text   MD5: DEF63BDED1EE3934080DE7F8BFF20B07
  SHA256: 12DC517B740E80053C268410CE063019919F7F74F9DBA7F3D3C35729CE52238F
C:\Users\admin\AppData\Local\Temp\ldin.exe
  Type: executable   MD5: E099D30F9565F697CA8945FFE60D4D95
  SHA256: D706E5C758478F5118B038BD4A6ECE93C94B2ADAB51F49BB220B983DB97AA894
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\1570596409_1.doc.rtf.LNK
  Type: lnk   MD5: 9B65D799F845DA25BB3F0DF0B29849A9
  SHA256: 51819374E31278BB296054071D5441EA818DB3842055E25BE5FEF3A5595661BE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{773FBAFA-8CCE-43FE-A78B-F83A3E08E2DA}.tmp
  Type: binary   MD5: 37612005E4BDC097BD48133B727D5923
  SHA256: FF9A96EF88720249DE9FE95C4AB9EF6EEF81435C794F315A2E50F24CB99197F1
C:\Users\admin\AppData\Local\Temp\1.a
  Type: text   MD5: DCD94CFCF3517AA9F1C9F47B75A08C0E
  SHA256: 0404FFE20E2F5CABC8913E3C9832EF6494D2EF47D5FACE1A78259BF9728BC13C

Note: the only executable, ldin.exe, is written to %TEMP% by WINWORD.EXE itself; it is the file that EQNEDT32.EXE then runs through cmd.exe /c (PID 3796) and that later makes the network connection (PID 2800). The ~$ files are Word's owner/lock files and the ~WRS/~WRF .tmp files are Word's own scratch files; they are side effects of opening the document, not payloads. Its hashes (MD5 E099D30F9565F697CA8945FFE60D4D95, SHA256 D706E5C758478F5118B038BD4A6ECE93C94B2ADAB51F49BB220B983DB97AA894) are the host-based indicators to pivot on.
HTTP(S) requests: 0
TCP/UDP connections: 30
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 2800  ldin.exe
  IP: 213.208.152.205:5200
  Domain: (none)
  ASN: Next Layer Telekommunikationsdienstleistungs- und Beratungs GmbH
  CN: AT
  Reputation: malicious

Note: with zero DNS requests in the run, the endpoint is contacted by address, so the usable network indicator is 213.208.152.205 port 5200 rather than a domain. The report counts 30 TCP/UDP connections but lists only this endpoint and captured no HTTP, so the protocol spoken on port 5200 is not identified here.

DNS requests: no data

Threats: no threats detected

Debug info: none