File name: 8e48ff52d3b4bc3f4b533bffb78c9a07e1bce6e3e1c0af6073e18b37e4ef547f

Full analysis: https://app.any.run/tasks/21816850-5bc2-4291-8e44-860fb77a4a86
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 25, 2019, 08:24:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, CVE-2017-11882, loader
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5: 77A61172F1EDD373991371491BBA6622
SHA1: 6E98DBE9E2BA12038ABCFB046AECAB789251E334
SHA256: 8E48FF52D3B4BC3F4B533BFFB78C9A07E1BCE6E3E1C0AF6073E18B37E4EF547F
SSDEEP: 48:CvSQmqB+ybe+4xFJsyrfWTNa0d2dDCgRf2BN292TZfV8uACvdmfRR2:SSQmqMySnxzsyqgRfWoaaKaR2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • jhtucdujh.exe (PID: 1412)
      • jhtucdujh.exe (PID: 2888)
    • Downloads executable files from the Internet
      • EQNEDT32.EXE (PID: 3288)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 3288)
  • SUSPICIOUS
    • Creates files in the user directory
      • EQNEDT32.EXE (PID: 3288)
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 3288)
    • Application launched itself
      • jhtucdujh.exe (PID: 1412)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 1524)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 1524)
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
Total processes: 36
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process chain (edge legend: start, drop and start): winword.exe (no specs) -> eqnedt32.exe -> jhtucdujh.exe (no specs) -> jhtucdujh.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 1524
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\8e48ff52d3b4bc3f4b533bffb78c9a07e1bce6e3e1c0af6073e18b37e4ef547f.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3288
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 1412
CMD: "C:\Users\admin\AppData\Local\Temp\jhtucdujh.exe"
Path: C:\Users\admin\AppData\Local\Temp\jhtucdujh.exe
Parent process: EQNEDT32.EXE
User: admin
Integrity Level: MEDIUM
Description: Discloud
Exit code: 0
Version: 1.01.0007

PID: 2888
CMD: C:\Users\admin\AppData\Local\Temp\jhtucdujh.exe"
Path: C:\Users\admin\AppData\Local\Temp\jhtucdujh.exe
Parent process: jhtucdujh.exe
User: admin
Integrity Level: MEDIUM
Description: Discloud
Version: 1.01.0007
Total events: 1 095
Read events: 742
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 1
Text files: 2
Unknown types: 5

Dropped files

Columns: PID, Process, Filename, Type

PID: 1524
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR5EC5.tmp.cvr
Type:
MD5:
SHA256:

PID: 1524
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: BAEC04A54AC968DB29FEE2F2ABDA0EA1
SHA256: 230C0E0381E2EA1B4CED9700B32635C2548CB4B0CE50C1D60F5BF49BA8E63985

PID: 3288
Process: EQNEDT32.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\obvi[1].exe
Type: executable
MD5: 44BA74AD94BD17DEB21983159A697444
SHA256: BA7E32F7C669929B59D81924700B467BDCE6747B75329C69915E5FC4BFA82FDE

PID: 1524
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5: 449D879606E8D694A5934134EF0FBB84
SHA256: A7256F8769FE58061B51F78761A7069387B2BC88B67ACE4C2D52A6C956BF02A9

PID: 3288
Process: EQNEDT32.EXE
Filename: C:\Users\admin\AppData\Local\Temp\jhtucdujh.exe
Type: executable
MD5: 44BA74AD94BD17DEB21983159A697444
SHA256: BA7E32F7C669929B59D81924700B467BDCE6747B75329C69915E5FC4BFA82FDE

PID: 1524
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\8e48ff52d3b4bc3f4b533bffb78c9a07e1bce6e3e1c0af6073e18b37e4ef547f.rtf.LNK
Type: lnk
MD5: F8467D212BFD2918EB7C8C4C5E4689CC
SHA256: 4CF50BABC065F418F7B49C6246B4883F853F0AA9FEE488B74FA7603F21D5D1E3

PID: 1412
Process: jhtucdujh.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF45693747AD65EC29.TMP
Type: binary
MD5: F22CC7B60E9A9DC200DF590BC20EA7B1
SHA256: A3EBA7E8E3218C7A7ACC65A9CB7617DA20C6C8CD41C724A6AFEB6AD4DE9AB786

PID: 1524
Process: WINWORD.EXE
Filename: C:\Users\admin\Downloads\~$48ff52d3b4bc3f4b533bffb78c9a07e1bce6e3e1c0af6073e18b37e4ef547f.rtf
Type: pgc
MD5: 6AE53CD342D8933D00B31E39B8421563
SHA256: C79F9525DDA6111F648EE5BB18DD103F75D0F996F6ABF45CF787C88F574C2F16

PID: 3288
Process: EQNEDT32.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
Type: dat
MD5: D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256: 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID: 3288
Process: EQNEDT32.EXE
Method: GET
HTTP Code: 200
IP: 112.213.89.40:80
URL: http://tfvn.com.vn/images/gri/ob/obvi.exe
CN: VN
Type: executable
Size: 789 Kb
Reputation: malicious

Connections

PID: 3288
Process: EQNEDT32.EXE
IP: 112.213.89.40:80
Domain: tfvn.com.vn
ASN: SUPERDATA
CN: VN
Reputation: malicious

DNS requests

Domain: tfvn.com.vn
IP: 112.213.89.40
Reputation: unknown

Threats

PID: 3288
Process: EQNEDT32.EXE
Class: Potential Corporate Privacy Violation
Message: ET POLICY PE EXE or DLL Windows file download HTTP
No debug info