Malware analysis 3174a385107c6445c53bd8b541b0a43d Malicious activity | ANY.RUN - Malware Sandbox Online

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Sign up, it’s free

Add for printing

File name:	3174a385107c6445c53bd8b541b0a43d
Full analysis:	https://app.any.run/tasks/4a476d83-2c69-4e0d-960e-772c0d501694
Verdict:	Malicious activity
Analysis date:	June 19, 2019, 10:39:04
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	ole-embedded maldoc-13
MIME:	text/rtf
File info:	Rich Text Format data, version 1, unknown character set
MD5:	3174A385107C6445C53BD8B541B0A43D
SHA1:	5DB57F2F0C30E843A6440FDA476235100166B7C1
SHA256:	976F758665D17153F0E6A22810599939092FC8E4FAB91562C0DEF7860C7222A7
SSDEEP:	1536:miIIUewe3XVo622z1RlRKOjDwJ2GHqYnvNvpNiAWihpWFRIxPILSQWns3R:miIjCmxgLSQWno

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 560 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: on
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.12.25810 (14.12.25810.0)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
Microsoft Visual C++ 2017 x64 Additional Runtime - 14.12.25810 (14.12.25810)
Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.12.25810 (14.12.25810)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
Mozilla Firefox 65.0.2 (x64 en-US) (65.0.2)
Mozilla Maintenance Service (65.0.2)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Hotfixes

Add for printing

MALICIOUS
- Requests a remote executable file from MS Office
  - WINWORD.EXE (PID: 2552)
SUSPICIOUS
- Reads Internet Cache Settings
  - WINWORD.EXE (PID: 2552)
INFO
- Creates files in the user directory
  - WINWORD.EXE (PID: 2552)
- Reads settings of System Certificates
  - WINWORD.EXE (PID: 2552)
- Reads the machine GUID from the registry
  - WINWORD.EXE (PID: 2552)
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 2552)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rtf	\|	Rich Text Format (100)

No data.

Add for printing

All screenshots are available in the full report

All screenshots are available in the full report

Add for printing

Total processes

33

Monitored processes

1

Malicious processes

1

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2552	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\3174a385107c6445c53bd8b541b0a43d.rtf"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.5123.5000

Add for printing

Total events

1 431

Read events

1 069

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

0

Suspicious files

0

Text files

4

Unknown types

4

Dropped files

PID	Process	Filename		Type
2552	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR565A.tmp.cvr		—
		MD5:—	SHA256:—
2552	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DCAE2F83.png		—
		MD5:—	SHA256:—
2552	WINWORD.EXE	C:\Users\admin\Desktop\~$74a385107c6445c53bd8b541b0a43d.rtf		pgc
		MD5:CDDC92F836CDB72D3FB86916713236EA	SHA256:EDD7CE9B4CCB0CA013099F4975AA7F75FD86014607F6204FAA131CB0C519163D
2552	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:BD573C9A3CDFFD4F4DDBCC1AA90979C3	SHA256:3BB3B1FF9633826D9E242B93728B272EEF3ACAD2BB57DAACC6D22ECF906631B3
2552	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\Abctfhghghghghg.sct		html
		MD5:D30215FCA6DD73F3DE2880E083C4D7EC	SHA256:A8A4F9A22D13AE84D154EE4F1975D41BF91F1176E7897086E20E54C548E1493E
2552	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\3174a385107c6445c53bd8b541b0a43d.LNK		lnk
		MD5:E32662C9B1CAD5993487E322D49F110E	SHA256:3A593EFB1089AD4C91EE0960B8E2E31659E3BBC670F6BE9D4974E1327EA805E6
2552	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\Abctfhghghghghg.sct:Zone.Identifier		text
		MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B	SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
2552	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex		text
		MD5:F3B25701FE362EC84616A93A45CE9998	SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

3

TCP/UDP connections

3

DNS requests

1

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2552	WINWORD.EXE	GET	404	199.101.103.22:443	https://tlkcloudem.com/file/photo.exe	US	html	331 b	suspicious
2552	WINWORD.EXE	GET	404	199.101.103.22:443	https://tlkcloudem.com/file/photo.exe	US	html	331 b	suspicious
2552	WINWORD.EXE	GET	404	199.101.103.22:443	https://tlkcloudem.com/file/photo.exe	US	html	331 b	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2552	WINWORD.EXE	199.101.103.22:443	tlkcloudem.com	QuickPacket, LLC	US	suspicious

DNS requests

Domain	IP	Reputation
tlkcloudem.com	199.101.103.22	suspicious

Threats

No threats detected

Add for printing

No debug info