analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

a0ea74368109ab689205421a0d49e476096c349de6e50367b721e482e8185da2

Full analysis: https://app.any.run/tasks/7267dc8b-9568-48ae-89e8-d7c084844d24
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: January 11, 2019, 11:29:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
trojan
exploit
CVE-2017-11882
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

242D743D9C97F6992B37A648566689C1

SHA1:

91B494AABE1EA74C20F8D38E4EF6C1D2430C24BA

SHA256:

A0EA74368109AB689205421A0D49E476096C349DE6E50367B721E482E8185DA2

SSDEEP:

6144:hQHpBQHpPQHp6QHp6QHplQHplQHplQHplQHplQHplQHplQHpuQHpBQHpBQHpSQH0:CA2zzMMMMMMMvAALhDORludXM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3460)

    • Application was dropped or rewritten from another process

      • toish.exe (PID: 2832)
      • 1.exe (PID: 3884)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3460)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3460)
      • 1.exe (PID: 3884)

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3460)
      • 1.exe (PID: 3884)

    • Starts itself from another location

      • 1.exe (PID: 3884)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2980)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

InternalVersionNumber: 24689
CharactersWithSpaces: 1773
Characters: 1511
Words: 265
Pages: 2
TotalEditTime: -
RevisionNumber: 2
LastPrinted: 2018:12:12 16:35:00
ModifyDate: 2018:12:14 09:22:00
CreateDate: 2018:12:14 09:22:00
LastModifiedBy: Windows User
Author: Mr.Duoc
Upr: {CH??NG TRÌNH }{*{CH{ƯƠNG TRÌNH }}}
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs eqnedt32.exe 1.exe toish.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2980"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\a0ea74368109ab689205421a0d49e476096c349de6e50367b721e482e8185da2.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3460"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3884C:\Users\admin\AppData\Local\Temp\1.exeC:\Users\admin\AppData\Local\Temp\1.exe
EQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2832"C:\Users\admin\AppData\Roaming\tsig\toish.exe"C:\Users\admin\AppData\Roaming\tsig\toish.exe1.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 104
Read events
747
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
0
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
2980WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVREAF0.tmp.cvr
MD5:
SHA256:
38841.exeC:\Users\admin\AppData\Roaming\tsig\toish.exe:ZoneIdentifier
MD5:
SHA256:
2980WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:E19279658F5878C3F7E1BE1A1A466AB0
SHA256:E047B13A3169186D4D065FAF0C8D719E5386FBFCAC2620B1F5F7C86B7A012575
3460EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txttext
MD5:4113BE1544A4A68BD58181FE2AF4D400
SHA256:9AC7A1EECD9C879328BC938E7F9EC2B10ADC4011A7A59500B5A8D228824A4DF2
3460EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\5001261008[1].jpgexecutable
MD5:6A504692BA010F62C6556AEEC6D6A03D
SHA256:1F972FE9F4802A19039CC57D65CDF1233F0C4D816C71D46ADF197150C4519301
3460EQNEDT32.EXEC:\Users\admin\AppData\Local\Temp\1.exeexecutable
MD5:6A504692BA010F62C6556AEEC6D6A03D
SHA256:1F972FE9F4802A19039CC57D65CDF1233F0C4D816C71D46ADF197150C4519301
2980WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$ea74368109ab689205421a0d49e476096c349de6e50367b721e482e8185da2.rtfpgc
MD5:9EF86DA722E98EFB3B0A63F544BEF8B4
SHA256:93CD3A42F7BC166AFB78B9D16702EB0F281A8D66C5E176F0EA8C96699AB24AC2
38841.exeC:\Users\admin\AppData\Roaming\tsig\toish.exeexecutable
MD5:6A504692BA010F62C6556AEEC6D6A03D
SHA256:1F972FE9F4802A19039CC57D65CDF1233F0C4D816C71D46ADF197150C4519301
3460EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3460
EQNEDT32.EXE
GET
301
67.199.248.10:80
http://bit.ly/2M3YmuX
US
html
127 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3460
EQNEDT32.EXE
67.199.248.10:80
bit.ly
Bitly Inc
US
shared
3460
EQNEDT32.EXE
67.227.236.120:443
paragptfe.com
Liquid Web, L.L.C
US
malicious

DNS requests

Domain
IP
Reputation
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared
paragptfe.com
  • 67.227.236.120
malicious

Threats

PID
Process
Class
Message
3460
EQNEDT32.EXE
A Network Trojan was detected
MALWARE [PTsecurity] PowerShell.Downloader httpHeader
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
a0ea74368109ab689205421a0d49e476096c349de6e50367b721e482e8185da2