analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

a7aead565341c4a3a3f8867a3ca3c9ab

Full analysis: https://app.any.run/tasks/0cc8d526-3e21-42c5-ba01-02c905d1f7d2
Verdict: Malicious activity
Analysis date: July 18, 2019, 03:14:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

A7AEAD565341C4A3A3F8867A3CA3C9AB

SHA1:

61EDA60023DA167657C1B89251E4C11CC40DF87A

SHA256:

A2D41FFA099E587EB692A7E90B37B978A4A49E4F2A00BA383027F1DBC10328AC

SSDEEP:

768:qaKf8YDEP6d3MzuuUdjTCMJhIS4NX8l0l/cHnQeEHpljeDXrdBj1ANlY7S4cwHNX:qfCqNdjOi4UHHQxJlwrdboY7Scttt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3976)
      • EXCEL.EXE (PID: 1324)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2844)
      • cmd.exe (PID: 3192)
      • cmd.exe (PID: 3648)
      • cmd.exe (PID: 3600)

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 3976)
      • EXCEL.EXE (PID: 1324)

    • Application was dropped or rewritten from another process

      • WScript.exe (PID: 3344)
      • amsi.dll (PID: 1860)
      • WScript.exe (PID: 3448)
      • WScript.exe (PID: 2648)
      • WScript.exe (PID: 3080)
      • amsi.dll (PID: 3724)

    • Loads dropped or rewritten executable

      • cmd.exe (PID: 3192)
      • svchost.exe (PID: 844)
      • cmd.exe (PID: 2844)
      • explorer.exe (PID: 292)
      • SearchProtocolHost.exe (PID: 1992)
      • WScript.exe (PID: 3344)
      • cmd.exe (PID: 3648)
      • cmd.exe (PID: 3600)
      • WScript.exe (PID: 3080)

  • SUSPICIOUS

    • Executed via COM

      • EXCEL.EXE (PID: 3976)
      • excelcnv.exe (PID: 1632)
      • EXCEL.EXE (PID: 1324)

    • Executes scripts

      • cmd.exe (PID: 2844)
      • cmd.exe (PID: 3192)
      • cmd.exe (PID: 3648)
      • cmd.exe (PID: 3600)

    • Starts itself from another location

      • WScript.exe (PID: 3344)

    • Starts application with an unusual extension

      • WScript.exe (PID: 3344)
      • WScript.exe (PID: 3080)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3344)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3684)
      • EXCEL.EXE (PID: 3976)

    • Starts Microsoft Office Application

      • explorer.exe (PID: 292)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3684)
      • EXCEL.EXE (PID: 3976)
      • excelcnv.exe (PID: 1632)
      • EXCEL.EXE (PID: 1324)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

InternalVersionNumber: 57433
CharactersWithSpaces: 39
Characters: 34
Words: 6
Pages: 1
TotalEditTime: 2 minutes
RevisionNumber: 1
ModifyDate: 2019:06:16 21:53:00
CreateDate: 2019:06:16 21:51:00
LastModifiedBy: Karla
Author: Karla
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
21
Malicious processes
8
Suspicious processes
3

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs excel.exe cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs wscript.exe no specs wscript.exe amsi.dll svchost.exe searchprotocolhost.exe no specs explorer.exe no specs excelcnv.exe no specs excel.exe cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs wscript.exe no specs wscript.exe no specs amsi.dll

Process information

PID
CMD
Path
Indicators
Parent process
3684"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\a7aead565341c4a3a3f8867a3ca3c9ab.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3976"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
2844"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3 > nul & start C:\Users\Public\WindowsDefender.vbsC:\Windows\System32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3192"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & start C:\Users\Public\atach.vbsC:\Windows\System32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2136ping 127.0.0.1 -n 3 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1356ping 127.0.0.1 -n 5 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3448"C:\Windows\System32\WScript.exe" "C:\Users\Public\WindowsDefender.vbs" C:\Windows\System32\WScript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3344"C:\Windows\System32\WScript.exe" "C:\Users\Public\atach.vbs" C:\Windows\System32\WScript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1860"C:\Users\Public\amsi.dll" "C:\Users\Public\atach.vbs"C:\Users\Public\amsi.dll
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
844C:\Windows\system32\svchost.exe -k netsvcsC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 639
Read events
1 764
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
10
Unknown types
6

Dropped files

PID
Process
Filename
Type
3684WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRF8B8.tmp.cvr
MD5:
SHA256:
3976EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR182.tmp.cvr
MD5:
SHA256:
3976EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFE4D419492EA3C1DB.TMP
MD5:
SHA256:
1632excelcnv.exeC:\Users\admin\AppData\Local\Temp\CVRAD33.tmp.cvr
MD5:
SHA256:
3684WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFC914459B483F85A6.TMP
MD5:
SHA256:
1324EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRBE9.tmp.cvr
MD5:
SHA256:
844svchost.exeC:\Windows\appcompat\programs\RecentFileCache.bcftxt
MD5:E929AD9A619EBF5D337285414CE97C3D
SHA256:BAD478325EDBAF575E4F0C86C3B028CAB766089AE89740B0A8802D193EA39759
3976EXCEL.EXEC:\Users\Public\atach.vbstext
MD5:6A38E73B9B0B30879A19EF216E19AB91
SHA256:0E2DB9B565821E3DE073F9E3124F88EB1D795226B8241554A005086141EA4FCD
3976EXCEL.EXEC:\Users\Public\WindowsDefender.vbstext
MD5:7F2A202549A7CE9E21FA866B234E6E1F
SHA256:81D128737CE4EC69BCAB76FFA039B80C84A1E8001DB603029DA878E766BD0E9D
3976EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\yvyE642L[1].txttext
MD5:7F2A202549A7CE9E21FA866B234E6E1F
SHA256:81D128737CE4EC69BCAB76FFA039B80C84A1E8001DB603029DA878E766BD0E9D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3976
EXCEL.EXE
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
1324
EXCEL.EXE
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
1860
amsi.dll
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
3724
amsi.dll
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
pastebin.com
  • 104.20.209.21
  • 104.20.208.21
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
a7aead565341c4a3a3f8867a3ca3c9ab