File name: 4878.rtf
Full analysis: https://app.any.run/tasks/2c50a08a-034e-404a-a079-4ef5adad3c42
Verdict: Malicious activity
Analysis date: December 06, 2018, 06:34:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, CVE-2017-11882
Indicators:
MIME: application/octet-stream
File info: data (the type sniffer found no recognisable RTF header, yet Word opens the file as an .rtf document; a magic-byte check alone will not catch this sample)
MD5: DEB6EE45F62AEEA268382A2528541C55
SHA1: 60726EEF03144D8EA1472CAA98B71AD1CD7C8720
SHA256: A5522BF1321906CAB067023B2523418F5881B829B883C19CA2AAF7AC0AF98234
SSDEEP: 24576:jDjkZMoBwFDxAvLfeDh4kqE3bn5ZMzDj6:r

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Because the analyst can interact with the sample while it runs, the information in this report may have been influenced by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 2964)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 2964)
    • Starts CMD.EXE for commands execution
      • WINWORD.EXE (PID: 2964)
    • Application was dropped or rewritten from another process
      • exe.exe (PID: 3192)
      • exe.exe (PID: 3576)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 2512)
  • SUSPICIOUS
    • Starts CMD.EXE for commands execution
      • cmd.exe (PID: 2336)
      • EQNEDT32.EXE (PID: 2512)
      • cmd.exe (PID: 2936)
      • help.exe (PID: 3876)
    • Uses TASKKILL.EXE to kill Office Apps
      • cmd.exe (PID: 2936)
    • Application launched itself
      • cmd.exe (PID: 2936)
      • exe.exe (PID: 3192)
    • Uses REG.EXE to modify Windows registry
      • cmd.exe (PID: 2936)
      • cmd.exe (PID: 3944)
      • cmd.exe (PID: 3804)
      • cmd.exe (PID: 2324)
      • cmd.exe (PID: 1776)
      • cmd.exe (PID: 3764)
      • cmd.exe (PID: 3432)
      • cmd.exe (PID: 2708)
      • cmd.exe (PID: 3268)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2964)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2964)
    • Application was crashed
      • EQNEDT32.EXE (PID: 2512)
Malware configuration: none extracted.
Total processes: 72
Monitored processes: 36
Malicious processes: 4
Suspicious processes: 0

Behavior graph (the 36 monitored processes in start order):

winword.exe, cmd.exe, cmd.exe, cmd.exe, timeout.exe, eqnedt32.exe, exe.exe, taskkill.exe, cmd.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, exe.exe, reg.exe, help.exe, cmd.exe

Process information (10 of the 36 monitored processes are listed in this excerpt)

PID 2964
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\4878.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Microsoft Word
Exit code: 1
Version: 14.0.6024.1000

PID 2336
CMD: "C:\Windows\System32\cmd.exe" /C C:\Users\admin\AppData\Local\Temp\tAsK.bAt
Path: C:\Windows\System32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2936
CMD: C:\Windows\system32\cmd.exe /K C:\Users\admin\AppData\Local\Temp\2nd.bat
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows Command Processor
Exit code: none recorded (/K keeps this shell running after the batch finishes, so it was still alive when the analysis ended)
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3396
CMD: "C:\Windows\System32\cmd.exe" /C C:\Users\admin\AppData\Local\Temp\tAsK.bAt
Path: C:\Windows\System32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3608
CMD: TIMEOUT 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2512
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity level: MEDIUM
Description: Microsoft Equation Editor
Exit code: none recorded (the signature section records that this process crashed)
Version: 00110900
Note: the Equation Editor is started by svchost.exe through COM activation (-Embedding), not by WINWORD.EXE. There is therefore no Word -> EQNEDT32.EXE parent/child edge to alert on; a CVE-2017-11882 detection has to key on what EQNEDT32.EXE itself spawns (here, PID 3708).

PID 3192
CMD: C:\Users\admin\AppData\Local\Temp\ExE.ExE C:\Users\admin\AppData\Local\Temp\exe.exe
Path: C:\Users\admin\AppData\Local\Temp\exe.exe
Parent process: cmd.exe
User: admin
Company: BRoTHERS
Integrity level: MEDIUM
Description: BRoTHERS
Exit code: 0
Version: 7.02.0006

PID 3368
CMD: TASKKILL /F /IM winword.exe
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Terminates Processes
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3708
CMD: CmD /C %TmP%\TasK.BaT & UUUUUUUU c
Path: C:\Windows\system32\CmD.exe
Parent process: EQNEDT32.EXE
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Note: this is the command line the exploited Equation Editor executes. The mixed case (CmD, %TmP%, TasK.BaT) defeats case-sensitive string signatures, %TmP% resolves to the same Temp directory into which Word dropped task.bat, 2nd.bat and exe.exe, and the trailing "& UUUUUUUU c" is leftover buffer content that cmd.exe runs as a second command; that command fails, which is why the exit code is 1.

PID 2592
CMD: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Note: the behavior graph shows reg.exe invoked repeatedly from the batch; only this first call is captured in the excerpt. Deleting Word's Resiliency keys removes the document-recovery state Word consults on its next start, so the forced TASKKILL of WINWORD.EXE does not produce a recovery prompt that would alert the user. Exit code 1 here means the Office 8.0 key did not exist on this Office 2010 host.
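The indicators above can be reproduced from ordinary process-creation telemetry (Sysmon event 1, EDR process events) without the sandbox. The following is an added example written for this page, not ANY.RUN's signature code. The EVENTS list is constructed from the PIDs, parents and command lines in the table above; the field names pid, image, parent_image and cmdline are an assumed telemetry schema. The CVE-2017-11882 rule keys on EQNEDT32.EXE as the parent, because the table shows the Equation Editor itself is started by svchost.exe, so no Word -> EQNEDT32.EXE edge exists to match on. Command lines are normalised (lower-cased, %TMP%/%TEMP% and the literal Temp path folded together) so the mixed-case "CmD /C %TmP%\TasK.BaT" is caught by the same rule as the plain form.

```python
"""Process-tree rules for the Office / Equation Editor / cmd.exe chain.

Added example for this report; the schema below is an assumption, not
ANY.RUN's export format.  Input: a list of process-creation events as dicts
with keys pid, image, parent_image, cmdline.  Output: (rule, pid) findings.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Fold %TMP%, %TEMP% and the expanded per-user Temp path into one token so
# "%TmP%\TasK.BaT" and "C:\Users\admin\AppData\Local\Temp\task.bat" compare equal.
TEMP_RE = re.compile(r"%tmp%|%temp%|c:\\users\\[^\\]+\\appdata\\local\\temp")
# Script file launched from Temp (the "&" exclusion stops at cmd's command separator).
SCRIPT_RE = re.compile(r'%temp%\\[^\s"&]+\.(bat|cmd|vbs|js|sct)\b')
# Executable whose image lives in Temp (command line starts with the Temp path).
EXE_RE = re.compile(r'^"?%temp%\\[^\s"]+\.exe\b')
# Forced termination of an Office application by image name.
TASKKILL_RE = re.compile(r"taskkill(\.exe)?\b.*?/im\s+(winword|excel|powerpnt|outlook)\.exe")
# Removal of Word's crash-recovery bookkeeping for any Office version.
RESILIENCY_RE = re.compile(r"\breg(\.exe)?\s+delete\s+\S*\\office\\[\d.]+\\word\\resiliency")


def norm(cmdline: str) -> str:
    """Lower-case the command line and canonicalise the Temp directory."""
    return TEMP_RE.sub("%temp%", cmdline.lower())


def detect(events):
    """Return a list of (rule, pid) for every rule each event matches."""
    findings = []
    for e in events:
        image = e["image"].lower()
        parent = e["parent_image"].lower()
        cmd = norm(e["cmdline"])
        if parent == "eqnedt32.exe":                 # CVE-2017-11882 post-exploitation
            findings.append(("eqnedt32_child", e["pid"]))
        if parent in OFFICE_APPS and image in SHELLS:
            findings.append(("office_spawns_shell", e["pid"]))
        if image in SHELLS and SCRIPT_RE.search(cmd):
            findings.append(("shell_runs_temp_script", e["pid"]))
        if EXE_RE.match(cmd):
            findings.append(("temp_exe_execution", e["pid"]))
        if TASKKILL_RE.search(cmd):
            findings.append(("kills_office_app", e["pid"]))
        if RESILIENCY_RE.search(cmd):
            findings.append(("deletes_word_resiliency", e["pid"]))
    return findings


def verdict(findings) -> str:
    """Collapse findings into a verdict: any child of the Equation Editor, or an
    Office-spawned shell that goes on to run an executable from Temp, is malicious."""
    rules = {rule for rule, _ in findings}
    if "eqnedt32_child" in rules or {"office_spawns_shell", "temp_exe_execution"} <= rules:
        return "malicious"
    return "suspicious" if rules else "clean"


# Constructed from the process table above (hypothetical schema, real values).
T = "C:\\Users\\admin\\AppData\\Local\\Temp"
EVENTS = [
    dict(pid=2964, image="WINWORD.EXE", parent_image="explorer.exe",
         cmdline='"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE" /n "' + T + '\\4878.rtf"'),
    dict(pid=2336, image="cmd.exe", parent_image="WINWORD.EXE",
         cmdline='"C:\\Windows\\System32\\cmd.exe" /C ' + T + "\\tAsK.bAt"),
    dict(pid=2512, image="EQNEDT32.EXE", parent_image="svchost.exe",
         cmdline='"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" -Embedding'),
    dict(pid=3708, image="CmD.exe", parent_image="EQNEDT32.EXE",
         cmdline="CmD /C %TmP%\\TasK.BaT & UUUUUUUU c"),
    dict(pid=2936, image="cmd.exe", parent_image="cmd.exe",
         cmdline="C:\\Windows\\system32\\cmd.exe /K " + T + "\\2nd.bat"),
    dict(pid=3608, image="timeout.exe", parent_image="cmd.exe", cmdline="TIMEOUT 1"),
    dict(pid=3368, image="taskkill.exe", parent_image="cmd.exe", cmdline="TASKKILL /F /IM winword.exe"),
    dict(pid=2592, image="reg.exe", parent_image="cmd.exe",
         cmdline="reg delete HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\8.0\\Word\\Resiliency /f"),
    dict(pid=3192, image="exe.exe", parent_image="cmd.exe",
         cmdline=T + "\\ExE.ExE " + T + "\\exe.exe"),
]

if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, pid in found:
        print(f"{rule:24s} PID {pid}")
    print("verdict:", verdict(found))
```

Run against the constructed events this yields eight findings (PID 3708 is flagged both as an Equation Editor child and as a shell running a script from Temp) and the verdict "malicious"; feeding only the WINWORD.EXE launch event yields "clean", which is the point: Word opening an .rtf is not the signal, what its environment spawns is.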
Total events: 643
Read events: 620
Write events: 20
Delete events: 3

Modification events

All captured modification events belong to WINWORD.EXE (PID 2964). The Resiliency\StartupItems writes are Word's own document-recovery bookkeeping, the same key family that the dropped batch later removes with reg.exe.

Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: e`?
Value: 65603F00940B0000010000000000000000000000

Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: WORDFiles
Value: 1300627479

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1300627600

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1300627601

Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation: write
Name: MTTT
Value: 940B00005ED451D62D8DD40100000000

Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: .b?
Value: 2E623F00940B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: delete value
Name: .b?
Value: 2E623F00940B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0
Executable files: 1
Suspicious files: 2
Text files: 3
Unknown types: 3

Dropped files

PID 2964, WINWORD.EXE
File: C:\Users\admin\AppData\Local\Temp\CVRA8D6.tmp.cvr
Type: (empty in report)
MD5: (empty in report)
SHA256: (empty in report)

PID 2964, WINWORD.EXE
File: C:\Users\admin\AppData\Local\Temp\task.bat
Type: (empty in report)
MD5: (empty in report)
SHA256: (empty in report)

PID 2964, WINWORD.EXE
File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C6D167F7-FCB2-45DA-964E-E06951D19568}.tmp
Type: binary
MD5: 4806FBB9076109B3B65745B4880BAD59
SHA256: DCA169FF0B14A55D084CC019E751C1AD417902BDCC53E55BE25E384752C1E0F0

PID 2964, WINWORD.EXE
File: C:\Users\admin\AppData\Local\Temp\decoy.doc
Type: image
MD5: 0527182A4A0A90CF60EDBD78B3258CC5
SHA256: 708CF211951F86F8D3A8EF977EBE12FF4442CFD95A831D9EA53859BA48BB4760

PID 2964, WINWORD.EXE
File: C:\Users\admin\AppData\Local\Temp\inteldriverupd1.sct
Type: xml
MD5: 8DECDCAEB92D9F628B6BF95DE4C0597A
SHA256: E4F6B9DEF338FE9ACA9E8796E79C58C5E42168E697C41BFE149946513765036E
Note: .sct is the extension of a Windows Script Component (XML scriptlet); no process in this excerpt is seen loading it.

PID 2964, WINWORD.EXE
File: C:\Users\admin\AppData\Local\Temp\~$4878.rtf
Type: pgc
MD5: B4B75A84C7F264E8706FC0AC40065000
SHA256: A1B3BBBE35AF8A8C7DCF290E816166D8FD022854C94698EE0A549E1E574C1FAD

PID 2964, WINWORD.EXE
File: C:\Users\admin\AppData\Local\Temp\2nd.bat
Type: text
MD5: 57FF2666BFC47C63E05D5C182B0F89F3
SHA256: 74249727C5D760E91B9277BE58B45A03FD89A587CC19E0B42503B50DB2E00356

PID 2964, WINWORD.EXE
File: C:\Users\admin\AppData\Local\Temp\exe.exe
Type: executable
MD5: F9331B6D430F7BB7832A8F25CBA17E03
SHA256: 577FD84B3582281CB3D5EFB235A4A29FEE63F7B8D484A0F900D2EA7F4AEF7FD3

PID 3192, exe.exe
File: C:\Users\admin\AppData\Local\Temp\~DF03155A47DC7CFB28.TMP
Type: binary
MD5: D00505E7C0BA985522356D318818CE69
SHA256: ADEDCA05F35DAE8E5EC0F429978E7F22A0AB0D05E27639D214C100B5DD4B39F8

PID 2964, WINWORD.EXE
File: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: C9005899C42F58E9E7C96DCB3A5EE8E3
SHA256: BAAA4B86601B2CDBDAF8C9D3F3076A6A57EBB0E5FFD49CF53E039A90105750E4
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain: www.tkgxim.men
IP: (empty in report)
Reputation: unknown

The only network indicator in this run is a single DNS query with no follow-on connection, so no payload download or check-in was observed; treat the domain as an IOC, but do not assume the observed behaviour is the complete chain.

Threats

No threats detected

Debug info: none