analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

2020 changing.rtf

Full analysis: https://app.any.run/tasks/5e3fcba8-7486-485e-b646-674b0e9abb1e
Verdict: Malicious activity
Analysis date: February 21, 2020, 19:11:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, ANSI
MD5:

DDD16573305B56DF277078FF605A167C

SHA1:

7424BA298AE218B4E3C8619673CF8975604CF622

SHA256:

AA40F830AEA68D7BD45D15CC9FB0396F107C373B0933D02D4B518F75C3AF0D4A

SSDEEP:

48:MUK2kJfM4m6qQrMrdYSDMMsUn6dDB9QmUCOve0Dvi5xEr+2:MxfMYrMrdHDMInWl9FUg02GC2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executed via COM

      • iexplore.exe (PID: 3620)

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 2952)

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 2952)

    • Reads internet explorer settings

      • WINWORD.EXE (PID: 2952)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2952)
      • iexplore.exe (PID: 3716)
      • iexplore.exe (PID: 2916)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2952)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3620)
      • iexplore.exe (PID: 3716)
      • iexplore.exe (PID: 2916)

    • Changes internet zones settings

      • iexplore.exe (PID: 3620)

    • Application launched itself

      • iexplore.exe (PID: 3620)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2916)
      • iexplore.exe (PID: 3716)
      • iexplore.exe (PID: 256)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3716)
      • iexplore.exe (PID: 2916)
      • iexplore.exe (PID: 3620)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3620)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
5
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe iexplore.exe iexplore.exe no specs iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2952"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2020 changing.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3620"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
256"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3620 CREDAT:144385 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3716"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3620 CREDAT:333058 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2916"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3620 CREDAT:464132 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
6 657
Read events
2 194
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
44
Text files
98
Unknown types
30

Dropped files

PID
Process
Filename
Type
2952WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6C20.tmp.cvr
MD5:
SHA256:
2952WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Cab9331.tmp
MD5:
SHA256:
2952WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Tar9341.tmp
MD5:
SHA256:
3716iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabA4A5.tmp
MD5:
SHA256:
3716iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarA4A6.tmp
MD5:
SHA256:
2952WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF9BB6852C7D1AA976.TMP
MD5:
SHA256:
2952WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6der
MD5:0BF8CA519A1BB579E8672DCABC168EB6
SHA256:A843073F747AF0B48EFC63531005E73D361EE3A5D7C156EC44E29CEF803BB6EF
2952WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:FDB454671CF94C339D382326FF217F5F
SHA256:0006183F10565E32577160BB6D708D854F1A0474FFDE542453A03A028F6B7ACD
3716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DATsmt
MD5:4A94F08FB4A765EDCC2875EBB60D3960
SHA256:69722B3609733957B9D7D3AB98B9B3F0A352A8E4DCABF4D8ED32CAE77A2DEB68
2952WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\en[1].htmhtml
MD5:890EDE9328886FEDCF789F488B0C6CD3
SHA256:3378D30123515C76BE05ADCCD9C69F0C4EE1E0FF420DB50EB605F7ECC0CBC362
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
73
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2952
WINWORD.EXE
GET
301
152.199.16.36:80
http://www.starcruises.com/lt/en
US
whitelisted
2952
WINWORD.EXE
GET
301
152.199.16.36:80
http://www.starcruises.com/
US
whitelisted
2952
WINWORD.EXE
GET
301
152.199.16.36:80
http://www.starcruises.com/sg/en
US
whitelisted
3716
iexplore.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
3716
iexplore.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCv2pgtDmXnZAgAAAAALnDT
US
der
472 b
whitelisted
3716
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
3716
iexplore.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCgdZM8AVzzKAgAAAAALnDU
US
der
472 b
whitelisted
2952
WINWORD.EXE
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D
US
der
471 b
whitelisted
3716
iexplore.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCgdZM8AVzzKAgAAAAALnDU
US
der
472 b
whitelisted
3716
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2952
WINWORD.EXE
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2952
WINWORD.EXE
152.199.16.36:443
www.starcruises.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2916
iexplore.exe
152.199.16.36:443
www.starcruises.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2952
WINWORD.EXE
152.199.16.36:80
www.starcruises.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3716
iexplore.exe
152.199.16.36:443
www.starcruises.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3716
iexplore.exe
52.74.87.144:443
media.starcruises.com
Amazon.com, Inc.
SG
unknown
3716
iexplore.exe
172.217.22.14:443
www.google-analytics.com
Google Inc.
US
whitelisted
3716
iexplore.exe
172.217.22.40:443
www.googletagmanager.com
Google Inc.
US
whitelisted
3716
iexplore.exe
185.60.216.19:443
connect.facebook.net
Facebook, Inc.
IE
whitelisted
3716
iexplore.exe
74.125.140.156:443
stats.g.doubleclick.net
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.starcruises.com
  • 152.199.16.36
unknown
ocsp.digicert.com
  • 93.184.220.29
whitelisted
media.starcruises.com
  • 52.74.87.144
unknown
www.google-analytics.com
  • 172.217.22.14
whitelisted
www.googletagmanager.com
  • 172.217.22.40
whitelisted
ocsp.pki.goog
  • 172.217.16.131
whitelisted
connect.facebook.net
  • 185.60.216.19
whitelisted
s.yimg.com
  • 87.248.118.23
  • 87.248.118.22
shared
cdn-akamai.mookie1.com
  • 23.61.210.48
whitelisted
d.line-scdn.net
  • 72.247.224.171
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2020 changing.rtf