analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

z3r0.rtf

Full analysis: https://app.any.run/tasks/3d049e31-eecf-46f1-836e-5ec0153b7fee
Verdict: Malicious activity
Analysis date: November 08, 2019, 14:24:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CR, LF line terminators
MD5:

5858B1C68C8A91C565E875E3492EDD49

SHA1:

48B8DF7B68BA004E67AD5F4C8A0E9215F632AB04

SHA256:

B5572ED87256F85CC663EDBE6884820AC35AFFECD16891F28EC6A8817D1A2F88

SSDEEP:

48:5fU5NncuBCnb5S2vw3xMa279j+J5ffRKVr9z9UyDW3SkSNmhmXmw9sv5:NaBCnLvwWxBCRKVJzuyDW3SkuOmsv5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • Setup.exe (PID: 992)
      • EQNEDT32.EXE (PID: 1788)
      • EQNEDT32.EXE (PID: 2908)
      • WerFault.exe (PID: 2456)
      • WerFault.exe (PID: 2500)
      • WINWORD.EXE (PID: 2816)
      • svchost.exe (PID: 904)
      • explorer.exe (PID: 1936)

    • Application was dropped or rewritten from another process

      • EQNEDT32.EXE (PID: 2908)
      • EQNEDT32.EXE (PID: 1788)
      • msohtmed.exe (PID: 1012)
      • msohtmed.exe (PID: 564)

  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 1788)
      • EQNEDT32.EXE (PID: 2908)
      • Setup.exe (PID: 992)

    • Creates files in the user directory

      • explorer.exe (PID: 1936)

    • Executable content was dropped or overwritten

      • Setup.exe (PID: 992)
      • MsiExec.exe (PID: 1364)
      • MsiExec.exe (PID: 2288)
      • MsiExec.exe (PID: 1832)
      • msiexec.exe (PID: 1472)
      • MsiExec.exe (PID: 2528)
      • MsiExec.exe (PID: 1928)
      • MsiExec.exe (PID: 2972)
      • MsiExec.exe (PID: 1504)
      • MsiExec.exe (PID: 312)
      • MsiExec.exe (PID: 2564)

    • Reads the machine GUID from the registry

      • Setup.exe (PID: 992)
      • msiexec.exe (PID: 1472)
      • MsiExec.exe (PID: 1364)
      • MsiExec.exe (PID: 2632)
      • MsiExec.exe (PID: 2288)
      • MsiExec.exe (PID: 1832)
      • MsiExec.exe (PID: 2784)
      • MsiExec.exe (PID: 2356)
      • MsiExec.exe (PID: 2944)
      • MsiExec.exe (PID: 2528)
      • MsiExec.exe (PID: 2700)
      • MsiExec.exe (PID: 1928)
      • MsiExec.exe (PID: 2972)
      • MsiExec.exe (PID: 2660)
      • MsiExec.exe (PID: 312)
      • MsiExec.exe (PID: 2768)
      • MsiExec.exe (PID: 1504)
      • MsiExec.exe (PID: 2376)
      • MsiExec.exe (PID: 2564)
      • MsiExec.exe (PID: 480)
      • addinutil.exe (PID: 2440)
      • addinutil.exe (PID: 2672)

    • Searches for installed software

      • Setup.exe (PID: 992)

    • Creates files in the Windows directory

      • msiexec.exe (PID: 1472)

    • Creates COM task schedule object

      • msohtmed.exe (PID: 1012)
      • msiexec.exe (PID: 1472)
      • msohtmed.exe (PID: 564)

    • Starts Microsoft Office Application

      • msiexec.exe (PID: 1472)

    • Modifies the open verb of a shell class

      • msiexec.exe (PID: 1472)

    • Removes files from Windows directory

      • msiexec.exe (PID: 1472)

  • INFO

    • Application was crashed

      • EQNEDT32.EXE (PID: 1788)
      • EQNEDT32.EXE (PID: 2908)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2816)

    • Starts Microsoft Office Application

      • explorer.exe (PID: 1936)

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 2816)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2816)
      • Setup.exe (PID: 992)
      • msiexec.exe (PID: 1472)
      • msohtmed.exe (PID: 1012)
      • MsiExec.exe (PID: 2564)
      • msohtmed.exe (PID: 564)

    • Reads settings of System Certificates

      • Setup.exe (PID: 992)

    • Loads dropped or rewritten executable

      • msiexec.exe (PID: 1472)
      • MsiExec.exe (PID: 2632)
      • MsiExec.exe (PID: 1364)
      • MsiExec.exe (PID: 2784)
      • MsiExec.exe (PID: 1684)
      • MsiExec.exe (PID: 1832)
      • MsiExec.exe (PID: 2944)
      • MsiExec.exe (PID: 2260)
      • MsiExec.exe (PID: 2528)
      • MsiExec.exe (PID: 2356)
      • MsiExec.exe (PID: 2288)
      • MsiExec.exe (PID: 1092)
      • MsiExec.exe (PID: 2932)
      • MsiExec.exe (PID: 2660)
      • MsiExec.exe (PID: 2972)
      • MsiExec.exe (PID: 2488)
      • MsiExec.exe (PID: 3048)
      • MsiExec.exe (PID: 2700)
      • MsiExec.exe (PID: 1928)
      • MsiExec.exe (PID: 2608)
      • MsiExec.exe (PID: 1504)
      • MsiExec.exe (PID: 312)
      • MsiExec.exe (PID: 2768)
      • MsiExec.exe (PID: 2376)
      • MsiExec.exe (PID: 2552)
      • MsiExec.exe (PID: 2564)
      • MsiExec.exe (PID: 480)
      • MsiExec.exe (PID: 1772)
      • MsiExec.exe (PID: 1836)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 1472)

    • Creates files in the program directory

      • MsiExec.exe (PID: 2632)
      • MsiExec.exe (PID: 2784)
      • msiexec.exe (PID: 1472)
      • MsiExec.exe (PID: 2356)
      • MsiExec.exe (PID: 2944)
      • MsiExec.exe (PID: 2660)
      • MsiExec.exe (PID: 2700)
      • MsiExec.exe (PID: 2768)
      • MsiExec.exe (PID: 2376)
      • MsiExec.exe (PID: 480)

    • Application launched itself

      • msiexec.exe (PID: 1472)

    • Dropped object may contain Bitcoin addresses

      • msiexec.exe (PID: 1472)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 1472)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 1472)

    • Manual execution by user

      • IMEKLMG.EXE (PID: 2968)
      • runonce.exe (PID: 2112)
      • IMEKLMG.EXE (PID: 1376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
51
Malicious processes
7
Suspicious processes
3

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs eqnedt32.exe eqnedt32.exe setup.exe msiexec.exe msiexec.exe msiexec.exe no specs msiexec.exe no specs werfault.exe no specs werfault.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe no specs msohtmed.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe no specs msohtmed.exe no specs msiexec.exe no specs svchost.exe explorer.exe no specs msi809e.tmp no specs addinutil.exe addinutil.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs imeklmg.exe no specs imeklmg.exe no specs runonce.exe no specs imeklmg.exe no specs imeklmg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2816"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\z3r0.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
1788"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2908"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
992"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Setup Bootstrapper
Exit code:
1073807364
Version:
14.0.4755.1000
1472C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1364C:\Windows\system32\MsiExec.exe -Embedding 9FC01BC9E90E1CD9A7A08127AD00BBCFC:\Windows\system32\MsiExec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
124C:\Windows\syswow64\MsiExec.exe -Embedding 2429B2E20F24DB52ED6E71202754B6BAC:\Windows\syswow64\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2632C:\Windows\system32\MsiExec.exe -Embedding C1B2A60EBB73E99CD5DFBC654D71E3D9 E Global\MSI0000C:\Windows\system32\MsiExec.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2500C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 380C:\Windows\SysWOW64\WerFault.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2456C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 384C:\Windows\SysWOW64\WerFault.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
35 846
Read events
22 818
Write events
0
Delete events
0

Modification events

No data
Executable files
402
Suspicious files
47
Text files
75
Unknown types
159

Dropped files

PID
Process
Filename
Type
2816WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR5011.tmp.cvr
MD5:
SHA256:
2500WerFault.exeC:\Users\admin\AppData\Local\Temp\WER6CB3.tmp.hdmp
MD5:
SHA256:
2500WerFault.exeC:\Users\admin\AppData\Local\Temp\WER6D8F.tmp.mdmp
MD5:
SHA256:
904svchost.exeC:\Windows\appcompat\programs\RecentFileCache.bcftxt
MD5:1F4EA661D0A10D6E1ACEFD5A096068AA
SHA256:71B9C6D945F9A9F4E0AA7FC26271CBE2B909C22BAFEF1845A480C0AD040E4432
2456WerFault.exeC:\Users\admin\AppData\Local\Temp\WERFB58.tmp.mdmp
MD5:
SHA256:
2500WerFault.exeC:\Users\admin\AppData\Local\Temp\WER6CA2.tmp.WERInternalMetadata.xmlxml
MD5:FE9482BD5D96FC6A0914FB6A739A5236
SHA256:D3F7590BB0E63E55664CCBEEC888DE825DA33BD130740626077E1C29A98584E2
2816WINWORD.EXEC:\Users\admin\Desktop\~$z3r0.rtfpgc
MD5:B681B4FC9F55778FF5CF57A99ADB8993
SHA256:EE2583E7F1550089BFE9FA42BAAEEA8385D1E6AD4F2B97E2234944F0C348259D
2500WerFault.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_67557343b893ec8761487d58d5a5eebb314b7_cab_09d56dda\WER6CA2.tmp.WERInternalMetadata.xmlxml
MD5:FE9482BD5D96FC6A0914FB6A739A5236
SHA256:D3F7590BB0E63E55664CCBEEC888DE825DA33BD130740626077E1C29A98584E2
1936explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-msautomaticdestinations-ms
MD5:7FFED926DF324BEACC2688E67CD177FE
SHA256:34CC28B76C6F62634864BED6AD1680E950ACC819F141FC32C32D41612FDF037F
1936explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\44a3621b32122d64.automaticDestinations-msautomaticdestinations-ms
MD5:EF91D819A1FF1D34ABBE52DCBDB53565
SHA256:861AC578BD3A8E65666B425D3C41C4FC87F70FB49298C8CF59BEE787057DA7F8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
teredo.ipv6.microsoft.com
whitelisted

Threats

No threats detected
Process
Message
msiexec.exe
Failed to release Service
msiexec.exe
Failed to release Service
addinutil.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
addinutil.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
addinutil.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
addinutil.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
z3r0.rtf