analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ORDER NO93829.doc

Full analysis: https://app.any.run/tasks/2cf1a909-6613-43d0-8895-fd06a9c2a1d4
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: November 15, 2018, 10:54:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
rat
remcos
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

B4944E75DEF86A11F76E8E2EAF0D5F07

SHA1:

65D18EDC5461E038FF0A61EC8F115580944E187E

SHA256:

B9A877B5ED9D75CC9B44D638B322EB1B359CB0037EB4A465DF81CFF45B329449

SSDEEP:

6144:F7uMqOFvwOEYWWA4mpynUMo/jrWWeArRR:FyY5t7myxrWPRR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3944)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3944)
    • Application was dropped or rewritten from another process

      • math_igfxi.exe (PID: 3136)
      • datetimer.exe (PID: 3868)
      • datetimer.exe (PID: 940)
    • Changes the autorun value in the registry

      • WScript.exe (PID: 2116)
    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3944)
    • REMCOS RAT was detected

      • datetimer.exe (PID: 940)
  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3944)
    • Executes scripts

      • math_igfxi.exe (PID: 3136)
    • Starts itself from another location

      • math_igfxi.exe (PID: 3136)
    • Executable content was dropped or overwritten

      • math_igfxi.exe (PID: 3136)
      • EQNEDT32.EXE (PID: 3944)
    • Application launched itself

      • datetimer.exe (PID: 3868)
    • Uses RUNDLL32.EXE to load library

      • control.exe (PID: 2828)
    • Connects to unusual port

      • datetimer.exe (PID: 940)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1308)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1308)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
9
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs eqnedt32.exe math_igfxi.exe wscript.exe datetimer.exe no specs #REMCOS datetimer.exe control.exe no specs rundll32.exe no specs timedate.cpl no specs

Process information

PID
CMD
Path
Indicators
Parent process
1308"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ORDER NO93829.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3944"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3136C:\Users\admin\AppData\Roaming\math_igfxi.exeC:\Users\admin\AppData\Roaming\math_igfxi.exe
EQNEDT32.EXE
User:
admin
Company:
RAPPELLED
Integrity Level:
MEDIUM
Description:
Outheart
Exit code:
0
Version:
6.07
2116"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\datetimer\datetimer.vbs" C:\Windows\System32\WScript.exe
math_igfxi.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3868"C:\Users\admin\AppData\Local\Temp\datetimer\datetimer.exe" C:\Users\admin\AppData\Local\Temp\datetimer\datetimer.exemath_igfxi.exe
User:
admin
Company:
RAPPELLED
Integrity Level:
MEDIUM
Description:
Outheart
Exit code:
0
Version:
6.07
940C:\Users\admin\AppData\Local\Temp\datetimer\datetimer.exe" C:\Users\admin\AppData\Local\Temp\datetimer\datetimer.exe
datetimer.exe
User:
admin
Company:
RAPPELLED
Integrity Level:
MEDIUM
Description:
Outheart
Version:
6.07
2828"C:\Windows\System32\control.exe" "C:\Windows\system32\timedate.cpl",C:\Windows\System32\control.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Control Panel
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2052"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\timedate.cpl",C:\Windows\system32\rundll32.execontrol.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3148C:\Windows\system32\DllHost.exe /Processid:{9DF523B0-A6C0-4EA9-B5F1-F4565C3AC8B8}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 520
Read events
1 160
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
2
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
1308WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9BAF.tmp.cvr
MD5:
SHA256:
1308WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:256A3EF47ED32A3D3038855D49DF0319
SHA256:151B56C71BC28DD4D752808CE3A9352E96D9FA381320511F87B327A8208F5DD0
3136math_igfxi.exeC:\Users\admin\AppData\Local\Temp\~DF41D6313C5F66603F.TMPbinary
MD5:D0348B392A3E14285332C677D63B111D
SHA256:8024D20A4F57DD970DF90241D66F2FCC32FB436A95EC70D2C7302D2A80D83802
3868datetimer.exeC:\Users\admin\AppData\Local\Temp\~DFA8F91DEF35DA3E50.TMPbinary
MD5:D0348B392A3E14285332C677D63B111D
SHA256:8024D20A4F57DD970DF90241D66F2FCC32FB436A95EC70D2C7302D2A80D83802
3136math_igfxi.exeC:\Users\admin\AppData\Local\Temp\datetimer\datetimer.exeexecutable
MD5:371903DCC4F4E414BA38B230F3D1ADBA
SHA256:444F2C0E81DE08F0A584FC505D4F68CB19489E1A54C8C0668FA8DC9A4E855A68
3944EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\hrtree[1].exeexecutable
MD5:371903DCC4F4E414BA38B230F3D1ADBA
SHA256:444F2C0E81DE08F0A584FC505D4F68CB19489E1A54C8C0668FA8DC9A4E855A68
3944EQNEDT32.EXEC:\Users\admin\AppData\Roaming\math_igfxi.exeexecutable
MD5:371903DCC4F4E414BA38B230F3D1ADBA
SHA256:444F2C0E81DE08F0A584FC505D4F68CB19489E1A54C8C0668FA8DC9A4E855A68
1308WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$DER NO93829.docpgc
MD5:340490C40D8A0726785274AB30B0CAA4
SHA256:D7A0F648E5DD35C61277968F46F757DCA927EB530DFD48CB79A07BB0A9F9CD1D
3136math_igfxi.exeC:\Users\admin\AppData\Local\Temp\datetimer\datetimer.vbstext
MD5:966CF024D791BB07E700EA00933F0EFD
SHA256:C54C0675DA3D634634A01F1B87E80D7FE914A1390432CEA2FF796F682FA2E627
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
10
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3944
EQNEDT32.EXE
GET
200
198.54.126.123:80
http://micropcsystem.com/knrt/hrtree.exe
US
executable
550 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
940
datetimer.exe
185.148.241.49:1948
Ideal Hosting Sunucu Internet Hiz. Tic. Ltd. Sti.
TR
malicious
3944
EQNEDT32.EXE
198.54.126.123:80
micropcsystem.com
Namecheap, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
micropcsystem.com
  • 198.54.126.123
malicious

Threats

PID
Process
Class
Message
3944
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info