File name: bd1e7b42a9c265266b8cc5cc966470497c4f9cba2b247d1f036b6b3892106b52

Full analysis: https://app.any.run/tasks/7ebc0e6f-5295-4b33-96e6-3fa33a837054
Verdict: Malicious activity
Analysis date: April 23, 2019, 16:52:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, exploit, CVE-2017-11882
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, ANSI
MD5: 07544892999B91AE2C9280D8EE3C663A
SHA1: 28531BCFAAD25A5B1230F60F243CE617B6C237D2
SHA256: BD1E7B42A9C265266B8CC5CC966470497C4F9CBA2B247D1F036B6B3892106B52
SSDEEP: 6144:gMnuUcvfZBaRCS1ubJ7aSRq8aV4RaGBbK6nQNQZNOyqVQSNyolVOEc2xvAk1A2CR:1uXnZBeC9+8aV4VDQa6yqY8qPzky

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • ScnCfg.exe (PID: 4064)
    • Application was dropped or rewritten from another process
      • ScnCfg.exe (PID: 4064)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 368)
    • Changes the autorun value in the registry
      • ScnCfg.exe (PID: 4064)
  • SUSPICIOUS
    • Creates files in the user directory
      • EQNEDT32.EXE (PID: 3920)
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 3920)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2172)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2172)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

InternalVersionNumber: 24689
CharactersWithSpaces: 3570
Characters: 3044
Words: 533
Pages: 2
TotalEditTime: 5 minutes
RevisionNumber: 2
ModifyDate: 2018:01:17 09:09:00
CreateDate: 2018:01:17 09:04:00
LastModifiedBy: Windows User
Author: Windows User
Upr: {C¨¢c d? ¨¢n ?ng ph¨® bi?n ??i kh¨ª h?u: G?p nhi?u v??ng m?c}{*{C¨¢c d{ự ¨¢n ứng ph¨® biến đổi kh¨ª hậu: Gặp nhiều vướng mắc}}}
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Graph nodes: start; winword.exe (no specs); eqnedt32.exe (no specs); eqnedt32.exe; eqnedt32.exe (no specs); scncfg.exe

Process information

PID: 2172
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\bd1e7b42a9c265266b8cc5cc966470497c4f9cba2b247d1f036b6b3892106b52.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 368
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 3920
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: EQNEDT32.EXE
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 1
Version: 00110900

PID: 2660
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 4064
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\ScnCfg.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\ScnCfg.exe
Parent process: explorer.exe
User: admin
Company: McAfee, Inc.
Integrity Level: MEDIUM
Description: VirusScan On-Demand Scan Task Properties
Version: 8.8.0.777
Total events: 1 463
Read events: 1 066
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 1
Text files: 0
Unknown types: 3

Dropped files

PID: 2172 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVR2EDD.tmp.cvr
MD5:
SHA256:

PID: 2172 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\8.t
Type: binary
MD5: 4DC172D1B1A23B23A310E48CBEB1880B
SHA256: 5CF920CDE20DB05C065645A633095BABA1B335E82F8AB7FD07EE20CA6EF174AA

PID: 2172 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: E0A6D871DF9AF8A843020CC2FC70CA4E
SHA256: 33FAFDD37700ECE853AC83901FBEAB68A9A8E725B6B27DF6C65EDBF64767BE47

PID: 3920 (EQNEDT32.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\vsodscpl.dll
Type: executable
MD5: 91A650700F19249EF5183737689B2A26
SHA256: FFA2B23F6B6B7941D6CD1D410FF232F3B218BDE667CAAEDF7E20B3CD37A489E8

PID: 3920 (EQNEDT32.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\ScnCfg.exe
Type: executable
MD5: BD19302A58133803622E119080A5CEDA
SHA256: 77361B1CA09D6857D68CEA052A0BB857E03D776D3E1943897315A80A19F20FC2

PID: 3920 (EQNEDT32.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Chrome.lnk
Type: lnk
MD5: CAE5527B17AE49E3A0F8316752C70261
SHA256: A47B843751D340A79652E7F519821C7B636CD66450DC30D47FB853C356718887

PID: 2172 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\~$1e7b42a9c265266b8cc5cc966470497c4f9cba2b247d1f036b6b3892106b52.rtf
Type: pgc
MD5: 2C3B68BB8CFE4392851A5B4DA5C1C35B
SHA256: D38321FB2E5CF596500B811824ECEF63E7B756F6184DFE4F23996DEFB3481FE4
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests

PID: 4064 (ScnCfg.exe)
Method: GET
HTTP Code:
IP: 130.255.184.38:443
URL: http://chip.pringleas.com:443/366727331E6677377B626111000504057000780C0000000E00003336363732373333314536363737333700555345522D5043000000000000000000000000000000000000000000000057696E3720537031207838360000000000000000000000000000000000000461646D696E0000000000000000000000000000000000000000000000000001000000020000003139322E3136382E3130302E31383800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000323031372D30362D3238000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
CN: DE
Type:
Size:
Reputation: malicious

Connections

PID: 4064 (ScnCfg.exe)
IP: 130.255.184.38:80
Domain: chip.pringleas.com
ASN: Bradler & Krantz GmbH & Co. KG
CN: DE
Reputation: malicious

PID: 4064 (ScnCfg.exe)
IP: 130.255.184.38:8001
Domain: chip.pringleas.com
ASN: Bradler & Krantz GmbH & Co. KG
CN: DE
Reputation: malicious

PID: 4064 (ScnCfg.exe)
IP: 130.255.184.38:443
Domain: chip.pringleas.com
ASN: Bradler & Krantz GmbH & Co. KG
CN: DE
Reputation: malicious

DNS requests

Domain: chip.pringleas.com
IP: 130.255.184.38
Reputation: malicious

Domain: dns.msftncsi.com
IP: 131.107.255.255
Reputation: shared

Threats

No threats detected
No debug info