analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

c580d77722d85238ed76689a17b0205b4d980c010bef9616b8611ffba21b142e.doc

Full analysis: https://app.any.run/tasks/c5f70ba8-778e-44e4-b313-f158d27c8288
Verdict: Malicious activity
Analysis date: June 12, 2019, 05:54:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
generated-doc
exploit
CVE-2017-11882
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

30528DC0C1E123DFF51F40301CC03204

SHA1:

398FB04CE9B2E30BCE932590E0B86B594C8A97EA

SHA256:

C580D77722D85238ED76689A17B0205B4D980C010BEF9616B8611FFBA21B142E

SSDEEP:

24576:0n41eIGgKYvdQkqmDtczpwCcN2DoE88zUgwan4ABtPJJbdH7uXP6syMWYKuxji4X:X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2108)

    • Changes the autorun value in the registry

      • EQNEDT32.EXE (PID: 3320)

    • Application was dropped or rewritten from another process

      • iassvcs.exe (PID: 3224)

    • Loads dropped or rewritten executable

      • iassvcs.exe (PID: 3224)

  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 2108)

    • Application launched itself

      • EQNEDT32.EXE (PID: 2108)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3320)

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3320)
      • iassvcs.exe (PID: 3224)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3328)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

InternalVersionNumber: 32859
CharactersWithSpaces: -
Characters: -
Words: -
Pages: 1
TotalEditTime: -
RevisionNumber: 1
ModifyDate: 2018:04:23 01:01:00
CreateDate: 2018:04:23 01:01:00
LastModifiedBy: T
Author: T
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
4
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start winword.exe eqnedt32.exe no specs eqnedt32.exe iassvcs.exe

Process information

PID
CMD
Path
Indicators
Parent process
3328"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\c580d77722d85238ed76689a17b0205b4d980c010bef9616b8611ffba21b142e.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2108"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEsvchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3320"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
EQNEDT32.EXE
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3224"C:\Users\admin\AppData\Roaming\IISWebClient\iassvcs.exe" C:\Users\admin\AppData\Roaming\IISWebClient\iassvcs.exe
EQNEDT32.EXE
User:
admin
Company:
Symantec Corporation
Integrity Level:
MEDIUM
Description:
Symantec 802.1x Supplicant
Version:
11.0.4010.7
Total events
1 438
Read events
1 084
Write events
349
Delete events
5

Modification events

(PID) Process:(3328) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:ow>
Value:
6F773E00000D0000010000000000000000000000
(PID) Process:(3328) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3328) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3328) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1321992222
(PID) Process:(3328) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1321992336
(PID) Process:(3328) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1321992337
(PID) Process:(3328) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
000D00007C08E56AE320D50100000000
(PID) Process:(3328) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:$y>
Value:
24793E00000D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3328) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:$y>
Value:
24793E00000D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3328) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
3
Suspicious files
1
Text files
0
Unknown types
3

Dropped files

PID
Process
Filename
Type
3328WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVREF3F.tmp.cvr
MD5:
SHA256:
3328WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A219C5DF.wmfwmf
MD5:82154D73906767D7B810864B32E3EBAD
SHA256:6FD66589D2ED5D42039174EA02F331F127EFEB166E61EA3558B0EA7A2B771A77
3328WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:1DBF94C52019F3FA68C5F190CC8E718C
SHA256:D3BE336F578B31B1E3E6BD5ABD73B111AB652DB1A9E30959ED3E7F3480EC098E
3320EQNEDT32.EXEC:\Users\admin\AppData\Roaming\IISWebClient\RasTls.dllexecutable
MD5:C6A73E29C770065B4911EF46285D6557
SHA256:EB0B848F18D8002AAF59FACA18B28941DF67DC46891868B96FA4DAF03018D148
3328WINWORD.EXEC:\Users\admin\AppData\Local\Temp\e.mbinary
MD5:98879AA18F90EA7008E6E4FC37CF5FEF
SHA256:9CBD76421366EEC743F78AD1A61B2F139D28BC1AB5BB315658E406B16E9D3434
3328WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$80d77722d85238ed76689a17b0205b4d980c010bef9616b8611ffba21b142e.docpgc
MD5:B45A359F80C9B79EA4A78A5077D807A1
SHA256:CB88F287FD333351A38F543F04991FE4D1D0AC1921AF7EE80443EF4CB41A740A
3320EQNEDT32.EXEC:\Users\admin\AppData\Roaming\IISWebClient\sqlite3.dllexecutable
MD5:FEE0B982AF421FF8C16C0187B376B086
SHA256:E342EEFB43249A3A1B62B8622F7C94FC391C0488BDAE7E1909E37CB125029F1C
3320EQNEDT32.EXEC:\Users\admin\AppData\Roaming\IISWebClient\iassvcs.exeexecutable
MD5:62944E26B36B1DCACE429AE26BA66164
SHA256:F9EBF6AEB3F0FB0C29BD8F3D652476CD1FE8BD9A0C11CB15C43DE33BBCE0BF68
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3224
iassvcs.exe
209.97.175.188:443
skylineqaz.crabdance.com
US
unknown

DNS requests

Domain
IP
Reputation
skylineqaz.crabdance.com
  • 209.97.175.188
unknown

Threats

No threats detected
Process
Message
WINWORD.EXE
ÿÿÿÿ
WINWORD.EXE
ÿÿÿÿ
WINWORD.EXE
WINWORD.EXE
Escape:
WINWORD.EXE
MathType
WINWORD.EXE
WINWORD.EXE
Escape:
WINWORD.EXE
ÿÿÿÿ
WINWORD.EXE
WINWORD.EXE
Escape:
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
c580d77722d85238ed76689a17b0205b4d980c010bef9616b8611ffba21b142e.doc