File name:

PO.doc

Full analysis: https://app.any.run/tasks/d871c340-eaaf-4731-980a-af2719e1f4bf
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 08:48:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
exploit
cve-2017-11882
rat
azorult
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

8A2325E7F1446F5204B2B838584DBE8A

SHA1:

D00A92AC5B488D28C5677651D94077AB2FBD370B

SHA256:

C5A2E16C54143D39709187E53EC5196587EB004D64F0D3AEFF35BC61F123279E

SSDEEP:

12288:GxvA3pjJx7BC0zqE5JB2Oo83D34CAlM+yhz0pfS4Xpl6kJIzau81m+l06jqf:Q43prBtbFD4BA0g4Xpl6kJIzV81Fmjf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2176)

    • Application was dropped or rewritten from another process

      • jkfnfjp.exe (PID: 2252)
      • jkfnfjp.exe (PID: 2888)

    • Changes settings of System certificates

      • jkfnfjp.exe (PID: 2888)

    • Connects to CnC server

      • jkfnfjp.exe (PID: 2888)

    • AZORULT was detected

      • jkfnfjp.exe (PID: 2888)

  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 2176)

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 2176)
      • jkfnfjp.exe (PID: 2888)

    • Reads Internet Cache Settings

      • EQNEDT32.EXE (PID: 2176)
      • jkfnfjp.exe (PID: 2888)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2176)

    • Application launched itself

      • jkfnfjp.exe (PID: 2252)

    • Adds / modifies Windows certificates

      • jkfnfjp.exe (PID: 2888)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2100)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe jkfnfjp.exe no specs #AZORULT jkfnfjp.exe

Process information

PID
CMD
Path
Indicators
Parent process
2100"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\PO.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
2176"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2252C:\Users\admin\AppData\Roaming\jkfnfjp.exeC:\Users\admin\AppData\Roaming\jkfnfjp.exeEQNEDT32.EXE
User:
admin
Company:
RSA Security
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\roaming\jkfnfjp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2888C:\Users\admin\AppData\Roaming\jkfnfjp.exeC:\Users\admin\AppData\Roaming\jkfnfjp.exe
jkfnfjp.exe
User:
admin
Company:
RSA Security
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\system32\msvbvm60.dll
c:\users\admin\appdata\roaming\jkfnfjp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events
1 488
Read events
760
Write events
587
Delete events
141

Modification events

(PID) Process:(2100) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:0l"
Value:
306C220034080000010000000000000000000000
(PID) Process:(2100) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2100) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2100) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2100) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2100) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2100) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2100) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2100) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2100) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
2
Suspicious files
6
Text files
5
Unknown types
6

Dropped files

PID
Process
Filename
Type
2100WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRAC10.tmp.cvr
MD5:
SHA256:
2176EQNEDT32.EXEC:\Users\admin\AppData\Local\Temp\CabDD71.tmp
MD5:
SHA256:
2176EQNEDT32.EXEC:\Users\admin\AppData\Local\Temp\TarDD72.tmp
MD5:
SHA256:
2888jkfnfjp.exeC:\Users\admin\AppData\Local\Temp\CabEBE8.tmp
MD5:
SHA256:
2888jkfnfjp.exeC:\Users\admin\AppData\Local\Temp\TarEBE9.tmp
MD5:
SHA256:
2100WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:
SHA256:
2100WINWORD.EXEC:\Users\admin\Desktop\~$PO.doc.rtfpgc
MD5:
SHA256:
2888jkfnfjp.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6Fbinary
MD5:
SHA256:
2888jkfnfjp.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203der
MD5:
SHA256:
2176EQNEDT32.EXEC:\Users\admin\AppData\Roaming\jkfnfjp.exeexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
11
DNS requests
6
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2888
jkfnfjp.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D
US
der
1.47 Kb
whitelisted
1052
svchost.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
1052
svchost.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEA7yTSbUNi7CXXtef0luXqk%3D
US
der
279 b
whitelisted
2888
jkfnfjp.exe
POST
400
103.253.212.238:443
http://bprbalidananiaga.co.id:443/linkbaba/PL341/index.php
ID
html
483 b
malicious
2888
jkfnfjp.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2176
EQNEDT32.EXE
172.67.217.188:80
readcivil.com
US
malicious
2176
EQNEDT32.EXE
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2176
EQNEDT32.EXE
172.67.217.188:443
readcivil.com
US
malicious
2888
jkfnfjp.exe
13.107.42.13:443
onedrive.live.com
Microsoft Corporation
US
malicious
2888
jkfnfjp.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2888
jkfnfjp.exe
13.107.42.12:443
ss3siw.bl.files.1drv.com
Microsoft Corporation
US
suspicious
1052
svchost.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2888
jkfnfjp.exe
103.253.212.238:443
bprbalidananiaga.co.id
Rumahweb Indonesia CV.
ID
malicious

DNS requests

Domain
IP
Reputation
readcivil.com
  • 172.67.217.188
  • 104.18.42.26
  • 104.18.43.26
malicious
ocsp.digicert.com
  • 93.184.220.29
whitelisted
onedrive.live.com
  • 13.107.42.13
shared
ss3siw.bl.files.1drv.com
  • 13.107.42.12
whitelisted
bprbalidananiaga.co.id
  • 103.253.212.238
malicious

Threats

PID
Process
Class
Message
2176
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
2888
jkfnfjp.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
2888
jkfnfjp.exe
A Network Trojan was detected
ET TROJAN Win32/AZORult V3.3 Client Checkin M2
2888
jkfnfjp.exe
A Network Trojan was detected
STEALER [PTsecurity] AZORult
2888
jkfnfjp.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
PO.doc