File name: 9892134317e1375c1bef7200b675854d.rtf
Full analysis: https://app.any.run/tasks/d4f7a9d0-528d-430d-9cbd-58b861144afa
Verdict: Malicious activity
Analysis date: May 24, 2019, 02:48:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, generated-doc
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: 9892134317E1375C1BEF7200B675854D
SHA1: 018939B2982B4BC8A50D91E39A1ED569266A486B
SHA256: CEC9252EFFD1FD99E7DB63C24DD1DCACA40DF5027FAA46E56081E52DAE96406D
SSDEEP: 1536:+rhwuzHlOQIZEr/YzpooU2mECSaTzaPECSbrcs6b4Tp6p7eacbmF0Fliy9GVdVle:+lwIipooDo3CBs6opMelVrVWKjWDBAvx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • EQNEDT32.EXE (PID: 3616)
      • WerFault.exe (PID: 2900)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 1672)
  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 3616)
  • INFO

    • Application was crashed

      • EQNEDT32.EXE (PID: 3616)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 1672)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1672)
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Author: Windows 用户 (GBK for "Windows User"; shown as "Windows Óû§" when the bytes are read as Latin-1)
LastModifiedBy: Windows 用户 (same string)
CreateDate: 2019:04:16 18:26:00
ModifyDate: 2019:04:16 18:26:00
RevisionNumber: 2
TotalEditTime: -
Pages: 1
Words: 3
Characters: 18
CharactersWithSpaces: 20
InternalVersionNumber: 49247
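The "ole-embedded" tag and the "Rich Text Format data" file info above come from the RTF's \objdata groups. The following is an added example, not code from ANY.RUN or from the sample: a minimal parser that finds \objdata groups, hex-decodes the embedded OLE 1.0 object and reports its class name, so the tag can be reproduced offline. The layout follows the RTF spec (\object, \objdata) and MS-OLEDS 2.2.5 (EmbeddedObject); the sample RTF is constructed in build_sample_rtf() and its native payload is filler (a compound-file magic plus zeros), not a real equation stream.

```python
"""Added example: locate \\objdata groups in an RTF, decode the OLE 1.0
object inside and report its class name. Not ANY.RUN code; sample is constructed."""
import binascii
import re
import struct

OLE1_VERSION = 0x00000501        # OLEVersion written by OLE 1.0 containers
FORMAT_EMBEDDED = 0x00000002     # FormatID: 2 = embedded object, 1 = linked
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file (OLE2) signature
# Class names that COM resolves to the Equation Editor server (EQNEDT32.EXE).
EQUATION_CLASSES = {"Equation.2", "Equation.3", "Equation.DSMT4"}


def find_groups(rtf: bytes, control: bytes) -> list[bytes]:
    """Return the body of every {\\*\\<control> ...} group, honouring nested braces."""
    pattern = rb"\{(?:\\\*)?\\" + re.escape(control) + rb"(?![A-Za-z])"
    bodies = []
    for m in re.finditer(pattern, rtf):
        depth, i = 1, m.end()
        while i < len(rtf) and depth:
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            i += 1
        bodies.append(rtf[m.end():i - 1])   # everything before the closing brace
    return bodies


def read_lp_string(buf: bytes, off: int) -> tuple[str, int]:
    """LengthPrefixedAnsiString: uint32 length (counting the NUL) then the bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    text = buf[off:off + n].rstrip(b"\x00").decode("latin-1")
    return text, off + n


def parse_ole1(obj: bytes) -> dict:
    """Parse an OLE 1.0 EmbeddedObject header and return what a triager needs."""
    version, fmt = struct.unpack_from("<II", obj, 0)
    if version != OLE1_VERSION:
        raise ValueError(f"unexpected OLEVersion {version:#x}")
    off = 8
    class_name, off = read_lp_string(obj, off)
    _topic, off = read_lp_string(obj, off)     # empty for embedded objects
    _item, off = read_lp_string(obj, off)
    (size,) = struct.unpack_from("<I", obj, off)
    native = obj[off + 4:off + 4 + size]
    return {
        "class_name": class_name,
        "embedded": fmt == FORMAT_EMBEDDED,
        "native_size": size,
        "is_cfb": native.startswith(CFB_MAGIC),
        "equation_editor": class_name in EQUATION_CLASSES,
    }


def scan_rtf(rtf: bytes) -> list[dict]:
    """One result per \\objdata group; malformed hex is reported, not fatal."""
    results = []
    for body in find_groups(rtf, b"objdata"):
        try:
            blob = bytes.fromhex(body.decode("ascii"))   # fromhex skips whitespace
            results.append(parse_ole1(blob))
        except (ValueError, UnicodeDecodeError, struct.error) as exc:
            results.append({"error": str(exc)})
    return results


def _lp(s: bytes) -> bytes:
    return struct.pack("<I", len(s) + 1) + s + b"\x00"


def build_sample_rtf() -> bytes:
    """Constructed sample: one embedded object whose class name is Equation.3.
    Native data is the compound-file magic followed by 24 zero bytes (filler)."""
    native = CFB_MAGIC + b"\x00" * 24
    ole1 = (struct.pack("<II", OLE1_VERSION, FORMAT_EMBEDDED)
            + _lp(b"Equation.3")
            + struct.pack("<I", 0) + struct.pack("<I", 0)   # empty TopicName, ItemName
            + struct.pack("<I", len(native)) + native)
    hexdata = binascii.hexlify(ole1)
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\n"
            b"{\\object\\objemb\\objw1440\\objh720{\\*\\objclass Equation.3}\n"
            b"{\\*\\objdata\n" + wrapped + b"\n}}\n\\par}")


if __name__ == "__main__":
    for r in scan_rtf(build_sample_rtf()):
        print(r)
```

Real samples often pad the hex with junk control words or split it oddly; this parser only tolerates whitespace, so treat an "error" entry as a reason to look harder, not as a clean result.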
Total processes
37
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

start → winword.exe → eqnedt32.exe → werfault.exe

Process information

PID 1672, WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\9892134317e1375c1bef7200b675854d.rtf"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 3616, EQNEDT32.EXE
  Command line: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Parent process: svchost.exe
  User: admin
  Company: Design Science, Inc.
  Integrity level: MEDIUM
  Description: Microsoft Equation Editor
  Exit code: 0
  Version: 00110900

PID 2900, WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 3616 -s 336
  Path: C:\Windows\system32\WerFault.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Problem Reporting
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

EQNEDT32.EXE is listed under svchost.exe rather than under WINWORD.EXE because it was started by COM activation (the -Embedding switch), which goes through the DCOM launch service hosted in svchost.exe; a parent/child rule keyed on WINWORD.EXE will not see this chain. WerFault.exe -u -p 3616 names PID 3616, the Equation Editor instance, as the crashed process.
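The signatures above (Word drops an executable, Equation Editor is activated via COM, loads a dropped executable, then crashes) can be expressed as endpoint detection logic. The following is an added example, not ANY.RUN's code: Sysmon-style rules run over constructed events that mirror the process list in this report. Field names follow Sysmon (EventID 1 process create, 7 image load, 11 file create). The image-load event for copyfile.dll by EQNEDT32.EXE is an assumption derived from the "Loads dropped or rewritten executable" signature; the report does not show the load itself.

```python
"""Added example: detection rules for the Office -> EQNEDT32.EXE -> WerFault
chain, over constructed Sysmon-style events. Not ANY.RUN code."""
import re

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EXEC_EXT = (".dll", ".exe", ".scr", ".ocx")
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)

WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
RTF_PATH = r"C:\Users\admin\AppData\Local\Temp\9892134317e1375c1bef7200b675854d.rtf"
DROPPED = r"C:\Users\admin\AppData\Local\Temp\copyfile.dll"

# Constructed events in the order the report's process list implies.
EVENTS = [
    {"EventID": 1, "ProcessId": 1672, "Image": WINWORD,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"' + WINWORD + '" /n "' + RTF_PATH + '"'},
    {"EventID": 11, "ProcessId": 1672, "Image": WINWORD, "TargetFilename": DROPPED},
    {"EventID": 1, "ProcessId": 3616, "Image": EQNEDT,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": '"' + EQNEDT + '" -Embedding'},
    # Assumed from the "Loads dropped or rewritten executable" signature.
    {"EventID": 7, "ProcessId": 3616, "Image": EQNEDT, "ImageLoaded": DROPPED},
    {"EventID": 1, "ProcessId": 2900, "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 3616 -s 336"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) tuples. State is keyed by PID, not by parent,
    because a COM-activated server is a child of svchost.exe, not of Word."""
    findings = []
    image_of = {}          # pid -> image basename
    office_dropped = set()  # lower-cased paths of executables written by Office
    for ev in events:
        pid, eid = ev["ProcessId"], ev["EventID"]
        if eid == 1:
            name = basename(ev["Image"])
            image_of[pid] = name
            if name == "eqnedt32.exe" and "-embedding" in ev["CommandLine"].lower():
                findings.append(("eqnedt32_com_activation", pid,
                                 "parent " + basename(ev["ParentImage"])))
            elif name == "werfault.exe":
                m = re.search(r"-p\s+(\d+)", ev["CommandLine"])
                if m and image_of.get(int(m.group(1))) == "eqnedt32.exe":
                    findings.append(("eqnedt32_crash", int(m.group(1)), ev["CommandLine"]))
        elif eid == 11:
            target = ev["TargetFilename"]
            if image_of.get(pid) in OFFICE_HOSTS and target.lower().endswith(EXEC_EXT):
                office_dropped.add(target.lower())
                findings.append(("office_drops_executable", pid, target))
        elif eid == 7:
            loaded = ev["ImageLoaded"]
            if image_of.get(pid) == "eqnedt32.exe" and (
                    loaded.lower() in office_dropped or USER_WRITABLE.search(loaded)):
                findings.append(("eqnedt32_loads_dropped_dll", pid, loaded))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

On its own, eqnedt32_com_activation also fires when a user legitimately edits an equation, so it is a context rule; the high-confidence signal is eqnedt32_loads_dropped_dll (a DLL from a user-writable path, or one an Office host just wrote), with the crash rule confirming the sequence.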
Total events
1,244
Read events
841
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
1
Text files
4
Unknown types
7

Dropped files

PID 1672, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\CVRFA1C.tmp.cvr
  MD5:
  SHA256:
PID 2900, WerFault.exe: C:\Users\admin\AppData\Local\Temp\WERAF6.tmp.WERInternalMetadata.xml
  MD5:
  SHA256:
PID 2900, WerFault.exe: C:\Users\admin\AppData\Local\Temp\WERAF7.tmp.hdmp
  MD5:
  SHA256:
PID 2900, WerFault.exe: C:\Users\admin\AppData\Local\Temp\WERBF2.tmp.mdmp
  MD5:
  SHA256:
PID 1672, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\copyfile.dll
  Type: executable
  MD5: 54FF120CF7D7074F5A4E35DC416EDB3D
  SHA256: D5E1D8A7EE9E60A203C723BA21F24F345BB4AD92264FDB9C2983551CA20753B9
PID 2900, WerFault.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_4a46cad0181eeab2ca544a7e4c4fdc51adb1774_cab_0b460c9b\WERAF7.tmp.hdmp
  Type: dmp
  MD5: 47BA09EE674A616FB87DBF8F4B9DD922
  SHA256: 99A4193099F7F26C3DFC80AB11B0A6E741D7D43542181C8D3B974F42E693100D
PID 2900, WerFault.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_4a46cad0181eeab2ca544a7e4c4fdc51adb1774_cab_0b460c9b\WERBF2.tmp.mdmp
  Type: dmp
  MD5: C73E93897EC1753C3FFB12569BA14700
  SHA256: BF649BC467E948867734BA735A5C9C00D8133A122CE392BB338EF0FCE54E7E5F
PID 2900, WerFault.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_4a46cad0181eeab2ca544a7e4c4fdc51adb1774_cab_0b460c9b\WERAF6.tmp.WERInternalMetadata.xml
  Type: xml
  MD5: 1F65A97AA32566E40868AB9E5FFBBD8E
  SHA256: 999FD60CE4D78E7D8BC559EC809457E786EF3C2187FC9D31F293688321A2D182
PID 2900, WerFault.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_4a46cad0181eeab2ca544a7e4c4fdc51adb1774_cab_0b460c9b\Report.wer
  Type: binary
  MD5: 4F1823C272071252A2BE6700F3A29115
  SHA256: E01E4E564E9C688C697858912FECF093C1562A523820907E1E1A8599BDE873BD
PID 1672, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\~$92134317e1375c1bef7200b675854d.rtf
  Type: pgc
  MD5: 42AAEB660081D2980212424567BB2399
  SHA256: A500814032CA2F69F39907CA1D9C42431FEE3F1B05034CEA7602C8450D3CE346
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info