Malware analysis 93d6fad4530958a6c48cb45b34d8f531ca132bab23462362.rtf Malicious activity | ANY.RUN - Malware Sandbox Online

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Sign up, it’s free

Add for printing

File name:	93d6fad4530958a6c48cb45b34d8f531ca132bab23462362.rtf
Full analysis:	https://app.any.run/tasks/189120f4-b1ed-4bc3-9266-4f278ce3a01c
Verdict:	Malicious activity
Analysis date:	January 18, 2019, 06:26:42
OS:	Windows Vista Business Service Pack 2 (build: 6002, 64 bit)
Indicators:
MIME:	text/rtf
File info:	Rich Text Format data, unknown version
MD5:	A3F72730D90B8A695D2E67CE24955E45
SHA1:	93D6FAD4530958A6C48CB45B34D8F531CA132BAB
SHA256:	D3658E835ABF468584629D6FFD5A92A9547EBC1955F99E26F1075870C98025C4
SSDEEP:	1536:3zfUoyfpfSdN5GDajbbH6jN9wGgDlc+bt94yH6:3zfFbbaAjjC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 7.0.6002.18005 undefined
7-Zip 18.01 (x64) (18.01)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
Adobe Reader XI (11.0.10) (11.0.10)
CCleaner (5.35)
FileZilla Client 3.31.0 (3.31.0)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Excel MUI (English) 2007 (12.0.4518.1014)
Microsoft Office Office 64-bit Components 2007 (12.0.4518.1014)
Microsoft Office Outlook MUI (English) 2007 (12.0.4518.1014)
Microsoft Office PowerPoint MUI (English) 2007 (12.0.4518.1014)
Microsoft Office Proof (English) 2007 (12.0.4518.1014)
Microsoft Office Proof (French) 2007 (12.0.4518.1014)
Microsoft Office Proof (Spanish) 2007 (12.0.4518.1014)
Microsoft Office Proofing (English) 2007 (12.0.4518.1014)
Microsoft Office Shared 64-bit MUI (English) 2007 (12.0.4518.1014)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (12.0.4518.1014)
Microsoft Office Shared MUI (English) 2007 (12.0.4518.1014)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (12.0.4518.1014)
Microsoft Office Standard 2007 (12.0.4518.1014)
Microsoft Office Word MUI (English) 2007 (12.0.4518.1014)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325 (14.11.25325.0)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
Microsoft Visual C++ 2017 x64 Additional Runtime - 14.11.25325 (14.11.25325)
Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.11.25325 (14.11.25325)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
Mozilla Firefox 50.0.2 (x86 en-US) (50.0.2)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 6.18 (6.18.106)
VLC media player (2.2.6)

Hotfixes

BusinessEdition
Client LanguagePack Package
Foundation Package
KB2999226
KB935509
KB937287
KB938371
KB955430
KB956250
KB970158
NetFx3 OC Package
Printing XPSServices Package
RecDisc SDP Package
Sidebar Killbits SDP Package
VistaSP1CEIP Package
VistaServicePack SysHiper SP1 Package
VistaServicePack UninstallRemoval Package
Windows Management Framework Core TopLevel

Add for printing

MALICIOUS
- Suspicious connection from the Equation Editor
  - EQNEDT32.EXE (PID: 1752)
SUSPICIOUS
- Creates files in the user directory
  - WINWORD.EXE (PID: 2240)
- Reads the machine GUID from the registry
  - WINWORD.EXE (PID: 2240)
- Reads Internet Cache Settings
  - EQNEDT32.EXE (PID: 1752)
INFO
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 2240)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rtf	\|	Rich Text Format (100)

No data.

Add for printing

All screenshots are available in the full report

All screenshots are available in the full report

Add for printing

Total processes

36

Monitored processes

3

Malicious processes

1

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2240	"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde	C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Version: 12.0.4518.1014
2692	splwow64	C:\Windows\splwow64.exe	—	WINWORD.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Thunking Spooler APIS from 32 to 64 Process Version: 6.0.6001.18000 (longhorn_rtm.080118-1840)
1752	"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding	C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE		svchost.exe
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Version: 00110900

Add for printing

Total events

236

Read events

211

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

2

Dropped files

PID	Process	Filename		Type
2240	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:31DDE9E6B05C60FA7EDFC3F81B07C541	SHA256:F47F0740FCECF45145AC6157FA82F19C2813D0D8D5C620AF9A260F251AC29705
2240	WINWORD.EXE	C:\Users\admin\Desktop\~$d6fad4530958a6c48cb45b34d8f531ca132bab23462362.rtf		pgc
		MD5:0CD18BC5C1766A597FE7528A4386B40F	SHA256:AC2FE6060ED138A5B323BF0887E97446D298BE3DBF66A098A2739DD8CA59F538

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

1

TCP/UDP connections

1

DNS requests

2

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1752	EQNEDT32.EXE	GET	—	51.75.90.104:80	http://goone-88.ga/z.exe	GB	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1752	EQNEDT32.EXE	51.75.90.104:80	goone-88.ga	—	GB	suspicious

DNS requests

Domain	IP	Reputation
wpad	—	unknown
goone-88.ga	51.75.90.104	malicious

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET INFO DNS Query for Suspicious .ga Domain

Add for printing

No debug info