File name: d81afd01caa25aad448ccd3677a728a504fc5c00ea607ecb007fd66d5a5c144d
Full analysis: https://app.any.run/tasks/cf64cc47-de98-48d8-b1e6-f557dae23854
Verdict: Malicious activity
Analysis date: December 06, 2019, 20:21:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, CVE-2017-11882
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: 602F7A5D4EA7D86303C56536ADCA0111
SHA1: CC365A4D05C3273717F29A9A8C9421BEF7F36A09
SHA256: D81AFD01CAA25AAD448CCD3677A728A504FC5C00EA607ECB007FD66D5A5C144D
SSDEEP: 384:/NNNNNNNNNNLNF4v27YguE4x5+VsTM79tttttttttMAVGV:VihguE4WsI7sAo
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 1800)
    • Application was dropped or rewritten from another process
      • test.exe (PID: 1780)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 2432)
  • SUSPICIOUS
    • Executed via COM
      • EQNEDT32.EXE (PID: 2432)
      • EQNEDT32.EXE (PID: 2832)
    • Starts Microsoft Office Application
      • rundll32.exe (PID: 1584)
    • Starts CMD.EXE for commands execution
      • EQNEDT32.EXE (PID: 2432)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 1800)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 1800)
    • Application was crashed
      • EQNEDT32.EXE (PID: 2832)
      • EQNEDT32.EXE (PID: 2432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 3

Behavior graph (processes shown): rundll32.exe, winword.exe, eqnedt32.exe, eqnedt32.exe, cmd.exe, test.exe

Process information

PID: 1584
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\d81afd01caa25aad448ccd3677a728a504fc5c00ea607ecb007fd66d5a5c144d
Path: C:\Windows\system32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1800
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\d81afd01caa25aad448ccd3677a728a504fc5c00ea607ecb007fd66d5a5c144d"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2832
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 2432
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 2648
CMD: cmd.exe /c%tmp%\test.exe A C
Path: C:\Windows\system32\cmd.exe
Parent process: EQNEDT32.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1780
CMD: C:\Users\admin\AppData\Local\Temp\test.exe A C
Path: C:\Users\admin\AppData\Local\Temp\test.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Version: 1.00
Total events: 1 638
Read events: 697
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 2

Dropped files

PID: 1800
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRBF34.tmp.cvr
Type:
MD5:
SHA256:

PID: 1800
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DD66F1B0-EEBA-459E-9D0E-0995773DADFC}.tmp
Type:
MD5:
SHA256:

PID: 1800
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$1afd01caa25aad448ccd3677a728a504fc5c00ea607ecb007fd66d5a5c144d
Type: pgc
MD5: 4DBF1316457DAC52C536192660BF73ED
SHA256: 7EBB093ED336407C394EF4495950AC8325713236F49BA7609C6BB7F4BE74C7D3

PID: 1800
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: E1263FB78C58B7DB7E413CA2CD16DDFA
SHA256: FC8EB7CF454401EB19A7F1FB98DFB8CE969A8E1BC09E8D01FAEBBBDA70E1970A

PID: 1800
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\test.exe
Type: executable
MD5: A386AFA06CEB88C4A94F160F4E4A13DC
SHA256: B7F3D7D5DCFCC5AF0A0A2D7B195D5EBC864F7CDAE4C743E7E53C6505B4505099
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests

Connections: No data

DNS requests: No data

Threats: No threats detected
No debug info