analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Doc_7435.doc

Full analysis: https://app.any.run/tasks/7d0ad754-a303-4012-80a9-7a80f04fe058
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Analysis date: July 17, 2019, 11:07:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
exploit
CVE-2017-11882
trojan
rat
njrat
bladabindi
virut
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

B8E1A1EFB94A995E7447D51541F08DE9

SHA1:

2440429F66F1260F18E35DE3B7F749B746858CD1

SHA256:

EC21432052298640B54673391E93DF26375776F511D9CA1EFCF93FA939C2FF48

SSDEEP:

768:OvyXCdJWz7zpgegbFz8Lob2GR/yapptJdRH4v:cm7gJz/BrH74v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NJRAT was detected

      • RegAsm.exe (PID: 2200)
    • Application was dropped or rewritten from another process

      • 811567.exe (PID: 2248)
      • tmp2850.tmp.exe (PID: 3436)
    • Connects to CnC server

      • RegAsm.exe (PID: 2200)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2220)
    • Application was injected by another process

      • taskeng.exe (PID: 2012)
    • VIRUT was detected

      • taskeng.exe (PID: 2012)
    • Writes to a start menu file

      • tmp2850.tmp.exe (PID: 3436)
      • 811567.exe (PID: 2248)
    • Runs injected code in another process

      • tmp2850.tmp.exe (PID: 3436)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • RegAsm.exe (PID: 2200)
      • EQNEDT32.EXE (PID: 2800)
      • tmp2850.tmp.exe (PID: 3436)
      • 811567.exe (PID: 2248)
    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 2800)
      • 811567.exe (PID: 2248)
      • tmp2850.tmp.exe (PID: 3436)
    • Executed via COM

      • EQNEDT32.EXE (PID: 2220)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3872)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Title: Not
Author: C
LastModifiedBy: Windows User
CreateDate: 2019:06:20 00:52:00
ModifyDate: 2019:06:20 00:52:00
RevisionNumber: 2
TotalEditTime: 1 minute
Pages: 1
Words: -
Characters: 4
CharactersWithSpaces: 4
InternalVersionNumber: 24689
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
11
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start inject winword.exe no specs eqnedt32.exe no specs eqnedt32.exe 811567.exe regasm.exe no specs #NJRAT regasm.exe regasm.exe no specs regasm.exe no specs regasm.exe no specs tmp2850.tmp.exe #VIRUT taskeng.exe

Process information

PID
CMD
Path
Indicators
Parent process
3872"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Doc_7435.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2220"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEsvchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2800"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
EQNEDT32.EXE
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2248C:\Users\admin\AppData\Roaming\811567.exeC:\Users\admin\AppData\Roaming\811567.exe
EQNEDT32.EXE
User:
admin
Company:
VersaVPN L.L.C
Integrity Level:
MEDIUM
Description:
VersaVPN
Exit code:
0
Version:
1.0.0.5
1464C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe811567.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
2200C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
811567.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
2496C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe811567.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
3116C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe811567.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
3472C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe811567.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
3436"C:\Users\admin\AppData\Local\Temp\tmp2850.tmp.exe" C:\Users\admin\AppData\Local\Temp\tmp2850.tmp.exe
RegAsm.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 960
Read events
1 559
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
1
Text files
1
Unknown types
4

Dropped files

PID
Process
Filename
Type
3872WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRF84B.tmp.cvr
MD5:
SHA256:
2800EQNEDT32.EXEC:\Users\admin\AppData\Roaming\811567.exe
MD5:
SHA256:
3436tmp2850.tmp.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnklnk
MD5:B9058655F58AB19BBA9BD047AD0980A8
SHA256:CBD628CD3C0D338CD5068D84FBA8FC111018C076BD390B71AD172B8F5EC124FF
3872WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:0B4F87476DA447C1C656481A00718A55
SHA256:FF80064184ACC996698EC4FC263AD99E38BB89C102D0850877D92AE369355BC4
3872WINWORD.EXEC:\Users\admin\AppData\Local\Temp\wd32PrvSE.wmfbinary
MD5:C8BBD69BB58F455FD68CE82892139525
SHA256:DA65E5D170765F586BD067BC32648B01E6FFDBBDC55FBED9DA5AAD8F5724E84B
2800EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\3[1].exeexecutable
MD5:A1F0BA4951E43A05D5C05DE6E7BDF44C
SHA256:045EFFC81057CB6E8E94899EAF9B522768CFD3D81F0CBE029D1C15346961EB1D
3872WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$c_7435.docpgc
MD5:03EEEAE541193079E92F839D7AB1B5DF
SHA256:89977099B0B851A2B1E8C6F9E76652A09F82B72B5F045A9BC69F88792CD5E073
2248811567.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\filename.exeexecutable
MD5:0177FE7E5A852CF74039DC757E2097E9
SHA256:25BC5B363DD13BA2C9857681987D9BC3B477B28240CDB4F73971A0C91E78B575
2800EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@put[1].txttext
MD5:A9757CD3DF7E3C9C09D7F85469DDDDA3
SHA256:E01B6EA892F4CEC4B982BC488C501EDDDF7FA5E1AF1EB519C499BF87AED8CAEE
3436tmp2850.tmp.exeC:\Users\admin\AppData\Roaming\Paint.exeexecutable
MD5:5A7F6775172FAD86EB4D448745B7F46F
SHA256:D6427D4C692BC7FE6A62EB2018075B91CC5551E794383391CD1E4D715F55550B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
11
DNS requests
59
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2200
RegAsm.exe
104.20.208.21:443
pastebin.com
Cloudflare Inc
US
shared
2012
taskeng.exe
148.81.111.121:80
ilo.brenz.pl
Naukowa I Akademicka Siec Komputerowa Instytut Badawczy
PL
malicious
2012
taskeng.exe
93.188.2.51:443
krogia.com
Loopia AB
SE
malicious
2012
taskeng.exe
107.170.223.154:443
addxyz.com
Digital Ocean, Inc.
US
malicious
2800
EQNEDT32.EXE
104.27.143.252:443
m.put.re
Cloudflare Inc
US
shared
2200
RegAsm.exe
185.247.228.236:7707
malicious
2012
taskeng.exe
83.133.119.197:80
euNetworks Managed Services GmbH
unknown

DNS requests

Domain
IP
Reputation
m.put.re
  • 104.27.143.252
  • 104.27.142.252
suspicious
pastebin.com
  • 104.20.208.21
  • 104.20.209.21
shared
ilo.brenz.pl
  • 148.81.111.121
unknown
imjffu.com
unknown
ant.trenz.pl
  • 148.81.111.121
malicious
ynoqtq.com
unknown
uoemzq.com
unknown
addxyz.com
  • 107.170.223.154
malicious
oeyxlh.com
unknown
eismgo.com
unknown

Threats

PID
Process
Class
Message
2200
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] njRAT/Bladabindi (Lime-RAT)
A Network Trojan was detected
ET TROJAN Known Hostile Domain ilo.brenz .pl Lookup
2012
taskeng.exe
A Network Trojan was detected
MALWARE [PTsecurity] Backdor.W32/Virut
A Network Trojan was detected
ET TROJAN Known Hostile Domain ant.trenz .pl Lookup
2012
taskeng.exe
A Network Trojan was detected
MALWARE [PTsecurity] Backdor.W32/Virut
5 ETPRO signatures available at the full report
No debug info