analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ec21432052298640b54673391e93df26375776f511d9ca1efcf93fa939c2ff48.doc

Full analysis: https://app.any.run/tasks/8d9ca9af-3e1b-44d8-8210-627733acc64d
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Analysis date: July 17, 2019, 18:39:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
exploit
CVE-2017-11882
trojan
rat
njrat
bladabindi
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

B8E1A1EFB94A995E7447D51541F08DE9

SHA1:

2440429F66F1260F18E35DE3B7F749B746858CD1

SHA256:

EC21432052298640B54673391E93DF26375776F511D9CA1EFCF93FA939C2FF48

SSDEEP:

768:OvyXCdJWz7zpgegbFz8Lob2GR/yapptJdRH4v:cm7gJz/BrH74v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 4004)
    • NJRAT was detected

      • RegAsm.exe (PID: 3564)
    • Application was dropped or rewritten from another process

      • 408812.exe (PID: 2540)
    • Connects to CnC server

      • RegAsm.exe (PID: 3564)
  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 4004)
    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 2784)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2784)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2876)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

InternalVersionNumber: 24689
CharactersWithSpaces: 4
Characters: 4
Words: -
Pages: 1
TotalEditTime: 1 minute
RevisionNumber: 2
ModifyDate: 2019:06:20 00:52:00
CreateDate: 2019:06:20 00:52:00
LastModifiedBy: Windows User
Author: C
Title: Not
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
9
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe no specs eqnedt32.exe 408812.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs #NJRAT regasm.exe regasm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2876"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ec21432052298640b54673391e93df26375776f511d9ca1efcf93fa939c2ff48.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
4004"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEsvchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2784"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
EQNEDT32.EXE
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2540C:\Users\admin\AppData\Roaming\408812.exeC:\Users\admin\AppData\Roaming\408812.exeEQNEDT32.EXE
User:
admin
Company:
VersaVPN L.L.C
Integrity Level:
MEDIUM
Description:
VersaVPN
Version:
1.0.0.5
2944C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe408812.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
3064C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe408812.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
3256C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe408812.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
3564C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
408812.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
3716C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe408812.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
Total events
1 321
Read events
926
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
2876WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA6A0.tmp.cvr
MD5:
SHA256:
2784EQNEDT32.EXEC:\Users\admin\AppData\Roaming\408812.exe
MD5:
SHA256:
2876WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{760F9511-AC49-4459-AC82-94C68079F9F8}.tmp
MD5:
SHA256:
2876WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{685A853B-101B-4282-BEAD-0A9F4249BC95}.tmp
MD5:
SHA256:
2784EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@put[1].txttext
MD5:6329036A66FA92B49BBF3EE896726D27
SHA256:B41E1224B902374D91DDABDCC24D4123700248FACA88CEF2EFC751582272C8C4
2784EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\3[1].exeexecutable
MD5:A1F0BA4951E43A05D5C05DE6E7BDF44C
SHA256:045EFFC81057CB6E8E94899EAF9B522768CFD3D81F0CBE029D1C15346961EB1D
2876WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AE97265E-088F-4E4F-9DF7-2C0271EBD231}.tmpbinary
MD5:75B31CD62066E79EAD889CB6029D6FE0
SHA256:30C379593CE76020667CB2058D379656A08D6079A7C9FC8212F5F4404A0936D1
2876WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:F2DE1431816F1A887F11E37F0E5B78C1
SHA256:AC75C28502BA69F35891655C9ADFC2B4C73730F00CE0F6C22519E9B5B48762BD
2876WINWORD.EXEC:\Users\admin\AppData\Local\Temp\wd32PrvSE.wmfbinary
MD5:C8BBD69BB58F455FD68CE82892139525
SHA256:DA65E5D170765F586BD067BC32648B01E6FFDBBDC55FBED9DA5AAD8F5724E84B
2876WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$21432052298640b54673391e93df26375776f511d9ca1efcf93fa939c2ff48.docpgc
MD5:C4AC655CFC2B2DEB2E682E8C11173C19
SHA256:4B4905F4A1F3E225442F94B051670BDA07342CBFE008A50067402CDFD1A91765
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
5
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2784
EQNEDT32.EXE
104.27.143.252:443
m.put.re
Cloudflare Inc
US
shared
2784
EQNEDT32.EXE
104.27.142.252:443
m.put.re
Cloudflare Inc
US
shared
3564
RegAsm.exe
104.20.208.21:443
pastebin.com
Cloudflare Inc
US
shared
3564
RegAsm.exe
185.247.228.236:7707
malicious

DNS requests

Domain
IP
Reputation
m.put.re
  • 104.27.142.252
  • 104.27.143.252
suspicious
dns.msftncsi.com
  • 131.107.255.255
shared
pastebin.com
  • 104.20.208.21
  • 104.20.209.21
shared

Threats

PID
Process
Class
Message
3564
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] njRAT/Bladabindi (Lime-RAT)
1 ETPRO signatures available at the full report
No debug info