File name: ecdf806bb7ac876bac8250a1f0ff40395faf7a6738df6e0f62553c4164fdf16d (1)
Full analysis: https://app.any.run/tasks/99df30b4-05c1-4867-81f6-ca952a0cc707
Verdict: Malicious activity
Analysis date: October 02, 2019, 17:08:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, generated-doc, exploit, CVE-2017-11882
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: 9665501EFE1F37F0B8A1B2301EA2E63D
SHA1: FB05BFFCA1A3FEC9A94CCD013847B4BFCC26EFE2
SHA256: ECDF806BB7AC876BAC8250A1F0FF40395FAF7A6738DF6E0F62553C4164FDF16D
SSDEEP: 3072:SRWU1K3cSyXSIenVz1/yj2PQrJhTZdk/uOurL008mLDdkV7GgSQmge/03/hA5rHl:SRWUwMSyCDVzp8hTZlO36C7G7z8A5Dl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
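The tags above (text/rtf, ole-embedded, CVE-2017-11882) say the sample is an RTF carrying an embedded OLE object whose server is the Equation Editor. Static triage of such a file comes down to pulling the hex out of each \objdata group and reading the class name in the OLE 1.0 object header, because that header, not the optional \objclass control word, determines which server Word activates, and exploit builders routinely omit or mangle \objclass and split the hex with whitespace, newlines and junk groups. The parser below is an added example written for this page; it is not ANY.RUN's code and was not run against the sample in this report. The three RTF documents it scans are constructed inline (the native data is placeholder bytes, not a real equation stream), and the OLE1 layout it assumes is the [MS-OLEDS] ObjectHeader: OLEVersion, FormatID, three length-prefixed ANSI strings (ClassName, TopicName, ItemName) and, for FormatID 2, NativeDataSize followed by NativeData.

```python
import re
import struct
from binascii import unhexlify


def build_ole1(class_name: str, native: bytes) -> str:
    """Hex-encode an OLE 1.0 embedded-object stream (ObjectHeader + NativeData).
    Used only to construct the sample documents below."""
    cn = class_name.encode("ascii") + b"\x00"
    blob = (struct.pack("<II", 0x501, 2)                 # OLEVersion, FormatID 2 = EmbeddedObject
            + struct.pack("<I", len(cn)) + cn            # ClassName (length includes the NUL)
            + struct.pack("<I", 0)                       # TopicName (empty)
            + struct.pack("<I", 0)                       # ItemName (empty)
            + struct.pack("<I", len(native)) + native)   # NativeDataSize + NativeData
    return blob.hex()


# Constructed samples (not the RTF analysed in this report); native data is placeholder bytes.
_hex = build_ole1("Equation.3", b"\x01\x02\x03\x04\x05\x06\x07\x08")
RTF_PLAIN = ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
             "{\\*\\objdata " + _hex + "}}}")
# Typical evasion: no \objclass, hex broken up by whitespace and newlines, a nested junk group.
RTF_OBFUSCATED = ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata\n"
                  + " ".join(_hex[i:i + 4] for i in range(0, 16, 4)) + "\n"
                  + "{\\*\\junk 41414141}"
                  + "\n".join(_hex[i:i + 4] for i in range(16, len(_hex), 4)) + "}}}")
RTF_BENIGN = ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Word.Document.8}"
              "{\\*\\objdata " + build_ole1("Word.Document.8", b"\xd0\xcf\x11\xe0") + "}}}")


def extract_group_hex(text: str, start: int) -> str:
    """Collect the hex digits of the group that begins at `start` (just after \\objdata),
    skipping nested groups, control words and any non-hex filler."""
    depth, chars = 0, []
    for ch in text[start:]:
        if ch == "{":
            depth += 1
        elif ch == "}":
            if depth == 0:
                break
            depth -= 1
        elif depth == 0:
            chars.append(ch)
    body = re.sub(r"\\[A-Za-z]+-?\d* ?", "", "".join(chars))   # drop control words
    return re.sub(r"[^0-9A-Fa-f]", "", body)


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader and report the class name the host will activate."""
    ole_version, format_id = struct.unpack_from("<II", blob, 0)
    off = 8

    def lp_ansi(pos):
        (n,) = struct.unpack_from("<I", blob, pos)
        raw = blob[pos + 4:pos + 4 + n]
        return raw.split(b"\x00", 1)[0].decode("latin-1"), pos + 4 + n

    class_name, off = lp_ansi(off)
    _topic, off = lp_ansi(off)
    _item, off = lp_ansi(off)
    native_size = None
    if format_id == 2:                       # EmbeddedObject: NativeDataSize + NativeData follow
        (native_size,) = struct.unpack_from("<I", blob, off)
        off += 4
    return {"ole_version": ole_version, "format_id": format_id, "class_name": class_name,
            "native_size": native_size, "native_available": len(blob) - off}


def scan_rtf(text: str) -> list:
    """One record per \\objdata object; flags Equation Editor objects (CVE-2017-11882 target)."""
    results = []
    for m in re.finditer(r"\\objdata(?![A-Za-z])", text):
        hexdata = extract_group_hex(text, m.end())
        if len(hexdata) < 16:                # shorter than the fixed part of the header
            continue
        blob = unhexlify(hexdata[: len(hexdata) // 2 * 2])
        try:
            info = parse_ole1(blob)
        except struct.error:                 # truncated header: still worth reporting
            info = {"ole_version": None, "format_id": None, "class_name": None,
                    "native_size": None, "native_available": None}
        cn = info["class_name"] or ""
        info["equation_editor"] = cn.lower().startswith("equation")
        results.append(info)
    return results


if __name__ == "__main__":
    for name, doc in (("plain", RTF_PLAIN), ("obfuscated", RTF_OBFUSCATED), ("benign", RTF_BENIGN)):
        print(name, scan_rtf(doc))
```

A mismatch between native_size and native_available is itself a signal: the Equation Editor exploit typically ships a small MTEF stream with an oversized font-name record, so the decoded object is worth dumping and inspecting whenever the class name starts with "Equation" regardless of what \objclass claims. The parser does not handle \bin (raw binary) runs or \'hh escapes inside the object group; real-world triage should fall back to a full RTF tool such as rtfobj for those.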
  • MALICIOUS
    • Loads dropped or rewritten executable
      • MsMpEng.exe (PID: 2432)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 2644)
    • Starts CertUtil for decode files
      • EQNEDT32.EXE (PID: 3372)
    • Application was dropped or rewritten from another process
      • MsMpEng.exe (PID: 2432)
    • Changes the autorun value in the registry
      • EQNEDT32.EXE (PID: 3372)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • certutil.exe (PID: 4052)
      • certutil.exe (PID: 3720)
    • Executed via COM
      • EQNEDT32.EXE (PID: 2644)
    • Creates files in the program directory
      • EQNEDT32.EXE (PID: 3372)
      • certutil.exe (PID: 4052)
      • certutil.exe (PID: 3720)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2940)
    • Manual execution by user
      • explorer.exe (PID: 2664)
      • MsMpEng.exe (PID: 2432)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2940)
    • Dropped object may contain Bitcoin addresses
      • EQNEDT32.EXE (PID: 3372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Pages: 1
RevisionNumber: 1
ModifyDate: 2019:06:05 12:56:00
CreateDate: 2019:06:05 12:56:00
LastModifiedBy: MAK
Author: MAK
No data.
All screenshots are available in the full report
Total processes
45
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph (process nodes, in order shown)

start → winword.exe (no specs) → eqnedt32.exe (no specs) → eqnedt32.exe → certutil.exe, certutil.exe; explorer.exe (no specs) → msmpeng.exe

Process information

PID 2940
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\ecdf806bb7ac876bac8250a1f0ff40395faf7a6738df6e0f62553c4164fdf16d (1).rtf"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 2644
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Parent process: svchost.exe
  User: admin
  Company: Design Science, Inc.
  Integrity Level: MEDIUM
  Description: Microsoft Equation Editor
  Exit code: 0
  Version: 00110900

PID 3372
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Parent process: EQNEDT32.EXE
  User: admin
  Company: Design Science, Inc.
  Integrity Level: MEDIUM
  Description: Microsoft Equation Editor
  Exit code: 0
  Version: 00110900

PID 3720
  CMD: "C:\Windows\System32\certutil.exe" -decode C:\ProgramData\MsMpEng\MsMpEng.txt C:\ProgramData\MsMpEng\MsMpEng.exe
  Path: C:\Windows\System32\certutil.exe
  Parent process: EQNEDT32.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: CertUtil.exe
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 4052
  CMD: "C:\Windows\System32\certutil.exe" -decode C:\ProgramData\MsMpEng\MpSvc.txt C:\ProgramData\MsMpEng\MpSvc.dll
  Path: C:\Windows\System32\certutil.exe
  Parent process: EQNEDT32.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: CertUtil.exe
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2664
  CMD: "C:\Windows\explorer.exe"
  Path: C:\Windows\explorer.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Explorer
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2432
  CMD: "C:\ProgramData\MsMpEng\MsMpEng.exe"
  Path: C:\ProgramData\MsMpEng\MsMpEng.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation (from the dropped file's own version resource)
  Integrity Level: MEDIUM
  Description: Antimalware Service Executable
  Version: 3.0.8402.0
Total events
1 025
Read events
647
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
1
Text files
3
Unknown types
3

Dropped files

PID 2940  WINWORD.EXE  C:\Users\admin\AppData\Local\Temp\CVR120.tmp.cvr
  Type:
  MD5:
  SHA256:
PID 2940  WINWORD.EXE  C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ecdf806bb7ac876bac8250a1f0ff40395faf7a6738df6e0f62553c4164fdf16d (1).rtf.LNK
  Type: lnk
  MD5: 3EEE3ED70EB11FFB41F16CFC0CCAB800
  SHA256: 7DEF5A6653A344051A0EF4413B7A7FA424ED73F9D770F50AB7ADFB1CFEC57FAA
PID 3720  certutil.exe  C:\ProgramData\MsMpEng\MsMpEng.exe
  Type: executable
  MD5: CFCE43B70CA0CC4DCC8ADB62B792B173
  SHA256: 227F64B151B502D1D67BD6FEBADA3A567CFF2219305459C70BF1B17D1CD5BE3A
PID 3372  EQNEDT32.EXE  C:\ProgramData\MsMpEng\MsMpEng.txt
  Type: text
  MD5: 6A71D508C88E3CBAFB39B9B0AA05D417
  SHA256: AE15D39C477D7913EEE692BCDC471F213C55A6FAB05DFAC5B894E72F8F20D2BD
PID 2940  WINWORD.EXE  C:\Users\admin\Desktop\~$df806bb7ac876bac8250a1f0ff40395faf7a6738df6e0f62553c4164fdf16d (1).rtf
  Type: pgc
  MD5: D72FFA27ACEC6CE1B1439016F892FA3E
  SHA256: 722D275C1383C9ADE496D97D26E293287A0ABC9075BE5E81B9AD914E8D67989D
PID 2940  WINWORD.EXE  C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc
  MD5: 270A0065C7906739ED7BE9B68CC1176A
  SHA256: 26214F4759884E7AA05E89D04D6898D06AA12EFA66F565A1A3F98723E3A387C6
PID 4052  certutil.exe  C:\ProgramData\MsMpEng\MpSvc.dll
  Type: executable
  MD5: BAA9C1C8917392EAD0B7CDA409573823
  SHA256: 25E971105C9562ED3C7256DB719942A36E23363A8E024FF3EDBDCA5C3E854C70
PID 2940  WINWORD.EXE  C:\Users\admin\AppData\Local\Temp\wd32PrvSE.wmf
  Type: binary
  MD5: 36B8ED0DBEEAEB89B9124FFFDE08C06E
  SHA256: AE524C0B4ED94D5489D7336DB4E92C9B6A8CA3FE581C7226CA141420A0A4C081
PID 3372  EQNEDT32.EXE  C:\ProgramData\MsMpEng\MpSvc.txt
  Type: text
  MD5: 5AE20B52216D144FE3A556A293BBD1E1
  SHA256: 88161164D444905501E2953938285F1A6C13399C75623F9B3FAAC9695201BD53
PID 2940  WINWORD.EXE  C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Type: text
  MD5: 8C7C284A357F8C4652AAD4B50AE7BBEC
  SHA256: F4227CEAEB6D19145747785B4187F6569D80FD2EA87AF3FE31FDC8A3FFA233C6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

No HTTP requests

Connections

PID 2432 (MsMpEng.exe) → 139.59.83.108:8080
  Domain: coreldraw.kozow.com
  ASN: Digital Ocean, Inc.
  CN: IN
  Reputation: unknown

DNS requests

www.msn.com → 204.79.197.203 (whitelisted)
coreldraw.kozow.com → 139.59.83.108 (unknown)

Threats

No threats detected
No debug info