analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Al_Ali_Engineering__Co_W_L_L.doc

Full analysis: https://app.any.run/tasks/68709a23-ad20-4978-96cb-89ed11a0a585
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: September 18, 2019, 18:41:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
exploit
CVE-2017-11882
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

9D190987EB597D3C71F6602B9BB12788

SHA1:

BB1CF422EDA915E014854E9029A980F57A9B0E65

SHA256:

FD11CCB53F6DD14FE719D1E3E84E8A42AFF8840C27F007F8B63C737C2B8654DF

SSDEEP:

96:b/GMrS8zlnA2UCtx32xBmmnpQMP+QChoWQL9zoou4CojzhDGwHtVk3duX/:DGh0LU2I8mnt+Plj4HvhqwNVB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • qsdfghjklkjhgfd.exe (PID: 3768)
      • qsdfghjklkjhgfd.exe (PID: 2236)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2996)
  • SUSPICIOUS

    • Application launched itself

      • qsdfghjklkjhgfd.exe (PID: 3768)
    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 2996)
    • Executed via COM

      • EQNEDT32.EXE (PID: 2996)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2996)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3108)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe qsdfghjklkjhgfd.exe no specs qsdfghjklkjhgfd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3108"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Al_Ali_Engineering__Co_W_L_L.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2996"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3768"C:\Users\admin\AppData\Roaming\qsdfghjklkjhgfd.exe"C:\Users\admin\AppData\Roaming\qsdfghjklkjhgfd.exeEQNEDT32.EXE
User:
admin
Company:
FEMURfauvisms
Integrity Level:
MEDIUM
Exit code:
0
Version:
2.04.0006
2236"C:\Users\admin\AppData\Roaming\qsdfghjklkjhgfd.exe"C:\Users\admin\AppData\Roaming\qsdfghjklkjhgfd.exeqsdfghjklkjhgfd.exe
User:
admin
Company:
FEMURfauvisms
Integrity Level:
MEDIUM
Version:
2.04.0006
Total events
953
Read events
591
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
2
Unknown types
5

Dropped files

PID
Process
Filename
Type
3108WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8DAE.tmp.cvr
MD5:
SHA256:
2996EQNEDT32.EXEC:\Users\admin\AppData\Roaming\qsdfghjklkjhgfd.exeexecutable
MD5:DB341EC529891A44DD0BE96D3304491C
SHA256:2ABD73DFE70767A5A4E06E1CA7283B72364215D202F4A5F955A16B53FA92C696
3108WINWORD.EXEC:\Users\admin\Desktop\~$_Ali_Engineering__Co_W_L_L.doc.rtfpgc
MD5:1EF7B05C1EB0CBC0E71890F0A4539C4C
SHA256:770E01A1FAE10B31544EB9B1CA5B9F4C38CF220E18F90D9379A5D8D8EC3C31A8
3108WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Al_Ali_Engineering__Co_W_L_L.doc.rtf.LNKlnk
MD5:2D246DF95498C3595B8E4FD18C819E7A
SHA256:594C0EC1BE1EB385D81834F49E325041D1C62A583280E2E4B2AA7D22089CB4BB
3108WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:6C06FD78DC335374FE82F952B9C910FC
SHA256:2CE6D2B0AE57D06D3516F2D607986D7937227D439488C2F03C2F790890FCAB01
3108WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:F6E063EE2DC1883B72BBCDB40BA01A35
SHA256:8D966ADEDDAA812F4B0757731FE170F600BDDC609C581A6581E72B172F4AD9AB
2996EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\prty[1].exeexecutable
MD5:DB341EC529891A44DD0BE96D3304491C
SHA256:2ABD73DFE70767A5A4E06E1CA7283B72364215D202F4A5F955A16B53FA92C696
2996EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2996
EQNEDT32.EXE
112.213.89.40:443
tfvn.com.vn
SUPERDATA
VN
malicious

DNS requests

Domain
IP
Reputation
tfvn.com.vn
  • 112.213.89.40
unknown

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info