File name: INVOICE NO. BKC-003-2019 SMS AIR 04 CTN - STYLE# 1000049650.doc
Full analysis: https://app.any.run/tasks/ac2ac9dd-c49f-4195-bf18-45d764997579
Verdict: Malicious activity
Analysis date: January 18, 2019, 13:36:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, CVE-2017-11882
Indicators:
MIME: application/octet-stream
File info: data
MD5: D090E7E33FBE4BDD8E86453E59EA9E8A
SHA1: 14446C6B0EE6D5F0C970E5C2AFD65C49235B0291
SHA256: 16CDFFBB5F5F2C44B1ABC3839B1AF0F0117F33940CB991822EB7BC2F11594D37
SSDEEP: 96:HJpWT5pUq/yWEm+P5Gk3Jl6AxFJ5iKr6OsWGwcEvwMn1Vg56SyoZTdCQVOkUTNcj:PW2p5P5l6AxF/Q2c01q5tZT38p6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 3268)
    • Application was dropped or rewritten from another process
      • fedwser657.exe (PID: 3104)
    • Writes to a start menu file
      • fedwser657.exe (PID: 3104)
    • Suspicious connection from the Equation Editor
      • EQNEDT32.EXE (PID: 3268)
    • Downloads executable files from the Internet
      • EQNEDT32.EXE (PID: 3268)
    • Changes the autorun value in the registry
      • RegAsm.exe (PID: 3224)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 3268)
      • fedwser657.exe (PID: 3104)
    • Creates files in the user directory
      • fedwser657.exe (PID: 3104)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3000)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3000)
    • Dropped object may contain Bitcoin addresses
      • EQNEDT32.EXE (PID: 3268)
      • fedwser657.exe (PID: 3104)
No Malware configuration.
Total processes: 34
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 1

Behavior graph (process chain shown in the full report): winword.exe, eqnedt32.exe, fedwser657.exe, regasm.exe

Process information

PID: 3000
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\INVOICE NO. BKC-003-2019 SMS AIR 04 CTN - STYLE# 1000049650.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3268
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 3104
CMD: "C:\Users\admin\AppData\Local\Temp\fedwser657.exe"
Path: C:\Users\admin\AppData\Local\Temp\fedwser657.exe
Parent process: EQNEDT32.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.3.9600.16441 (winblue_gdr.131021-1506)

PID: 3224
CMD: "C:\Users\admin\AppData\Local\Temp\fedwser657.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: fedwser657.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Version: 4.6.1055.0 built by: NETFXREL2
Total events: 1 430
Read events: 1 083
Write events: 0
Delete events: 0
Modification events: no data
Executable files: 3
Suspicious files: 0
Text files: 1
Unknown types: 2

Dropped files

PID 3000, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\CVREA35.tmp.cvr
  Type:
  MD5:
  SHA256:

PID 3000, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc
  MD5: E19279658F5878C3F7E1BE1A1A466AB0
  SHA256: E047B13A3169186D4D065FAF0C8D719E5386FBFCAC2620B1F5F7C86B7A012575

PID 3268, EQNEDT32.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\fedwser657.exe
  Type: executable
  MD5: AD708D9F8D4C49B8A0FCB0B0013B5C87
  SHA256: 834A5674D75F985562D2DF08A8B1CA467CE0838CB8D6493629C76BF69992E209

PID 3104, fedwser657.exe
  Filename: C:\Users\admin\AppData\Roaming\khpljqiirw\gtvdaykqyhrsxji.exe
  Type: executable
  MD5: AD708D9F8D4C49B8A0FCB0B0013B5C87
  SHA256: 834A5674D75F985562D2DF08A8B1CA467CE0838CB8D6493629C76BF69992E209

PID 3104, fedwser657.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gtvdaykqyhrsxji.eu.url
  Type: ini
  MD5: 8E5660FE8328648FA34E05627D39CFEF
  SHA256: E583B3845082500DB009097855B92143E89E83DF64FBAB8C7C18F7994DAFFE70

PID 3000, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\~$VOICE NO. BKC-003-2019 SMS AIR 04 CTN - STYLE# 1000049650.doc
  Type: pgc
  MD5: AEF83929CB625D4BDF928D85410345B1
  SHA256: B2BFAC9DEA6C6938D8F363D65E349743CF2984DB1EB973B0AFB124BCC422D78B

PID 3268, EQNEDT32.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\windows-update[1].123
  Type: executable
  MD5: AD708D9F8D4C49B8A0FCB0B0013B5C87
  SHA256: 834A5674D75F985562D2DF08A8B1CA467CE0838CB8D6493629C76BF69992E209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID: 3268
Process: EQNEDT32.EXE
Method: GET
HTTP Code: 200
IP: 195.123.228.117:80
URL: http://irnportcargo.com/ComBat-Engineer/windows-update.123
CN: BG
Type: executable
Size: 680 Kb
Reputation: suspicious

Connections

PID: 3268
Process: EQNEDT32.EXE
IP: 195.123.228.117:80
Domain: irnportcargo.com
ASN: ITL Company
CN: BG
Reputation: suspicious

DNS requests

Domain: irnportcargo.com
IP: 195.123.228.117
Reputation: suspicious

Threats

PID: 3268
Process: EQNEDT32.EXE
Class: Potential Corporate Privacy Violation
Message: ET POLICY PE EXE or DLL Windows file download HTTP

PID: 3268
Process: EQNEDT32.EXE
Class: A Network Trojan was detected
Message: ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2

PID: 3268
Process: EQNEDT32.EXE
Class: Misc activity
Message: ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

Debug output: no debug info