analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

421203cbb4b6499e087a1de5f5fa3aac9977907137e1c55cafe06cb4993e51b7.doc

Full analysis: https://app.any.run/tasks/6e149f4d-0091-439b-80a2-bd855a639fc4
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: March 14, 2019, 05:39:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
generated-doc
trojan
exploit
CVE-2017-11882
loader
rat
azorult
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

1C504CA490E3637BC6E99E24482EC7BA

SHA1:

083328CBC5E15DAA99B222BB7A12F8FF5E8E2547

SHA256:

421203CBB4B6499E087A1DE5F5FA3AAC9977907137E1C55CAFE06CB4993E51B7

SSDEEP:

3072:+QyD7+DsYjuLxWzW6dbbZhzMjlZiYC8ZF:+QyDe6LxWKcj/mZF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 3.exe (PID: 3040)
      • mqewo.exe (PID: 3920)
      • mqewo.exe (PID: 3548)
    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3424)
    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3424)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3424)
    • Connects to CnC server

      • mqewo.exe (PID: 3548)
    • Writes to a start menu file

      • mqewo.exe (PID: 3920)
    • AZORULT was detected

      • mqewo.exe (PID: 3548)
  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3424)
      • 3.exe (PID: 3040)
      • mqewo.exe (PID: 3920)
    • Starts itself from another location

      • 3.exe (PID: 3040)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3424)
      • 3.exe (PID: 3040)
    • Application launched itself

      • mqewo.exe (PID: 3920)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2960)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

InternalVersionNumber: 85
CharactersWithSpaces: 4
Characters: 4
Words: -
Pages: 1
TotalEditTime: -
RevisionNumber: 2
ModifyDate: 2019:01:20 14:19:00
CreateDate: 2019:01:20 14:19:00
LastModifiedBy: Windows User
Author: Windows User
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs eqnedt32.exe 3.exe mqewo.exe #AZORULT mqewo.exe

Process information

PID
CMD
Path
Indicators
Parent process
2960"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\421203cbb4b6499e087a1de5f5fa3aac9977907137e1c55cafe06cb4993e51b7.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3424"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3040C:\Users\Public\3.exeC:\Users\Public\3.exe
EQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3920"C:\Users\admin\AppData\Roaming\nctwe\mqewo.exe"C:\Users\admin\AppData\Roaming\nctwe\mqewo.exe
3.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3548"C:\Users\admin\AppData\Roaming\nctwe\mqewo.exe"C:\Users\admin\AppData\Roaming\nctwe\mqewo.exe
mqewo.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
1 405
Read events
762
Write events
638
Delete events
5

Modification events

(PID) Process:(2960) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:{w,
Value:
7B772C00900B0000010000000000000000000000
(PID) Process:(2960) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2960) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2960) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1315831831
(PID) Process:(2960) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1315831952
(PID) Process:(2960) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1315831953
(PID) Process:(2960) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
900B00009A061F5328DAD40100000000
(PID) Process:(2960) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:4y,
Value:
34792C00900B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2960) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:4y,
Value:
34792C00900B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2960) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
3
Suspicious files
0
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
2960WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE3FB.tmp.cvr
MD5:
SHA256:
30403.exeC:\Users\admin\AppData\Roaming\nctwe\mqewo.exe:ZoneIdentifier
MD5:
SHA256:
3424EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txttext
MD5:BA37E247C2ADFEBC3863A8B48B50AAF2
SHA256:861D7EBFDF139E650F787E7E1F97B2496FE2FCA675C45E0B65C623463FE27126
2960WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:023BC5776958FF1E24F1BC9A10D56BD0
SHA256:6F920E732616A1C75B8BCF5F153476C4C0526345F51E6514277D774B008A645F
30403.exeC:\Users\admin\AppData\Roaming\nctwe\mqewo.exeexecutable
MD5:96D7B92EC79BA64EADB90990B78F1E91
SHA256:3B35946B934A880D4E61A9CA72A7F5070B769E2C82D5845B2CF298BB221929AF
2960WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$1203cbb4b6499e087a1de5f5fa3aac9977907137e1c55cafe06cb4993e51b7.doc.rtfpgc
MD5:C652C2D1B78C3D0362009DA2E36C9239
SHA256:4A0BB56D0EE2A145E29529ADE830A05DE900788F7FDC5A2726EA66FC80861F2A
3424EQNEDT32.EXEC:\Users\Public\3.exeexecutable
MD5:96D7B92EC79BA64EADB90990B78F1E91
SHA256:3B35946B934A880D4E61A9CA72A7F5070B769E2C82D5845B2CF298BB221929AF
3424EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\98410[1].jpgexecutable
MD5:96D7B92EC79BA64EADB90990B78F1E91
SHA256:3B35946B934A880D4E61A9CA72A7F5070B769E2C82D5845B2CF298BB221929AF
3920mqewo.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nctwe.vbstext
MD5:57D2510AAB708704D9FE9996CD9CD281
SHA256:4057FBB911704E92188E969797BBF9AA4E380F30FEC223FFC61BFDEC78E8BB8E
3424EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3424
EQNEDT32.EXE
GET
200
45.67.14.199:80
http://v39t67xz.ru/98410.jpg
unknown
executable
757 Kb
malicious
3424
EQNEDT32.EXE
GET
301
67.199.248.10:80
http://bit.ly/2O3wisM
US
html
115 b
shared
3548
mqewo.exe
POST
200
185.195.236.146:80
http://sakixx.ga/6oit/index.php
AT
text
4 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3424
EQNEDT32.EXE
67.199.248.10:80
bit.ly
Bitly Inc
US
shared
3424
EQNEDT32.EXE
45.67.14.199:80
v39t67xz.ru
suspicious
3548
mqewo.exe
185.195.236.146:80
sakixx.ga
Cristi Scumpu
AT
malicious

DNS requests

Domain
IP
Reputation
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared
v39t67xz.ru
  • 45.67.14.199
malicious
sakixx.ga
  • 185.195.236.146
malicious

Threats

PID
Process
Class
Message
3424
EQNEDT32.EXE
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
3424
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3424
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN Windows Executable Downloaded With Image Content-Type Header
3424
EQNEDT32.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
3424
EQNEDT32.EXE
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ga Domain
3548
mqewo.exe
A Network Trojan was detected
ET TROJAN AZORult Variant.4 Checkin M2
3548
mqewo.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult client request
3548
mqewo.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult.Stealer HTTP Header
3548
mqewo.exe
Potentially Bad Traffic
ET INFO HTTP POST Request to Suspicious *.ga Domain
3 ETPRO signatures available at the full report
No debug info