analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

bfad291d000b56ddd8a331d7283685b2_bfad291d000b56ddd8a331d7283685b2.doc.zip

Full analysis: https://app.any.run/tasks/20a6fb3b-8be9-481d-9953-0e0dc1ce5dd6
Verdict: Malicious activity
Analysis date: October 14, 2019, 13:42:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

1E815A32A3FD0DB3EC6022601779672D

SHA1:

CFF1E5F39CA619D41536B16CFAD0A8F37BC282C5

SHA256:

44055D730B636EEE349C8558C795D154AADBD502B63FDFFDE7105A0279931312

SSDEEP:

6144:/QfCHHgIwbApfb9sBZ/yoq2+2SUT4Ps0NGodaRIPrkyxkRtQJHOg0etF42f+:opwSHyoqR9XDGoairkyxkDQJOg0e7422

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • EQNEDT32.EXE (PID: 2612)

    • Application was dropped or rewritten from another process

      • write.exe (PID: 3944)
      • write.exe (PID: 3416)

    • Loads the Task Scheduler COM API

      • mmc.exe (PID: 3856)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2612)

    • Loads dropped or rewritten executable

      • write.exe (PID: 3416)

    • Actions looks like stealing of personal data

      • write.exe (PID: 3416)

  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 2612)

    • Creates files in the program directory

      • EQNEDT32.EXE (PID: 2612)
      • write.exe (PID: 3416)

    • Reads internet explorer settings

      • EQNEDT32.EXE (PID: 2612)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2612)

    • Creates files in the user directory

      • notepad++.exe (PID: 3840)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1556)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1556)

    • Manual execution by user

      • WINWORD.EXE (PID: 1556)
      • mmc.exe (PID: 2548)
      • mmc.exe (PID: 3856)
      • notepad++.exe (PID: 3840)
      • write.exe (PID: 3416)
      • notepad++.exe (PID: 3968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:10:11 11:44:21
ZipCRC: 0xba86eef0
ZipCompressedSize: 353031
ZipUncompressedSize: 2655192
ZipFileName: bfad291d000b56ddd8a331d7283685b2_bfad291d000b56ddd8a331d7283685b2.doc
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
56
Monitored processes
10
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs winword.exe no specs eqnedt32.exe write.exe no specs mmc.exe no specs mmc.exe notepad++.exe gup.exe write.exe notepad++.exe

Process information

PID
CMD
Path
Indicators
Parent process
1584"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\bfad291d000b56ddd8a331d7283685b2_bfad291d000b56ddd8a331d7283685b2.doc.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1556"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\bfad291d000b56ddd8a331d7283685b2_bfad291d000b56ddd8a331d7283685b2.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2612"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3944"C:\ProgramData\AuthyFiles\write.exe" C:\ProgramData\AuthyFiles\write.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Write
Exit code:
3221225794
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2548"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /sC:\Windows\system32\mmc.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Management Console
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3856"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /sC:\Windows\system32\mmc.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Management Console
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3840"C:\Program Files\Notepad++\notepad++.exe" "C:\ProgramData\AuthyFiles\write.exe.config"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Version:
7.51
2420"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
4294967295
Version:
4.1
3416"C:\ProgramData\AuthyFiles\write.exe" C:\ProgramData\AuthyFiles\write.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Write
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3968"C:\Program Files\Notepad++\notepad++.exe" "C:\ProgramData\AuthyFiles\Authy"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.51
Total events
2 592
Read events
1 447
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
4
Text files
12
Unknown types
4

Dropped files

PID
Process
Filename
Type
1556WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR2B5.tmp.cvr
MD5:
SHA256:
3416write.exeC:\Users\admin\AppData\Local\Temp\tmp802D.tmp
MD5:
SHA256:
3416write.exeC:\Users\admin\AppData\Local\Temp\tmp8C82.tmp
MD5:
SHA256:
3416write.exeC:\Users\admin\AppData\Roaming\AuthyDat\tm4a2dlv.jjm.flc
MD5:
SHA256:
3416write.exeC:\Users\admin\AppData\Local\Temp\tmpBC78.tmp
MD5:
SHA256:
2612EQNEDT32.EXEC:\ProgramData\AuthyFiles\write.exe.configxml
MD5:70ECD7E0BDF8F8D01F7F58BE6525E079
SHA256:B1FA0771099733E7A9FA296ACC7518C1E36C4E473B59EEC7ACBFB89D80252757
1584WinRAR.exeC:\Users\admin\Desktop\bfad291d000b56ddd8a331d7283685b2_bfad291d000b56ddd8a331d7283685b2.doctext
MD5:BFAD291D000B56DDD8A331D7283685B2
SHA256:B1417D7EE62878EF75381E4A3A4F388AC08AC4D4BBD9999B126345691E82B0C2
1556WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\bfad291d000b56ddd8a331d7283685b2_bfad291d000b56ddd8a331d7283685b2.doc.LNKlnk
MD5:265876D71C0366FE7D4B1BACD7B1524B
SHA256:D1F399CCB3C5F11E7BBECFF927A216C30DBED4CAE3CB3B19B2616D6A5761C65D
2612EQNEDT32.EXEC:\ProgramData\AuthyFiles\PROPSYS.dllexecutable
MD5:5D1056347EADD7580C9912957B105290
SHA256:66F75B4A2BE3C4504A9915781966057B7DFB49AFCC8875D56BE36FEFC5CB225A
1556WINWORD.EXEC:\Users\admin\Desktop\~$ad291d000b56ddd8a331d7283685b2_bfad291d000b56ddd8a331d7283685b2.docpgc
MD5:5E837F75E08643BB58E501E55D5252B9
SHA256:DCD03A4BD5521D66AC0D5241A35C2B350A09D07B7342EE9DB3F98569DA496E26
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
6
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
95.101.72.151:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
unknown
der
1.37 Kb
whitelisted
GET
200
95.101.72.151:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgMpeSsuddjFyk25ZqSQ83ahjg%3D%3D
unknown
der
527 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2420
gup.exe
2.57.89.199:443
notepad-plus-plus.org
suspicious
3416
write.exe
178.62.190.33:443
trans-can.net
Digital Ocean, Inc.
NL
unknown
95.101.72.151:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
notepad-plus-plus.org
  • 2.57.89.199
whitelisted
trans-can.net
  • 178.62.190.33
malicious
isrg.trustid.ocsp.identrust.com
  • 95.101.72.151
  • 95.101.72.176
whitelisted
ocsp.int-x3.letsencrypt.org
  • 95.101.72.151
  • 95.101.72.191
whitelisted

Threats

No threats detected
Process
Message
mmc.exe
Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe
VerifyLibrary: certificate revocation checking is disablŒ
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
bfad291d000b56ddd8a331d7283685b2_bfad291d000b56ddd8a331d7283685b2.doc.zip