analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

bfad291d000b56ddd8a331d7283685b2_bfad291d000b56ddd8a331d7283685b2.doc.zip

Full analysis: https://app.any.run/tasks/512b8f84-3bca-4cb4-8cbd-601365f3cd13
Verdict: Malicious activity
Analysis date: October 14, 2019, 14:11:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

1E815A32A3FD0DB3EC6022601779672D

SHA1:

CFF1E5F39CA619D41536B16CFAD0A8F37BC282C5

SHA256:

44055D730B636EEE349C8558C795D154AADBD502B63FDFFDE7105A0279931312

SSDEEP:

6144:/QfCHHgIwbApfb9sBZ/yoq2+2SUT4Ps0NGodaRIPrkyxkRtQJHOg0etF42f+:opwSHyoqR9XDGoairkyxkDQJOg0e7422

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • write.exe (PID: 2732)
      • write.exe (PID: 2416)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2332)

    • Changes the autorun value in the registry

      • EQNEDT32.EXE (PID: 2332)

    • Loads dropped or rewritten executable

      • write.exe (PID: 2416)

    • Actions looks like stealing of personal data

      • write.exe (PID: 2416)

  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 2332)

    • Reads internet explorer settings

      • EQNEDT32.EXE (PID: 2332)

    • Creates files in the program directory

      • EQNEDT32.EXE (PID: 2332)
      • write.exe (PID: 2416)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2332)

    • Creates files in the user directory

      • notepad++.exe (PID: 3300)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3272)

  • INFO

    • Manual execution by user

      • WINWORD.EXE (PID: 1732)
      • write.exe (PID: 2416)
      • notepad++.exe (PID: 3300)
      • notepad++.exe (PID: 3304)
      • chrome.exe (PID: 3272)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1732)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1732)

    • Reads the hosts file

      • chrome.exe (PID: 4068)
      • chrome.exe (PID: 3272)

    • Reads settings of System Certificates

      • chrome.exe (PID: 4068)

    • Application launched itself

      • chrome.exe (PID: 3272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:10:11 11:44:21
ZipCRC: 0xba86eef0
ZipCompressedSize: 353031
ZipUncompressedSize: 2655192
ZipFileName: bfad291d000b56ddd8a331d7283685b2_bfad291d000b56ddd8a331d7283685b2.doc
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
90
Monitored processes
44
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs winword.exe no specs eqnedt32.exe write.exe no specs write.exe notepad++.exe gup.exe notepad++.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2420"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\bfad291d000b56ddd8a331d7283685b2_bfad291d000b56ddd8a331d7283685b2.doc.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1732"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\bfad291d000b56ddd8a331d7283685b2_bfad291d000b56ddd8a331d7283685b2.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2332"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2732"C:\ProgramData\AuthyFiles\write.exe" C:\ProgramData\AuthyFiles\write.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Write
Exit code:
3221225794
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2416"C:\ProgramData\AuthyFiles\write.exe" C:\ProgramData\AuthyFiles\write.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Write
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3300"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Roaming\AuthyDat\wnbyhoyk.2fh.sif"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.51
2296"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
4294967295
Version:
4.1
3304"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Roaming\AuthyDat\rss45qae.40o.flc"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Version:
7.51
3272"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2748"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6a58a9d0,0x6a58a9e0,0x6a58a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
Total events
3 791
Read events
2 439
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
71
Text files
271
Unknown types
17

Dropped files

PID
Process
Filename
Type
1732WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRFB14.tmp.cvr
MD5:
SHA256:
2416write.exeC:\Users\admin\AppData\Local\Temp\tmp5BA2.tmp
MD5:
SHA256:
2416write.exeC:\Users\admin\AppData\Local\Temp\tmp6875.tmp
MD5:
SHA256:
2416write.exeC:\Users\admin\AppData\Roaming\AuthyDat\rss45qae.40o.flc
MD5:
SHA256:
2416write.exeC:\Users\admin\AppData\Local\Temp\tmpC7E6.tmp
MD5:
SHA256:
2332EQNEDT32.EXEC:\ProgramData\AuthyFiles\PROPSYS.dllexecutable
MD5:01F36C6AAA4C015529DB7F10DDB7A691
SHA256:2D49838B0BA9D0A8A1CE4EA949BCA4D6D19279DFBBF1D516F5D4DFEACC073120
1732WINWORD.EXEC:\Users\admin\Desktop\~$ad291d000b56ddd8a331d7283685b2_bfad291d000b56ddd8a331d7283685b2.docpgc
MD5:2BF68188F97FC666118DE7245EB1C6DB
SHA256:8ECD6A7D0F6D000886D2F8F82B3C788D72EAC6318257B3099763F660E5C0949F
1732WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:7C0A1CBA2DCD53BE61CFCA997C97D1AD
SHA256:1711DE5B8210605202FF2AE6E368B7CA5F79D84A2BC793E265289E8C14C2F561
2332EQNEDT32.EXEC:\ProgramData\AuthyFiles\write.exe.configxml
MD5:70ECD7E0BDF8F8D01F7F58BE6525E079
SHA256:B1FA0771099733E7A9FA296ACC7518C1E36C4E473B59EEC7ACBFB89D80252757
1732WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:401D75681251BEF4EAB52B95A5927BBC
SHA256:92146D175D9B94B9B1D1EAD04B0800BF7B7FD4037B1917A7952E55B5C2DF3429
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
86
DNS requests
66
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4068
chrome.exe
GET
302
172.217.22.110:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
508 b
whitelisted
GET
200
95.101.72.151:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgMpeSsuddjFyk25ZqSQ83ahjg%3D%3D
unknown
der
527 b
whitelisted
4068
chrome.exe
GET
302
172.217.22.110:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
513 b
whitelisted
GET
200
95.101.72.176:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
unknown
der
1.37 Kb
whitelisted
4068
chrome.exe
GET
200
74.125.4.216:80
http://r2---sn-aigzrney.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=185.92.25.20&mm=28&mn=sn-aigzrney&ms=nvh&mt=1571062399&mv=m&mvi=1&pl=24&shardbypass=yes
US
crx
293 Kb
whitelisted
4068
chrome.exe
GET
200
13.107.4.50:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
57.0 Kb
whitelisted
4068
chrome.exe
GET
200
52.222.149.36:80
http://x.ss2.us/x.cer
US
der
1.27 Kb
whitelisted
4068
chrome.exe
GET
200
74.125.4.169:80
http://r4---sn-aigzrne7.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.92.25.20&mm=28&mn=sn-aigzrne7&ms=nvh&mt=1571062399&mv=m&mvi=3&pl=24&shardbypass=yes
US
crx
862 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4068
chrome.exe
172.217.21.195:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2416
write.exe
178.62.190.33:443
trans-can.net
Digital Ocean, Inc.
NL
unknown
4068
chrome.exe
216.58.206.13:443
accounts.google.com
Google Inc.
US
whitelisted
2296
gup.exe
2.57.89.199:443
notepad-plus-plus.org
suspicious
4068
chrome.exe
172.217.18.10:443
fonts.googleapis.com
Google Inc.
US
whitelisted
4068
chrome.exe
216.58.207.35:443
www.google.com.ua
Google Inc.
US
whitelisted
4068
chrome.exe
172.217.18.99:443
www.gstatic.com
Google Inc.
US
whitelisted
4068
chrome.exe
172.217.22.46:443
apis.google.com
Google Inc.
US
whitelisted
4068
chrome.exe
172.217.22.99:443
www.google.co.uk
Google Inc.
US
whitelisted
4068
chrome.exe
172.217.16.142:443
ogs.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
trans-can.net
  • 178.62.190.33
malicious
notepad-plus-plus.org
  • 2.57.89.199
whitelisted
clientservices.googleapis.com
  • 172.217.21.195
whitelisted
accounts.google.com
  • 216.58.206.13
shared
www.google.com.ua
  • 216.58.207.35
whitelisted
fonts.googleapis.com
  • 172.217.18.10
whitelisted
www.gstatic.com
  • 172.217.18.99
whitelisted
fonts.gstatic.com
  • 172.217.21.195
whitelisted
apis.google.com
  • 172.217.22.46
whitelisted
ogs.google.com
  • 172.217.16.142
whitelisted

Threats

No threats detected
Process
Message
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
bfad291d000b56ddd8a331d7283685b2_bfad291d000b56ddd8a331d7283685b2.doc.zip