File name: Amended_INVOICE.doc
Full analysis: https://app.any.run/tasks/aab97e12-d24e-43cd-bd30-5e1d029eeb72
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 18, 2018, 13:47:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, exploit, CVE-2017-11882, loader
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: B975B190C7375B3112DEBB2584176ABC
SHA1: 88315DE7E73286FCE01B854BD6106072544AA5A1
SHA256: 604EB30D8A7C1B340C03274374A7547439E5DB0F00F962D5214363248970E5B0
SSDEEP: 24576:M3h/A6ESkgtTD0ZA9oAOF6xsjuuUR41x4J04/lQM8PBRc:k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 234345.bat (PID: 3236)
    • Downloads executable files from the Internet
      • EQNEDT32.EXE (PID: 3332)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 3332)
    • Suspicious connection from the Equation Editor
      • EQNEDT32.EXE (PID: 3332)
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 2968)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 3332)
    • Creates files in the user directory
      • EQNEDT32.EXE (PID: 3332)
    • Suspicious files were dropped or overwritten
      • EQNEDT32.EXE (PID: 3332)
    • Starts application with an unusual extension
      • EQNEDT32.EXE (PID: 3332)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2968)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2968)
No Malware configuration.
No data.
Total processes: 33
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes shown: winword.exe, eqnedt32.exe, 234345.bat (edge types: start, drop and start; "no specs" marks a process with no signature hits). The rendered graph is in the full report.

Process information

PID: 2968
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Amended_INVOICE.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3332
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 3236
CMD: "C:\Users\admin\234345.bat"
Path: C:\Users\admin\234345.bat
Parent process: EQNEDT32.EXE
User: admin
Company: dispensible9
Integrity Level: MEDIUM
Description: kakogo
Version: 7.02.0008
Total events: 1 087
Read events: 740
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 3
Suspicious files: 0
Text files: 1
Unknown types: 3

Dropped files

PID: 2968 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVRAB28.tmp
Type: cvr
MD5:
SHA256:

PID: 2968 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 09303C5EF5F12FB31111FE016D1250EF
SHA256: E3B323EC5BCD000A96D19845402FBE80DA41F448031A57FF21933795FC09823D

PID: 2968 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\~$ended_INVOICE.doc
Type: pgc
MD5: BBEDBE7D9065D57153EF2E459B3E4EE8
SHA256: D66A69ADEFD85DE688E974C6AF21468FC5CE05D8F7AE33ADF21ADE988D91A110

PID: 3332 (EQNEDT32.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt
Type: text
MD5: B88A497C92250F0F21EB6EE91EA47A7D
SHA256: 780B1AFE55D28B3A0892DDB153A9EFC3BA403614066C2D6665E908AFC684528A

PID: 3332 (EQNEDT32.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\qazxswqaz[1].jpg
Type: executable
MD5: 18DDE9ADA9AB3D86BCA598BCDDB838EB
SHA256: 3A6408DE460E3D57B0BEA55615AA5ED9F84773513A6A2B978133F1D44B391822

PID: 3332 (EQNEDT32.EXE)
Filename: C:\Users\admin\234345.bat
Type: executable
MD5: 18DDE9ADA9AB3D86BCA598BCDDB838EB
SHA256: 3A6408DE460E3D57B0BEA55615AA5ED9F84773513A6A2B978133F1D44B391822

PID: 2968 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D2AB82A5.jpg
Type: executable
MD5: 00FC8849E20E33C626902ED2DE1721A1
SHA256: E5A413375CBB7B0F0ED5CD08B951B3B538F64478D18CED653B62379214591ED4

PID: 3332 (EQNEDT32.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
Type: dat
MD5: D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256: 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID   Process       Method  HTTP Code  IP                  URL                                CN  Type        Size    Reputation
3332  EQNEDT32.EXE  GET     200        221.121.138.114:80  http://com2c.com.au/qazxswqaz.jpg  AU  executable  630 Kb  malicious
3332  EQNEDT32.EXE  GET     301        67.199.248.10:80    http://bit.ly/2rDJDgP              US  html        120 b   shared

Connections

PID   Process       IP                  Domain         ASN                          CN  Reputation
3332  EQNEDT32.EXE  67.199.248.10:80    bit.ly         Bitly Inc                    US  shared
3332  EQNEDT32.EXE  221.121.138.114:80  com2c.com.au   Wholesale Services Provider  AU  suspicious

DNS requests

Domain        IP                              Reputation
bit.ly        67.199.248.10, 67.199.248.11    shared
com2c.com.au  221.121.138.114                 malicious

Threats

PID   Process       Class                                  Message
3332  EQNEDT32.EXE  Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
3332  EQNEDT32.EXE  A Network Trojan was detected          ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3332  EQNEDT32.EXE  A Network Trojan was detected          SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server
3332  EQNEDT32.EXE  Misc activity                          SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
1 ETPRO signature is available in the full report
No debug info