URL: http://107.173.219.56/document.doc
Full analysis: https://app.any.run/tasks/f9a40a0e-f550-4df1-a7a0-82d36d55e684
Verdict: Malicious activity
Threats: Loader

A loader is malicious software that infiltrates a device in order to deliver further payloads. It profiles the victim's system and installs other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable, and loaders employ evasion and persistence tactics to avoid detection.

Analysis date: October 20, 2020, 02:44:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, CVE-2017-11882, loader
Indicators:
MD5: 5678E5CF52EF18D3D10972E408770A49
SHA1: 10451576EE78685F6D6BFA3659AC283F21C173DF
SHA256: 77096A6066ED6F80D9F8A833623D01B24B61A48323A7215458E5B9065BF37C1F
SSDEEP: 3:N1Kt4PckNHpR1d:COPc6Jzd

Note that an SSDEEP block size of 3 is only produced for an input of at most a few hundred bytes, so these hashes are consistent with the submitted URL string, not with the 11.6 Kb document.doc or the 574 Kb uuu.exe seen in the HTTP traffic below. Pivot on the dropped-file and network artifacts rather than on these values.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • vbc.exe (PID: 3420)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 1500)
    • Downloads executable files from the Internet
      • EQNEDT32.EXE (PID: 1500)
    • Downloads executable files from IP
      • EQNEDT32.EXE (PID: 1500)
  • SUSPICIOUS
    • Application launched itself
      • WINWORD.EXE (PID: 4056)
    • Starts Microsoft Office Application
      • firefox.exe (PID: 2636)
      • WINWORD.EXE (PID: 4056)
    • Reads Internet Cache Settings
      • EQNEDT32.EXE (PID: 1500)
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 1500)
    • Executed via COM
      • EQNEDT32.EXE (PID: 1500)
    • Creates files in the user directory
      • EQNEDT32.EXE (PID: 1500)
  • INFO
    • Reads CPU info
      • firefox.exe (PID: 2636)
    • Creates files in the program directory
      • firefox.exe (PID: 2636)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2452)
      • WINWORD.EXE (PID: 4056)
    • Reads Internet Cache Settings
      • firefox.exe (PID: 2636)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 4056)
      • firefox.exe (PID: 2636)
    • Application launched itself
      • firefox.exe (PID: 2492)
      • firefox.exe (PID: 2636)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Malware configuration: no data
All screenshots are available in the full report
Total processes: 48
Monitored processes: 11
Malicious processes: 1
Suspicious processes: 0

Behavior graph (monitored processes as drawn in the report; edges are "start" or "drop and start")

firefox.exe (×6) → winword.exe (×2) → eqnedt32.exe → vbc.exe → regasm.exe

regasm.exe appears as the last node of the graph but has no row in the process table below.

Process information

PID: 2492
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" "http://107.173.219.56/document.doc"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 68.0.1

PID: 2636
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" http://107.173.219.56/document.doc
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 68.0.1

PID: 4064
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2636.0.1125798496\1080676078" -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2636 "\\.\pipe\gecko-crash-server-pipe.2636" 1160 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 68.0.1

PID: 2700
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2636.3.1606212534\1822977404" -childID 1 -isForBrowser -prefsHandle 1660 -prefMapHandle 1352 -prefsLen 1 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2636 "\\.\pipe\gecko-crash-server-pipe.2636" 1748 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 68.0.1

PID: 3276
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2636.13.1289876982\292655811" -childID 2 -isForBrowser -prefsHandle 2800 -prefMapHandle 2804 -prefsLen 5996 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2636 "\\.\pipe\gecko-crash-server-pipe.2636" 2816 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 68.0.1

PID: 3552
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2636.20.265852868\1227283005" -childID 3 -isForBrowser -prefsHandle 3548 -prefMapHandle 3488 -prefsLen 6718 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2636 "\\.\pipe\gecko-crash-server-pipe.2636" 3632 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 68.0.1

PID: 4056
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\document.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: firefox.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2452
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 1500
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 3420
CMD: "C:\Users\admin\AppData\Roaming\vbc.exe"
Path: C:\Users\admin\AppData\Roaming\vbc.exe
Parent process: EQNEDT32.EXE
User: admin
Integrity Level: MEDIUM
Description: Sad
Exit code: 0
Version: 0.0.0.0
Total events: 3,304
Read events: 2,537
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 2
Suspicious files: 49
Text files: 33
Unknown types: 45

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2636 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | - | - | -
2636 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | - | - | -
2636 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | - | - | -
2636 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | - | - | -
2636 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | - | - | -
2636 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm | - | - | -
2636 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp | - | - | -
2636 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-current.bin | binary | 5027177F513CDAE07DB2330E1DED5934 | 0C53F16051E738287A4612F68E296238087627E594CFD6DDFA1FECC2E998328B
2636 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4 | jsonlz4 | 6D378E0D40B6EACA22C8BCE899A1C5C1 | ADA2467B2477ACEFF837AC7820C435AD1EBBE844B2DA31C7AB9AE8D010C7A639
2636 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | DE9496ACA551ADE408EF6466A11833A1 | 8F9C7FDB3E0BC01024E43A8E242468FC4DD4F74C725E32A883571635203DC10A

Empty cells were empty in the report. Every file listed here is ordinary Firefox profile state; the two executable files counted above, including the vbc.exe that EQNEDT32.EXE dropped and ran, are not among the rows shown in this excerpt.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 17
DNS requests: 58
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2636 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2636 | firefox.exe | GET | 200 | 107.173.219.56:80 | http://107.173.219.56/document.doc | US | text | 11.6 Kb | suspicious
2636 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2636 | firefox.exe | POST | 200 | 172.217.23.99:80 | http://ocsp.pki.goog/gts1o1core | US | der | 472 b | whitelisted
2636 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
1500 | EQNEDT32.EXE | GET | 200 | 107.173.219.56:80 | http://107.173.219.56/uuu.exe | US | executable | 574 Kb | suspicious
2636 | firefox.exe | POST | 200 | 172.217.23.99:80 | http://ocsp.pki.goog/gts1o1core | US | der | 472 b | whitelisted
2636 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2636 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | - | US | whitelisted
2636 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2636 | firefox.exe | 107.173.219.56:80 | - | ColoCrossing | US | suspicious
2636 | firefox.exe | 216.58.205.234:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
2636 | firefox.exe | 172.217.23.99:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
2636 | firefox.exe | 35.161.199.137:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown
2636 | firefox.exe | 99.86.7.30:443 | content-signature-2.cdn.mozilla.net | AT&T Services, Inc. | US | unknown
2636 | firefox.exe | 99.86.7.101:443 | firefox.settings.services.mozilla.com | AT&T Services, Inc. | US | suspicious
2636 | firefox.exe | 99.86.7.78:443 | snippets.cdn.mozilla.net | AT&T Services, Inc. | US | unknown
2636 | firefox.exe | 52.26.249.11:443 | push.services.mozilla.com | Amazon.com, Inc. | US | suspicious

DNS requests

Domain | IP | Reputation
detectportal.firefox.com | 34.107.221.82 | whitelisted
prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82 | whitelisted
search.services.mozilla.com | 35.161.199.137, 54.148.7.60, 52.13.211.193 | whitelisted
search.r53-2.services.mozilla.com | 52.13.211.193, 54.148.7.60, 35.161.199.137 | whitelisted
push.services.mozilla.com | 52.26.249.11 | whitelisted
autopush.prod.mozaws.net | 52.26.249.11 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
cs9.wac.phicdn.net | 93.184.220.29 | whitelisted
snippets.cdn.mozilla.net | 99.86.7.78, 99.86.7.80, 99.86.7.36, 99.86.7.110 | whitelisted
d228z91au11ukj.cloudfront.net | 99.86.7.110, 99.86.7.36, 99.86.7.80, 99.86.7.78 | whitelisted

Threats

PID | Process | Class | Message
2636 | firefox.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request
2636 | firefox.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD
2636 | firefox.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD
1500 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host
1500 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
1500 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
1500 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1500 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
1500 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response
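The Emerging Threats alerts above all key on the same few observations in the HTTP requests table: a document and then an executable requested from a bare IP address, a short alphanumeric file name ending in .exe, a PE body in the response, and a requester that is not a browser. The following Python is an added example, not ANY.RUN's or Emerging Threats' code: it re-derives those alerts from a constructed, pipe-delimited rendering of the HTTP requests table (input built for this example), so the logic can be run against a proxy or sandbox HTTP log offline. The "terse executable" pattern is this example's own approximation of the ET rule, not its actual content match.

```python
"""Network-side triage of the HTTP requests in this sandbox report.

Added example, not code from ANY.RUN or Emerging Threats. HTTP_LOG is a
constructed, pipe-delimited rendering of the HTTP requests table; the
alert strings paraphrase the ET messages listed under Threats, and
TERSE_EXE is this example's own approximation of the ET "terse
alphanumeric executable downloader" pattern.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed log: pid|process|method|status|ip:port|url|type|size
HTTP_LOG = """\
2636|firefox.exe|POST|200|93.184.220.29:80|http://ocsp.digicert.com/|der|471 b
2636|firefox.exe|GET|200|107.173.219.56:80|http://107.173.219.56/document.doc|text|11.6 Kb
2636|firefox.exe|POST|200|172.217.23.99:80|http://ocsp.pki.goog/gts1o1core|der|472 b
1500|EQNEDT32.EXE|GET|200|107.173.219.56:80|http://107.173.219.56/uuu.exe|executable|574 Kb
2636|firefox.exe|GET|200|34.107.221.82:80|http://detectportal.firefox.com/success.txt|text|8 b
"""

# Processes that should never be the HTTP client for a download.
NON_BROWSER_FETCHERS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
TERSE_EXE = re.compile(r"^/[A-Za-z0-9]{1,8}\.exe$")   # e.g. /uuu.exe
DOC_EXT = (".doc", ".docx", ".rtf", ".xls", ".xlsx")


def parse_log(text: str) -> List[Dict[str, object]]:
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, proc, method, status, ipport, url, ctype, size = line.split("|")
        rows.append(dict(pid=int(pid), process=proc, method=method, status=int(status),
                         ip=ipport.rsplit(":", 1)[0], url=url, type=ctype, size=size))
    return rows


def is_dotted_quad(url: str) -> bool:
    """True when the URL host is an IP literal rather than a name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def alerts_for(row: Dict[str, object]) -> List[str]:
    out: List[str] = []
    url = str(row["url"])
    path = urlsplit(url).path
    dq = is_dotted_quad(url)
    if dq and path.lower().endswith(DOC_EXT):
        out.append("document request to dotted-quad host")          # ET INFO Dotted Quad Host DOC Request
    if dq and row["type"] == "executable":
        out.append("executable download from dotted-quad host")     # ET INFO Executable Download / MZ Response
    if TERSE_EXE.match(path):
        out.append("terse alphanumeric executable URI")             # ET CURRENT_EVENTS Terse ... downloader
    if str(row["process"]).lower() in NON_BROWSER_FETCHERS:
        out.append(f"{row['process']} (not a browser) fetched {url}")
    return out


def triage_http(log_text: str) -> Dict[int, List[str]]:
    """Map each requesting PID to the alerts its requests raised; quiet PIDs are omitted."""
    result: Dict[int, List[str]] = {}
    for row in parse_log(log_text):
        hits = alerts_for(row)
        if hits:
            result.setdefault(int(row["pid"]), []).extend(hits)
    return result


if __name__ == "__main__":
    for pid, hits in triage_http(HTTP_LOG).items():
        for h in hits:
            print(f"PID {pid}: {h}")
```

The OCSP and captive-portal requests raise nothing, which is the point of requiring a dotted-quad host or a non-browser client before alerting: the same rules applied to the browser's own background traffic stay silent.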
No debug info