File name: 7d2cc57e27e849fb0617a3a73d68d302c6efc6d849c05fcb0776b82a74d4de9c

Full analysis: https://app.any.run/tasks/2f692880-c8a6-4955-9ff6-4741428f23bf
Verdict: Malicious activity
Analysis date: November 08, 2019, 14:22:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 02DD4A91651B0DDADE7F32D040A27ED0
SHA1: C58351BD3B38EE593DD9A03BFFAD18B2F0D94705
SHA256: 7D2CC57E27E849FB0617A3A73D68D302C6EFC6D849C05FCB0776B82A74D4DE9C
SSDEEP: 192:fMY3bfPwBgAyLCM0rzaGefWIgHa1uDv4YLLdm1C7lqKrT/rTRrTNGf:/LfkuirgfWINQv4YfdmQ57rT/rTRrTcf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Executed via COM
      • EQNEDT32.EXE (PID: 2740)
    • Unusual connect from Microsoft Office
      • WINWORD.EXE (PID: 2568)
    • Reads Internet Cache Settings
      • WINWORD.EXE (PID: 2568)
  • INFO
    • Application was crashed
      • EQNEDT32.EXE (PID: 2740)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2568)
    • Reads the machine GUID from the registry
      • WINWORD.EXE (PID: 2568)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2568)
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XMP

Description: -
Creator: Windows User
Subject: -
Title: -

XML

ModifyDate: 2019:08:29 10:59:00Z
CreateDate: 2019:07:17 10:07:00Z
RevisionNumber: 7
LastModifiedBy: Windows User
Keywords: -
AppVersion: 12
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 31
LinksUpToDate: No
Company: -
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 28
Words: 4
Pages: 1
TotalEditTime: 11 minutes
Template: BA481970.tmp

ZIP

ZipFileName: word/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2019:08:29 12:00:16
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process chain)

start > winword.exe > eqnedt32.exe

Process information

PID: 2568
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\7d2cc57e27e849fb0617a3a73d68d302c6efc6d849c05fcb0776b82a74d4de9c.docx"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators: -
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.5123.5000

PID: 2740
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Indicators: -
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900
Total events: 1 660
Read events: 905
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 22
Text files: 8
Unknown types: 3

Dropped files

PID: 2568 | Process: WINWORD.EXE | Type: -
Filename: C:\Users\admin\AppData\Local\Temp\CVR4F75.tmp.cvr
MD5: -
SHA256: -

PID: 2568 | Process: WINWORD.EXE | Type: -
Filename: C:\Users\admin\AppData\Local\Temp\{D4D9940D-3C3C-4098-8F37-0C336C61EFB6}
MD5: -
SHA256: -

PID: 2568 | Process: WINWORD.EXE | Type: -
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{173B1E30-46FE-4E0C-ADC9-4081F9DFE23B}.tmp
MD5: -
SHA256: -

PID: 2568 | Process: WINWORD.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
MD5: 2DB66D5BA1607038A4F7E63B2EA35F1D
SHA256: C3135C12755140D5EE6FC59247FAAFE743E145C3E4D69AC02960AE9B2B3186E9

PID: 2568 | Process: WINWORD.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
MD5: 0F09BB032DAE1443D2B4CF31FB8FA698
SHA256: E5A96B74BECB6BD89F0E006EE6341EDB54255118ABE6E27715CD0059690E635C

PID: 2568 | Process: WINWORD.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\{135D7336-E01D-49D4-8B8E-05C9E26A2A26}
MD5: D178B6D860494B1192DC7768F051E139
SHA256: D30E1B03AEF4CF815389CAAE4301012992631DF48DB50D11A2C0168DCB3B18D2

PID: 2568 | Process: WINWORD.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{AEFBC2D1-B597-41C1-A7C8-B1140E4358B3}.FSD
MD5: EAAFD053966757DC2C60EAAC9B3420CC
SHA256: 9281D954CF14E1164BD726706B6790C070748F7FA8C5EBC2A7F0A18645FBC157

PID: 2568 | Process: WINWORD.EXE | Type: pgc
Filename: C:\Users\admin\Desktop\~$2cc57e27e849fb0617a3a73d68d302c6efc6d849c05fcb0776b82a74d4de9c.docx
MD5: EC88F4D49578741ECD82349CC9D90C7F
SHA256: 33A16B95E14E580BCD2E9C09B4522DACF6C6D9DACA3832C272D57362E60B0A75

PID: 2568 | Process: WINWORD.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{541EFFAF-1635-450E-BB8A-96061EEFB99C}.FSD
MD5: B528699555AFAFE5A104CA358A2ED764
SHA256: 8E03AFCA02F1EA88FC90A7E9649710B35FD7CA02CF91A7CBB0A3007C49A92BF2

PID: 2568 | Process: WINWORD.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
MD5: D572496DB63A1A41CF4DD119F03E0A80
SHA256: E4BC48A6CEAF193C628824368ACDD39C9C3DE4CAF88A0B71DA33966C80CD158F
HTTP(S) requests: 6
TCP/UDP connections: 5
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2568 | WINWORD.EXE | HEAD | 200 | 203.124.44.32:80 | http://comglobal.com.pk/wp-content/g | PK | - | - | suspicious
876 | svchost.exe | OPTIONS | 301 | 203.124.44.32:80 | http://comglobal.com.pk/wp-content | PK | - | - | suspicious
876 | svchost.exe | OPTIONS | - | 203.124.44.32:80 | http://www.comglobal.com.pk/wp-content | PK | - | - | suspicious
2568 | WINWORD.EXE | OPTIONS | 200 | 203.124.44.32:80 | http://comglobal.com.pk/wp-content/ | PK | - | - | suspicious
2568 | WINWORD.EXE | HEAD | 200 | 203.124.44.32:80 | http://comglobal.com.pk/wp-content/g | PK | text | 9.13 Kb | suspicious
2568 | WINWORD.EXE | GET | 200 | 203.124.44.32:80 | http://comglobal.com.pk/wp-content/g | PK | text | 9.13 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
876 | svchost.exe | 203.124.44.32:80 | comglobal.com.pk | Commission on Science and Technology for | PK | suspicious
2568 | WINWORD.EXE | 203.124.44.32:80 | comglobal.com.pk | Commission on Science and Technology for | PK | suspicious

DNS requests

Domain | IP | Reputation
comglobal.com.pk | 203.124.44.32 | suspicious
www.comglobal.com.pk | 203.124.44.32 | suspicious

Threats

PID | Process | Class | Message
2568 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS DRIVEBY GENERIC ShellExecute in Hex No Seps
2568 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Possible RTF File With Obfuscated Version Header
No debug info