analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

7d2cc57e27e849fb0617a3a73d68d302c6efc6d849c05fcb0776b82a74d4de9c.docx

Full analysis: https://app.any.run/tasks/863ae8fc-87b6-42c5-a37a-1b0d2908c018
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: November 08, 2019, 14:25:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
exploit
CVE-2017-11882
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

02DD4A91651B0DDADE7F32D040A27ED0

SHA1:

C58351BD3B38EE593DD9A03BFFAD18B2F0D94705

SHA256:

7D2CC57E27E849FB0617A3A73D68D302C6EFC6D849C05FCB0776B82A74D4DE9C

SSDEEP:

192:fMY3bfPwBgAyLCM0rzaGefWIgHa1uDv4YLLdm1C7lqKrT/rTRrTNGf:/LfkuirgfWINQv4YfdmQ57rT/rTRrTcf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3064)

    • Application was dropped or rewritten from another process

      • grv.exe (PID: 1560)

    • Changes the autorun value in the registry

      • grv.exe (PID: 1560)

    • Downloads executable files with a strange extension

      • EQNEDT32.EXE (PID: 3064)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3064)

  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 3064)
      • explorer.exe (PID: 3096)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3064)
      • grv.exe (PID: 1560)

    • Creates files in the user directory

      • grv.exe (PID: 1560)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 896)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 896)

    • Application was crashed

      • EQNEDT32.EXE (PID: 3064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XMP

Description: -
Creator: Windows User
Subject: -
Title: -

XML

ModifyDate: 2019:08:29 10:59:00Z
CreateDate: 2019:07:17 10:07:00Z
RevisionNumber: 7
LastModifiedBy: Windows User
Keywords: -
AppVersion: 12
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 31
LinksUpToDate: No
Company: -
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 28
Words: 4
Pages: 1
TotalEditTime: 11 minutes
Template: BA481970.tmp

ZIP

ZipFileName: word/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2019:08:29 12:00:16
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
5
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winword.exe eqnedt32.exe explorer.exe no specs explorer.exe no specs grv.exe

Process information

PID
CMD
Path
Indicators
Parent process
896"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\7d2cc57e27e849fb0617a3a73d68d302c6efc6d849c05fcb0776b82a74d4de9c.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3064"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
836"C:\Windows\explorer.exe" C:\$Wl\grv.exeC:\Windows\explorer.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3096C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1560"C:\$Wl\grv.exe" C:\$Wl\grv.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
6.1.7600.16386
Total events
1 793
Read events
1 047
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
24
Text files
6
Unknown types
2

Dropped files

PID
Process
Filename
Type
896WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA66C.tmp.cvr
MD5:
SHA256:
896WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{544A9139-955B-480D-9983-2D7CD4C2DF33}
MD5:
SHA256:
896WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{7A38EEE5-7802-47A2-BA37-F270258EDE7E}
MD5:
SHA256:
3064EQNEDT32.EXEC:\$Wl\grv
MD5:
SHA256:
896WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7B23DD1F-9169-4342-AE0E-7E4815B971B6}.tmp
MD5:
SHA256:
896WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:08CB95F851F2FF70A6C812DBA3163B23
SHA256:48B06D91C7AD9E777C4D5956D523D7A0E6618E1D8B28B635C06DD73399F075FD
896WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:8B378DCC62035BBABEF8B1C2A131A338
SHA256:7C1F83E56B3CF1632E1D1DDD8BFD13219F8133599041726FA2EA3FB98B22B275
896WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E74FBE59-32C7-428A-85C8-649BA5CD06F2}.FSDbinary
MD5:74F8D820731DE7DA205C6C1FED5EB5FC
SHA256:E3595B506114420E754ACFABD7AC9775BB18699CB001327B070181383D81C89D
896WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDbinary
MD5:76C9AC18B5A467F6108ABDA78EF4BE60
SHA256:358BB15FE925AE4B84DE042633B450BA0E33C9319E1F80F878815D5CB26BF2D3
3064EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\g[1].txtexecutable
MD5:3C25A6F5E2B047214AFB4C907F10CD47
SHA256:D92D6B4DDDECCF6339AB783133E8382B2BB67E33AA71DA83C9223585C004B0FD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
11
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1000
svchost.exe
OPTIONS
301
203.124.44.32:80
http://comglobal.com.pk/
PK
suspicious
896
WINWORD.EXE
OPTIONS
203.124.44.32:80
http://comglobal.com.pk/wp-content/
PK
suspicious
1000
svchost.exe
OPTIONS
203.124.44.32:80
http://www.comglobal.com.pk/
PK
suspicious
1560
grv.exe
POST
200
162.222.215.179:80
http://tvnservereventlog.net/tqwewr.php
US
suspicious
1560
grv.exe
POST
200
162.222.215.179:80
http://tvnservereventlog.net/tqwewr.php
US
suspicious
1000
svchost.exe
OPTIONS
403
203.124.44.32:80
http://www.comglobal.com.pk/
PK
html
42.4 Kb
suspicious
3064
EQNEDT32.EXE
GET
200
210.56.11.11:80
http://nim.gov.pk/img/g.txt
PK
executable
55.7 Kb
malicious
1560
grv.exe
POST
200
162.222.215.179:80
http://tvnservereventlog.net/tqwewr.php
US
suspicious
1560
grv.exe
POST
200
162.222.215.179:80
http://tvnservereventlog.net/tqwewr.php
US
suspicious
1000
svchost.exe
OPTIONS
403
203.124.44.32:80
http://www.comglobal.com.pk/
PK
html
42.4 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3064
EQNEDT32.EXE
210.56.11.11:80
nim.gov.pk
Commission on Science and Technology for
PK
malicious
1560
grv.exe
162.222.215.179:80
tvnservereventlog.net
Admo.net LLC
US
suspicious
896
WINWORD.EXE
203.124.44.32:80
comglobal.com.pk
Commission on Science and Technology for
PK
suspicious
1000
svchost.exe
203.124.44.32:80
comglobal.com.pk
Commission on Science and Technology for
PK
suspicious

DNS requests

Domain
IP
Reputation
comglobal.com.pk
  • 203.124.44.32
suspicious
nim.gov.pk
  • 210.56.11.11
malicious
www.comglobal.com.pk
  • 203.124.44.32
suspicious
tvnservereventlog.net
  • 162.222.215.179
suspicious

Threats

PID
Process
Class
Message
3064
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3064
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN Possible Windows executable sent when remote host claims to send a Text File
3064
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3064
EQNEDT32.EXE
Misc activity
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
7d2cc57e27e849fb0617a3a73d68d302c6efc6d849c05fcb0776b82a74d4de9c.docx