invoice_11154.doc

Full analysis: https://app.any.run/tasks/7a31062f-a627-4dc4-acfa-df51ddc17e89
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 31, 2020, 01:18:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, exploit, CVE-2017-11882, loader
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5: FEA305C794061FEB3DE9E74EA2B17665
SHA1: 5DF3D3A234B61236177F7C866B6215DEA856CB03
SHA256: 7EA775CE3D1BBEC6A0956B651D6FAA66C9C56C7C9FABB700CC8F4F2A972E6AA2
SSDEEP: 3072:eqAVMsdDxYjSqptRStTk6EtyOv2IpTPwGccPr4aldBbJzrCAk9:eBVVdDUp3StPseIp8GccPr7nzi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 304)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3376)
    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3376)
  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3376)
    • Executed via COM

      • EQNEDT32.EXE (PID: 3376)
    • Reads Internet Cache Settings

      • EQNEDT32.EXE (PID: 3376)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3376)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3440)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3440)
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
Total processes: 37
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive in the full report): winword.exe (no specs), eqnedt32.exe, vbc.exe (no specs); edge legend: start, drop and start.

Process information

PID: 3440
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\invoice_11154.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators: none
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3376
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Indicators: none
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 304
CMD: "C:\Users\admin\AppData\Roaming\vbc.exe"
Path: C:\Users\admin\AppData\Roaming\vbc.exe
Indicators: none
Parent process: EQNEDT32.EXE
User: admin
Integrity Level: MEDIUM
Total events: 1 835
Read events: 1 231
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 0
Text files: 0
Unknown types: 2

Dropped files

PID | Process | Filename | Type
3440 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6CBC.tmp.cvr |
MD5:
SHA256:
3440 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$voice_11154.doc | pgc
MD5: D73E45B6DB5EF2F74FA2EE53F58F540A
SHA256: 65211F6950CE6D0D2E32DF7091BBDA943960103346D8F934B97C4C58FE599736
3376 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\winlog[1].exe | executable
MD5: 68F44B2C0569666F3FD153760D3DF754
SHA256: 1ED138BB060F9ADAA33073CB429BB31646C7DC2EFF46E41989D39A32286DDF01
3440 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
MD5: 13B9A1AA81EF2E2C842E89662D536BE3
SHA256: 10364BB14E47C68B53C561CB8C947020A5A9966287FF5C6B71541A0CC8E8041B
3376 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\vbc.exe | executable
MD5: 68F44B2C0569666F3FD153760D3DF754
SHA256: 1ED138BB060F9ADAA33073CB429BB31646C7DC2EFF46E41989D39A32286DDF01

HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3376 | EQNEDT32.EXE | GET | 200 | 103.140.250.215:80 | http://kungfrdyeducationalinvestment8agender.duckdns.org/kungdoc/winlog.exe | unknown | executable | 1.55 Mb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3376 | EQNEDT32.EXE | 103.140.250.215:80 | kungfrdyeducationalinvestment8agender.duckdns.org | | | malicious

DNS requests

Domain | IP | Reputation
kungfrdyeducationalinvestment8agender.duckdns.org | 103.140.250.215 | malicious

Threats

PID | Process | Class | Message
| | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3376 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download
3376 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
No debug info