analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

RFQ 491160 PO-CARANA-11-2018-109159.doc

Full analysis: https://app.any.run/tasks/7675e88a-a791-4ddb-96ae-295b457ecebb
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 08, 2018, 10:23:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
exploit
CVE-2017-11882
pony
fareit
loader
autoit
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF, CR line terminators, with escape sequences
MD5:

973B90347B0CA720B054B51C04A57703

SHA1:

7053DF57307B19C5858336DF2FD1EFACC064E44D

SHA256:

BE47E164CC43350CDC93DD76B81392634F7542CAE60C0946A5B34CA1DCE16EAF

SSDEEP:

192:wuDiyjxqyjgxyL0ZSMXn+bi3NRISzrmyCKyu6WOR7pUJhFV:Dqy0h6yNRISzrmyCKyrWwdUTFV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3120)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3120)
    • Application was dropped or rewritten from another process

      • 1.pif (PID: 2816)
      • cox.exe (PID: 2916)
      • cox.exe (PID: 984)
    • Connects to CnC server

      • RegSvcs.exe (PID: 1052)
    • Detected Pony/Fareit Trojan

      • RegSvcs.exe (PID: 1052)
    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3120)
    • Downloads executable files with a strange extension

      • EQNEDT32.EXE (PID: 3120)
    • Actions looks like stealing of personal data

      • RegSvcs.exe (PID: 1052)
  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3120)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3120)
      • 1.pif (PID: 2816)
    • Starts application with an unusual extension

      • EQNEDT32.EXE (PID: 3120)
    • Drop AutoIt3 executable file

      • 1.pif (PID: 2816)
    • Starts CMD.EXE for commands execution

      • RegSvcs.exe (PID: 1052)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3644)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3644)
    • Dropped object may contain Bitcoin addresses

      • cox.exe (PID: 2916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
7
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs eqnedt32.exe 1.pif cox.exe no specs cox.exe no specs #PONY regsvcs.exe cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3644"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\RFQ 491160 PO-CARANA-11-2018-109159.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3120"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2816C:\Users\admin\AppData\Local\Temp\1.pifC:\Users\admin\AppData\Local\Temp\1.pif
EQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2916"C:\Users\admin\AppData\Local\Temp\37255866\cox.exe" otg=ohc C:\Users\admin\AppData\Local\Temp\37255866\cox.exe1.pif
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 5
984C:\Users\admin\AppData\Local\Temp\37255866\cox.exe C:\Users\admin\AppData\Local\Temp\37255866\EMDMOC:\Users\admin\AppData\Local\Temp\37255866\cox.execox.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 5
1052"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
cox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Exit code:
0
Version:
4.6.1055.0 built by: NETFXREL2
2784cmd /c ""C:\Users\admin\AppData\Local\Temp\1599031.bat" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "C:\Windows\system32\cmd.exeRegSvcs.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 801
Read events
1 445
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
0
Text files
49
Unknown types
3

Dropped files

PID
Process
Filename
Type
3644WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR31B9.tmp.cvr
MD5:
SHA256:
3644WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:A4DC25B40AAEF92DCDE38C506EC93C7B
SHA256:E23A1AB7F6A3E45A91FB7675584C3AA1C13252B68A9E32AFCC33F21FA3324896
3120EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txttext
MD5:026AF22A3DE48865F7F718BB051A3C0F
SHA256:96DE977CBB44DDD203470BA2E7E901C04A8947D4B7FD44D8BC055054562A1BAD
3120EQNEDT32.EXEC:\Users\admin\AppData\Local\Temp\1.pifexecutable
MD5:DC5EAFDDE5A0948FABE08662545BB4DD
SHA256:DAFF04EAAA25D729082584AFB2348DEC126C1F3DF8C8676CA0DDE7071044580A
28161.pifC:\Users\admin\AppData\Local\Temp\37255866\otg=ohctext
MD5:4B086BC366E559905A79115F9ABB0107
SHA256:2AB2BF211278220B178B5B1A78DB027699F919684C8B3602DBCC0E79B60D89A1
28161.pifC:\Users\admin\AppData\Local\Temp\37255866\bvm.pdftext
MD5:B31F4E334F5D505FA8538B573F9A75F0
SHA256:D6D9A6A02D378234E19A18A59A24C4882E96CD47D1F4E334FA5375D3AF6F7B72
28161.pifC:\Users\admin\AppData\Local\Temp\37255866\iwt.icotext
MD5:734A9C50F949AF596D4A0EB1302286B5
SHA256:DD891745DE1841B2AD2B2BA007E74E8323378C5E4C4DE1DB89652832E4D9BFA8
3644WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$Q 491160 PO-CARANA-11-2018-109159.docpgc
MD5:2111F8DDBA48B2C658F3CCC24D10EB63
SHA256:C2A60604FD266ED7B9AE1B926C1E6B9F1B80E70CDD481C657A20693913635ECD
28161.pifC:\Users\admin\AppData\Local\Temp\37255866\cpl.dattext
MD5:F63BA22E6FB847DA2D65B67231D62A55
SHA256:03ED91F7CE246BAEBB5BF6281F282511475FC86B31687C0C467B779F4D696170
3120EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\nnnjj[1].pngexecutable
MD5:DC5EAFDDE5A0948FABE08662545BB4DD
SHA256:DAFF04EAAA25D729082584AFB2348DEC126C1F3DF8C8676CA0DDE7071044580A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3120
EQNEDT32.EXE
GET
200
221.121.138.114:80
http://com2c.com.au/nnnjj.png
AU
executable
735 Kb
malicious
1052
RegSvcs.exe
POST
111.90.144.65:80
http://aveiro-maroc.cf/server/gate.php
MY
malicious
3120
EQNEDT32.EXE
GET
301
67.199.248.10:80
http://bit.ly/2D9mdqL
US
html
116 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3120
EQNEDT32.EXE
67.199.248.10:80
bit.ly
Bitly Inc
US
shared
1052
RegSvcs.exe
111.90.144.65:80
aveiro-maroc.cf
Shinjiru Technology Sdn Bhd
MY
malicious
3120
EQNEDT32.EXE
221.121.138.114:80
com2c.com.au
Wholesale Services Provider
AU
suspicious

DNS requests

Domain
IP
Reputation
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared
com2c.com.au
  • 221.121.138.114
malicious
aveiro-maroc.cf
  • 111.90.144.65
malicious

Threats

PID
Process
Class
Message
3120
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3120
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3120
EQNEDT32.EXE
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server
3120
EQNEDT32.EXE
Misc activity
POLICY [PTsecurity] PE as Image Content type mismatch
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .cf Domain
1052
RegSvcs.exe
Potential Corporate Privacy Violation
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
1052
RegSvcs.exe
A Network Trojan was detected
ET TROJAN Trojan Generic - POST To gate.php with no referer
1052
RegSvcs.exe
Potentially Bad Traffic
ET INFO HTTP POST Request to Suspicious *.cf Domain
1052
RegSvcs.exe
A Network Trojan was detected
ET TROJAN Fareit/Pony Downloader Checkin 2
1052
RegSvcs.exe
A Network Trojan was detected
ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
1 ETPRO signatures available at the full report
No debug info