File name:

OVER DUE INVOICE PAYMENT.docx

Full analysis: https://app.any.run/tasks/2f29d15b-b350-4c9b-8cb8-cf9dadcb84d3
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: July 05, 2024, 00:58:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: cve-2017-0199, exploit, cve-2017-11882, evasion, snake, keylogger, smtp
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: 9F3FD4E8AA2AD81966D0C2A036D1E901
SHA1: 80A58393ACB58FCC666E56B514994D98BA3F4716
SHA256: CD9CF022180C8C6F6C4FB0D76476BF2E9382128D28A4686114C50448934E5381
SSDEEP: 384:IqcbcXNjeU2bSLSxnindXUclBy/m9dEbEYH4LynCYk1o:M8CU7LSxidXDeAibErWCg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (likely CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3684)
    • CVE-2017-0199 detected

      • WINWORD.EXE (PID: 3400)
    • Drops the executable file immediately after the start

      • EQNEDT32.EXE (PID: 3684)
    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3684)
    • SNAKE has been detected (YARA)

      • obi23456.scr (PID: 3920)
    • Steals credentials from Web Browsers

      • obi23456.scr (PID: 3920)
    • Actions looks like stealing of personal data

      • obi23456.scr (PID: 3920)
  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • svchost.exe (PID: 816)
    • Abuses WebDav for code execution

      • svchost.exe (PID: 816)
    • Reads the Internet Settings

      • EQNEDT32.EXE (PID: 3684)
      • obi23456.scr (PID: 3920)
    • Reads security settings of Internet Explorer

      • EQNEDT32.EXE (PID: 3684)
    • Checks Windows Trust Settings

      • EQNEDT32.EXE (PID: 3684)
    • Reads settings of System Certificates

      • EQNEDT32.EXE (PID: 3684)
      • obi23456.scr (PID: 3920)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3684)
    • Starts application with an unusual extension

      • EQNEDT32.EXE (PID: 3684)
      • obi23456.scr (PID: 936)
    • Application launched itself

      • obi23456.scr (PID: 936)
    • Checks for external IP

      • obi23456.scr (PID: 3920)
    • Accesses Microsoft Outlook profiles

      • obi23456.scr (PID: 3920)
    • Loads DLL from Mozilla Firefox

      • obi23456.scr (PID: 3920)
    • Connects to SMTP port

      • obi23456.scr (PID: 3920)
  • INFO

    • Checks supported languages

      • EQNEDT32.EXE (PID: 3684)
      • obi23456.scr (PID: 936)
      • obi23456.scr (PID: 3920)
    • Reads the computer name

      • EQNEDT32.EXE (PID: 3684)
      • obi23456.scr (PID: 936)
      • obi23456.scr (PID: 3920)
    • Reads the machine GUID from the registry

      • EQNEDT32.EXE (PID: 3684)
      • obi23456.scr (PID: 936)
      • obi23456.scr (PID: 3920)
    • Checks proxy server information

      • EQNEDT32.EXE (PID: 3684)
    • Reads the software policy settings

      • EQNEDT32.EXE (PID: 3684)
      • obi23456.scr (PID: 3920)
    • Creates files or folders in the user directory

      • EQNEDT32.EXE (PID: 3684)
    • Reads Environment values

      • obi23456.scr (PID: 3920)
    • Disables trace logs

      • obi23456.scr (PID: 3920)

SnakeKeylogger configuration

(PID) Process: (3920) obi23456.scr
Keys
  DES: 6fc98cd6
Options
  SMTP User: reservation@artefes.com
  SMTP Password: ArtEfes4765*+
  SMTP Host: mail.artefes.com
  SMTP SendTo: reservation@artefes.com
  SMTP Port: 587

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2024:07:04 02:08:32
ZipCRC: 0x3795fcdd
ZipCompressedSize: 341
ZipUncompressedSize: 1312
ZipFileName: [Content_Types].xml

XML

Template: Normal.dotm
TotalEditTime: 19 minutes
Pages: 7
Words: 3177
Characters: 18113
Application: Microsoft Office Word
DocSecurity: None
Lines: 150
Paragraphs: 42
ScaleCrop: No
Company: -
LinksUpToDate: No
CharactersWithSpaces: 21248
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
LastModifiedBy: Modexcomm
RevisionNumber: 7
CreateDate: 2023:03:27 22:13:00Z
ModifyDate: 2023:08:16 13:25:00Z

XMP

Creator: Modexcomm
Total processes: 49
Monitored processes: 5
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Graph nodes: start, #CVE-2017-0199 winword.exe, eqnedt32.exe, obi23456.scr (no specs), #SNAKE obi23456.scr, svchost.exe

Process information

PID 816
  CMD: C:\Windows\system32\svchost.exe -k LocalService
  Path: C:\Windows\System32\svchost.exe
  Parent process: services.exe
  User: LOCAL SERVICE
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Host Process for Windows Services
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\windows\system32\svchost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\ole32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll

PID 936
  CMD: "C:\Users\admin\AppData\Roaming\obi23456.scr"
  Path: C:\Users\admin\AppData\Roaming\obi23456.scr
  Parent process: EQNEDT32.EXE
  User: admin
  Integrity Level: MEDIUM
  Description: Shroud
  Exit code: 0
  Version: 1.0.0.0
  Modules (images):
    c:\users\admin\appdata\roaming\obi23456.scr
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 3400
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\OVER DUE INVOICE PAYMENT.docx"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000
  Modules (images):
    c:\program files\microsoft office\office14\winword.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
    c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll

PID 3684
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Parent process: svchost.exe
  User: admin
  Company: Design Science, Inc.
  Integrity Level: MEDIUM
  Description: Microsoft Equation Editor
  Exit code: 0
  Version: 00110900
  Modules (images):
    c:\program files\common files\microsoft shared\equation\eqnedt32.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll

PID 3920
  CMD: "C:\Users\admin\AppData\Roaming\obi23456.scr"
  Path: C:\Users\admin\AppData\Roaming\obi23456.scr
  Parent process: obi23456.scr
  User: admin
  Integrity Level: MEDIUM
  Description: Shroud
  Version: 1.0.0.0
  Modules (images):
    c:\users\admin\appdata\roaming\obi23456.scr
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 24 274
Read events: 23 333
Write events: 685
Delete events: 256

Modification events

(PID) Process: (3400) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: h=2
Value: 683D3200480D0000010000000000000000000000

(PID) Process: (3400) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033, 1041, 1046, 1036, 1031, 1040, 1049, 3082, 1042 (one write per name)
Value: Off (for each name)
Executable files: 3
Suspicious files: 16
Text files: 5
Unknown types: 0

Dropped files

PID 3400 WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\CVRE5B9.tmp.cvr
  MD5:
  SHA256:

PID 3400 WINWORD.EXE
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc
  MD5: C1EF68B12A6ED73F8F23ACC292393101
  SHA256: 8C94FBE8CD43B93AF1F7FFB012AC8E540B345C07472DC4C31A8F76AC7CA97C3B

PID 3400 WINWORD.EXE
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  Type: binary
  MD5: 4148433CA11D1A1E5840059F3C6FFAE0
  SHA256: 6839A489C7E9B03CB433551A275744DB26F398CF416441E85EAB77AB31EED39B

PID 3400 WINWORD.EXE
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
  Type: binary
  MD5: E32CDDD803EDDCD9D8E90730B4C8C8F9
  SHA256: 856B226F42F5A4B5ABE9BE85907149CC5AACCDD41B201AF106F106D7902E618E

PID 3400 WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\{3E236B26-A687-4DF1-A016-37EB4A21001B}
  Type: binary
  MD5: C25A3148298FC4E03317155303CF39EC
  SHA256: E630ED491F9AC8DAF9593F0BA291AE7737881254B4F98167824BA4AE8A6926AE

PID 3400 WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\obb[1].doc
  Type: text
  MD5: 3F9A089317AFA13A17B61D5E0F95B75E
  SHA256: 09CC281D7242AEDDD2DE25D63EF16E9B8D190BD06D31928410FDAEF1E5A5C351

PID 3684 EQNEDT32.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\obb[1].scr
  Type: executable
  MD5: F7BDADAFF67E573F145D2E8E32E32CD8
  SHA256: FE80EEADE269CE2B6688E039296FC9E9743E24F881341ADAD24E220967312316

PID 3400 WINWORD.EXE
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
  Type: binary
  MD5: 1BFE0A81DB078EA084FF82FE545176FE
  SHA256: 5BA8817F13EEE00E75158BAD93076AB474A068C6B52686579E0F728FDA68499F

PID 3400 WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Type: binary
  MD5: 0793630FAE4021AA4CA655FE3BE757F9
  SHA256: 4E2C48455889948BFBA73D8048E1BBE6E1695554C9DA6FB5DF7050177759B57F

PID 3400 WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\{68F1A21B-DD8D-4EE8-B211-F55FEE96EAD2}
  Type: binary
  MD5: 0793630FAE4021AA4CA655FE3BE757F9
  SHA256: 4E2C48455889948BFBA73D8048E1BBE6E1695554C9DA6FB5DF7050177759B57F
HTTP(S) requests: 15
TCP/UDP connections: 21
DNS requests: 9
Threats: 16

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3400 | WINWORD.EXE | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ba9e8e5522de732c | unknown | unknown
3400 | WINWORD.EXE | GET | 200 | 172.217.18.99:80 | http://c.pki.goog/r/gsr1.crl | unknown | unknown
3400 | WINWORD.EXE | GET | 200 | 172.217.18.99:80 | http://c.pki.goog/r/r4.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 95.101.54.122:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 104.79.89.142:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
3920 | obi23456.scr | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | unknown
3920 | obi23456.scr | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | unknown
3920 | obi23456.scr | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | unknown
3920 | obi23456.scr | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | unknown
3920 | obi23456.scr | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1372 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3400 | WINWORD.EXE | 188.114.97.3:443 | riell.top | CLOUDFLARENET | NL | unknown
3400 | WINWORD.EXE | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
3400 | WINWORD.EXE | 172.217.18.99:80 | c.pki.goog | GOOGLE | US | whitelisted
816 | svchost.exe | 188.114.97.3:443 | riell.top | CLOUDFLARENET | NL | unknown
1372 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1372 | svchost.exe | 95.101.54.122:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
riell.top | 188.114.97.3, 188.114.96.3 | unknown
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
c.pki.goog | 172.217.18.99 | unknown
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
crl.microsoft.com | 95.101.54.122, 95.101.54.128 | whitelisted
www.microsoft.com | 104.79.89.142 | whitelisted
checkip.dyndns.org | 132.226.8.169, 132.226.247.73, 158.101.44.242, 193.122.130.0, 193.122.6.168 | shared
reallyfreegeoip.org | 188.114.96.3, 188.114.97.3 | malicious
mail.artefes.com | 162.55.80.143 | unknown

Threats

PID | Process | Class | Message
1060 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
1060 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
1060 | svchost.exe | Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
3920 | obi23456.scr | Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org