File name: OVER DUE INVOICE PAYMENT.docx

Full analysis: https://app.any.run/tasks/2f29d15b-b350-4c9b-8cb8-cf9dadcb84d3
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: July 05, 2024, 00:58:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: cve-2017-0199, exploit, cve-2017-11882, evasion, snake, keylogger, smtp
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: 9F3FD4E8AA2AD81966D0C2A036D1E901
SHA1: 80A58393ACB58FCC666E56B514994D98BA3F4716
SHA256: CD9CF022180C8C6F6C4FB0D76476BF2E9382128D28A4686114C50448934E5381
SSDEEP: 384:IqcbcXNjeU2bSLSxnindXUclBy/m9dEbEYH4LynCYk1o:M8CU7LSxidXDeAibErWCg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • CVE-2017-0199 detected

      • WINWORD.EXE (PID: 3400)
    • Equation Editor starts application (likely CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3684)
    • Drops the executable file immediately after the start

      • EQNEDT32.EXE (PID: 3684)
    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3684)
    • Steals credentials from Web Browsers

      • obi23456.scr (PID: 3920)
    • SNAKE has been detected (YARA)

      • obi23456.scr (PID: 3920)
    • Actions look like stealing of personal data

      • obi23456.scr (PID: 3920)
  • SUSPICIOUS

    • Abuses WebDav for code execution

      • svchost.exe (PID: 816)
    • Uses RUNDLL32.EXE to load library

      • svchost.exe (PID: 816)
    • Reads security settings of Internet Explorer

      • EQNEDT32.EXE (PID: 3684)
    • Checks Windows Trust Settings

      • EQNEDT32.EXE (PID: 3684)
    • Reads the Internet Settings

      • EQNEDT32.EXE (PID: 3684)
      • obi23456.scr (PID: 3920)
    • Reads settings of System Certificates

      • EQNEDT32.EXE (PID: 3684)
      • obi23456.scr (PID: 3920)
    • Starts application with an unusual extension

      • EQNEDT32.EXE (PID: 3684)
      • obi23456.scr (PID: 936)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3684)
    • Application launched itself

      • obi23456.scr (PID: 936)
    • Checks for external IP

      • obi23456.scr (PID: 3920)
    • Accesses Microsoft Outlook profiles

      • obi23456.scr (PID: 3920)
    • Loads DLL from Mozilla Firefox

      • obi23456.scr (PID: 3920)
    • Connects to SMTP port

      • obi23456.scr (PID: 3920)
  • INFO

    • Checks supported languages

      • EQNEDT32.EXE (PID: 3684)
      • obi23456.scr (PID: 936)
      • obi23456.scr (PID: 3920)
    • Reads the machine GUID from the registry

      • EQNEDT32.EXE (PID: 3684)
      • obi23456.scr (PID: 936)
      • obi23456.scr (PID: 3920)
    • Reads the computer name

      • EQNEDT32.EXE (PID: 3684)
      • obi23456.scr (PID: 936)
      • obi23456.scr (PID: 3920)
    • Checks proxy server information

      • EQNEDT32.EXE (PID: 3684)
    • Creates files or folders in the user directory

      • EQNEDT32.EXE (PID: 3684)
    • Reads the software policy settings

      • EQNEDT32.EXE (PID: 3684)
      • obi23456.scr (PID: 3920)
    • Reads Environment values

      • obi23456.scr (PID: 3920)
    • Disables trace logs

      • obi23456.scr (PID: 3920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

SnakeKeylogger

(PID) Process: (3920) obi23456.scr
Keys
  • DES: 6fc98cd6
Options
  • SMTP Password: ArtEfes4765*+
  • SMTP Host: mail.artefes.com
  • SMTP Port: 587
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XMP

Creator: Modexcomm

XML

ModifyDate: 2023:08:16 13:25:00Z
CreateDate: 2023:03:27 22:13:00Z
RevisionNumber: 7
LastModifiedBy: Modexcomm
AppVersion: 12
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 21248
LinksUpToDate: No
Company: -
ScaleCrop: No
Paragraphs: 42
Lines: 150
DocSecurity: None
Application: Microsoft Office Word
Characters: 18113
Words: 3177
Pages: 7
TotalEditTime: 19 minutes
Template: Normal.dotm

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1312
ZipCompressedSize: 341
ZipCRC: 0x3795fcdd
ZipModifyDate: 2024:07:04 02:08:32
ZipCompression: Deflated
ZipBitFlag: 0x0002
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 49
Monitored processes: 5
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process chain: svchost.exe, winword.exe (#CVE-2017-0199), eqnedt32.exe, obi23456.scr (no specs), obi23456.scr (#SNAKE)

Process information

PID: 816
CMD: C:\Windows\system32\svchost.exe -k LocalService
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: LOCAL SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
PID: 3400
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\OVER DUE INVOICE PAYMENT.docx"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
Modules (Images):
  • c:\program files\microsoft office\office14\winword.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
PID: 3684
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900
Modules (Images):
  • c:\program files\common files\microsoft shared\equation\eqnedt32.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
PID: 936
CMD: "C:\Users\admin\AppData\Roaming\obi23456.scr"
Path: C:\Users\admin\AppData\Roaming\obi23456.scr
Parent process: EQNEDT32.EXE
User: admin
Integrity Level: MEDIUM
Description: Shroud
Exit code: 0
Version: 1.0.0.0
Modules (Images):
  • c:\users\admin\appdata\roaming\obi23456.scr
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3920
CMD: "C:\Users\admin\AppData\Roaming\obi23456.scr"
Path: C:\Users\admin\AppData\Roaming\obi23456.scr
Parent process: obi23456.scr
User: admin
Integrity Level: MEDIUM
Description: Shroud
Version: 1.0.0.0
Modules (Images):
  • c:\users\admin\appdata\roaming\obi23456.scr
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 24 274
Read events: 23 333
Write events: 685
Delete events: 256

Modification events

(PID) Process: (3400) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | Operation: write | Name: h=2 | Value: 683D3200480D0000010000000000000000000000
(PID) Process: (3400) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1033 | Value: Off
(PID) Process: (3400) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1041 | Value: Off
(PID) Process: (3400) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1046 | Value: Off
(PID) Process: (3400) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1036 | Value: Off
(PID) Process: (3400) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1031 | Value: Off
(PID) Process: (3400) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1040 | Value: Off
(PID) Process: (3400) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1049 | Value: Off
(PID) Process: (3400) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 3082 | Value: Off
(PID) Process: (3400) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1042 | Value: Off
Executable files: 3
Suspicious files: 16
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3400 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE5B9.tmp.cvr |
  MD5: | SHA256:
3400 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | der
  MD5: 2365869258DF7A66A2121B802CA4AFD9 | SHA256: D6B1932822BBD72A8E78C771717D992142348F67D625A42393719FEFBE59B0ED
3400 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8 | binary
  MD5: FE696FA3F37F2BB3A4321E7E56D814BE | SHA256: D2E375254E49303B20C3FAFA3A0546584F5C50F205F3E7E112A27D2F21898C3F
3400 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{3E236B26-A687-4DF1-A016-37EB4A21001B} | binary
  MD5: C25A3148298FC4E03317155303CF39EC | SHA256: E630ED491F9AC8DAF9593F0BA291AE7737881254B4F98167824BA4AE8A6926AE
3400 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary
  MD5: C25A3148298FC4E03317155303CF39EC | SHA256: E630ED491F9AC8DAF9593F0BA291AE7737881254B4F98167824BA4AE8A6926AE
3400 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 | binary
  MD5: 1BFE0A81DB078EA084FF82FE545176FE | SHA256: 5BA8817F13EEE00E75158BAD93076AB474A068C6B52686579E0F728FDA68499F
3400 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary
  MD5: D471A0BB5F0B8A9AC834E0172491B7F9 | SHA256: 418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F
3400 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | binary
  MD5: E32CDDD803EDDCD9D8E90730B4C8C8F9 | SHA256: 856B226F42F5A4B5ABE9BE85907149CC5AACCDD41B201AF106F106D7902E618E
3400 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
  MD5: C1EF68B12A6ED73F8F23ACC292393101 | SHA256: 8C94FBE8CD43B93AF1F7FFB012AC8E540B345C07472DC4C31A8F76AC7CA97C3B
3400 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary
  MD5: 0793630FAE4021AA4CA655FE3BE757F9 | SHA256: 4E2C48455889948BFBA73D8048E1BBE6E1695554C9DA6FB5DF7050177759B57F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 21
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3400 | WINWORD.EXE | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ba9e8e5522de732c | unknown | unknown
3400 | WINWORD.EXE | GET | 200 | 172.217.18.99:80 | http://c.pki.goog/r/gsr1.crl | unknown | unknown
3400 | WINWORD.EXE | GET | 200 | 172.217.18.99:80 | http://c.pki.goog/r/r4.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 95.101.54.122:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
3920 | obi23456.scr | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | unknown
1372 | svchost.exe | GET | 200 | 104.79.89.142:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
3920 | obi23456.scr | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | unknown
3920 | obi23456.scr | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | unknown
3920 | obi23456.scr | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | unknown
3920 | obi23456.scr | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
1372 | svchost.exe | 51.124.78.146:443 | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | unknown
3400 | WINWORD.EXE | 188.114.97.3:443 | riell.top | CLOUDFLARENET | NL | unknown
3400 | WINWORD.EXE | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
3400 | WINWORD.EXE | 172.217.18.99:80 | c.pki.goog | GOOGLE | US | whitelisted
816 | svchost.exe | 188.114.97.3:443 | riell.top | CLOUDFLARENET | NL | unknown
1372 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1372 | svchost.exe | 95.101.54.122:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
riell.top | 188.114.97.3, 188.114.96.3 | unknown
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
c.pki.goog | 172.217.18.99 | unknown
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
crl.microsoft.com | 95.101.54.122, 95.101.54.128 | whitelisted
www.microsoft.com | 104.79.89.142 | whitelisted
checkip.dyndns.org | 132.226.8.169, 132.226.247.73, 158.101.44.242, 193.122.130.0, 193.122.6.168 | shared
reallyfreegeoip.org | 188.114.96.3, 188.114.97.3 | malicious
mail.artefes.com | 162.55.80.143 | unknown

Threats

PID | Process | Class | Message
1060 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
1060 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
1060 | svchost.exe | Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
3920 | obi23456.scr | Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
3920 | obi23456.scr | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
No debug info