analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org/office/invoice_22113.doc

Full analysis: https://app.any.run/tasks/0ff188ce-f06b-406b-ac69-b9a87a551700
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 21, 2020, 15:59:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
exploit
CVE-2017-11882
Indicators:
MD5:

6CF68E5DDD90B72946DADBD8148EA4E0

SHA1:

335BBC3C78365C242E08E3E2DF4A74D8B1275C03

SHA256:

F58722E10FB5114FF0B24B91FFFAF63E4DBED7D7C945C4754044DAA75D69A4C9

SSDEEP:

3:N1KNQHQMNyWR0sclC9WiLbTKMsyX:CCw+REuWCbGMsY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 2776)
      • vbc.exe (PID: 3768)
      • vbc.exe (PID: 1352)
      • vbc.exe (PID: 4080)
      • vbc.exe (PID: 3184)
      • vbc.exe (PID: 912)
      • vbc.exe (PID: 1544)
      • vbc.exe (PID: 3324)
      • vbc.exe (PID: 1748)
      • vbc.exe (PID: 3104)
      • vbc.exe (PID: 2936)
      • vbc.exe (PID: 664)
      • vbc.exe (PID: 2696)
      • vbc.exe (PID: 3428)
      • vbc.exe (PID: 3128)
      • vbc.exe (PID: 2660)
      • vbc.exe (PID: 3580)
      • vbc.exe (PID: 3864)
      • vbc.exe (PID: 3144)
      • vbc.exe (PID: 3344)
      • vbc.exe (PID: 3132)
      • vbc.exe (PID: 3252)
      • vbc.exe (PID: 3456)
      • vbc.exe (PID: 3716)
      • vbc.exe (PID: 1704)
      • vbc.exe (PID: 2580)
      • vbc.exe (PID: 2604)
      • vbc.exe (PID: 3756)
      • vbc.exe (PID: 3460)
      • vbc.exe (PID: 3644)
      • vbc.exe (PID: 3316)
      • vbc.exe (PID: 2828)
      • vbc.exe (PID: 956)
      • vbc.exe (PID: 2540)
      • vbc.exe (PID: 3040)
      • vbc.exe (PID: 2708)
      • vbc.exe (PID: 3640)
      • vbc.exe (PID: 3528)
      • vbc.exe (PID: 2128)
      • vbc.exe (PID: 3400)
      • vbc.exe (PID: 3212)
      • vbc.exe (PID: 3328)
      • vbc.exe (PID: 3264)
      • vbc.exe (PID: 1440)
      • vbc.exe (PID: 2388)
      • vbc.exe (PID: 256)
      • vbc.exe (PID: 2904)
      • vbc.exe (PID: 3820)
      • vbc.exe (PID: 2052)
      • vbc.exe (PID: 3248)
      • vbc.exe (PID: 252)
      • vbc.exe (PID: 3072)
      • vbc.exe (PID: 2652)
      • vbc.exe (PID: 2076)
      • vbc.exe (PID: 2288)
      • vbc.exe (PID: 1712)
      • vbc.exe (PID: 308)
      • vbc.exe (PID: 1844)
      • vbc.exe (PID: 3028)
      • vbc.exe (PID: 2460)
      • vbc.exe (PID: 2632)
      • vbc.exe (PID: 1916)
      • vbc.exe (PID: 3584)
      • vbc.exe (PID: 3876)
      • vbc.exe (PID: 2952)
      • vbc.exe (PID: 2248)
      • vbc.exe (PID: 1832)
      • vbc.exe (PID: 3572)
      • vbc.exe (PID: 2888)
      • vbc.exe (PID: 2272)
      • vbc.exe (PID: 3188)
      • vbc.exe (PID: 3424)
      • vbc.exe (PID: 2220)
      • vbc.exe (PID: 1932)
      • vbc.exe (PID: 3408)
      • vbc.exe (PID: 2424)
      • vbc.exe (PID: 1168)
      • vbc.exe (PID: 3972)
      • vbc.exe (PID: 3276)
      • vbc.exe (PID: 2496)
      • vbc.exe (PID: 1780)
      • vbc.exe (PID: 924)
      • vbc.exe (PID: 2992)
      • vbc.exe (PID: 2700)
      • vbc.exe (PID: 3776)
      • vbc.exe (PID: 2908)
      • vbc.exe (PID: 2940)
      • vbc.exe (PID: 3616)
      • vbc.exe (PID: 2500)
      • vbc.exe (PID: 2412)
      • vbc.exe (PID: 3204)
      • vbc.exe (PID: 3376)
      • vbc.exe (PID: 1720)
      • vbc.exe (PID: 548)
      • vbc.exe (PID: 3676)
      • vbc.exe (PID: 2480)
      • vbc.exe (PID: 2376)
      • vbc.exe (PID: 3228)
      • vbc.exe (PID: 952)
      • vbc.exe (PID: 2340)
      • vbc.exe (PID: 1872)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 1156)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 1156)

  • SUSPICIOUS

    • Executed via COM

      • WINWORD.EXE (PID: 3956)
      • EQNEDT32.EXE (PID: 1156)

    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 3956)

    • Application launched itself

      • WINWORD.EXE (PID: 3956)
      • vbc.exe (PID: 2776)

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 3956)
      • EQNEDT32.EXE (PID: 1156)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 1156)

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 1156)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 628)
      • iexplore.exe (PID: 3436)

    • Changes internet zones settings

      • iexplore.exe (PID: 628)

    • Application launched itself

      • iexplore.exe (PID: 628)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3956)
      • iexplore.exe (PID: 628)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3956)
      • WINWORD.EXE (PID: 3836)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3436)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 628)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 628)

    • Changes settings of System certificates

      • iexplore.exe (PID: 628)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
106
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe winword.exe winword.exe no specs eqnedt32.exe vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs vbc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
628"C:\Program Files\Internet Explorer\iexplore.exe" "http://sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org/office/invoice_22113.doc"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3436"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:628 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3956"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3836"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
1156"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2776"C:\Users\admin\AppData\Roaming\vbc.exe" C:\Users\admin\AppData\Roaming\vbc.exeEQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1748"C:\Users\admin\AppData\Roaming\vbc.exe"C:\Users\admin\AppData\Roaming\vbc.exevbc.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3768"C:\Users\admin\AppData\Roaming\vbc.exe"C:\Users\admin\AppData\Roaming\vbc.exevbc.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3324"C:\Users\admin\AppData\Roaming\vbc.exe"C:\Users\admin\AppData\Roaming\vbc.exevbc.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1352"C:\Users\admin\AppData\Roaming\vbc.exe"C:\Users\admin\AppData\Roaming\vbc.exevbc.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
8 095
Read events
2 461
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
41
Text files
14
Unknown types
6

Dropped files

PID
Process
Filename
Type
628iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3956WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8B8F.tmp.cvr
MD5:
SHA256:
3956WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{F02AB8C0-4AF9-492E-A65A-9678A1D8FECE}
MD5:
SHA256:
3956WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{70FEDFE8-695E-4514-A0DF-1D8F8DD43959}
MD5:
SHA256:
628iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF977D45CA2A8370D7.TMP
MD5:
SHA256:
3956WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:C7B1B85FE0B46CCAA59746206A45B148
SHA256:DAA3F8F6C3D64D974E38580CA653D65D84AAC9518D7355F57B9B2E0AE804303E
3436iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\invoice_22113[1].doctext
MD5:EE37F0A5BD88DA71A78369A1217CAD37
SHA256:BF739A17BDA0F72FBFAE2A8AE584294D78BB5BE1FC43CCD11110D9A6D168376F
628iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF5D2F36D049A89332.TMP
MD5:
SHA256:
3956WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:E35D7C9D84B4E1357488F5717DE29492
SHA256:B5683D09240604F3D00F38807B8B6E9661327A38A6E15135A71D8F8FD8DDBD10
628iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IPR8CHWNXX0P63H60R7Q.temp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
22
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
824
svchost.exe
OPTIONS
302
192.3.152.160:80
http://sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org/
US
malicious
3956
WINWORD.EXE
OPTIONS
200
192.3.152.160:80
http://sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org/office/
US
malicious
824
svchost.exe
OPTIONS
200
192.3.152.160:80
http://sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org/dashboard/
US
malicious
824
svchost.exe
PROPFIND
302
192.3.152.160:80
http://sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org/
US
malicious
824
svchost.exe
PROPFIND
302
192.3.152.160:80
http://sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org/
US
malicious
824
svchost.exe
PROPFIND
302
192.3.152.160:80
http://sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org/
US
malicious
824
svchost.exe
PROPFIND
302
192.3.152.160:80
http://sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org/
US
malicious
3436
iexplore.exe
GET
200
192.3.152.160:80
http://sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org/office/invoice_22113.doc
US
text
231 Kb
malicious
3956
WINWORD.EXE
GET
200
192.3.152.160:80
http://sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org/office/invoice_22113.doc
US
text
231 Kb
malicious
628
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3956
WINWORD.EXE
192.3.152.160:80
sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org
ColoCrossing
US
malicious
628
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
628
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3436
iexplore.exe
192.3.152.160:80
sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org
ColoCrossing
US
malicious
824
svchost.exe
192.3.152.160:80
sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org
ColoCrossing
US
malicious
1156
EQNEDT32.EXE
192.3.152.160:80
sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org
ColoCrossing
US
malicious
628
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
628
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org
  • 192.3.152.160
malicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1156
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://sub2chnfmanglobalbusinessexytwowsdy2.duckdns.org/office/invoice_22113.doc