analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

1.xlsx

Full analysis: https://app.any.run/tasks/c0adc222-7116-482b-9360-a61528936ff7
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: October 20, 2020, 13:41:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
exploit
CVE-2017-11882
opendir
loader
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

0230DEF12121F8727A4528ECCBF680DF

SHA1:

66021B8A01C4363B92913D08FE7C2D1915CEBBDE

SHA256:

014ECCC3781D5081FBF6E3336F9A21F854924F38F77D82C2D56840ECCA7F28B7

SSDEEP:

6144:q1ckk7BeV7dwLnGRFHVWUNWPrXzxijzd/M2kLRgH2U:mtko7dxVD+X1ijzbOgHj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2336)
    • Application was dropped or rewritten from another process

      • name.exe (PID: 2328)
      • name.exe (PID: 604)
  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 2336)
    • Reads Internet Cache Settings

      • EQNEDT32.EXE (PID: 2336)
    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 2336)
      • msiexec.exe (PID: 3972)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2336)
    • Application launched itself

      • name.exe (PID: 2328)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2108)
    • Manual execution by user

      • msiexec.exe (PID: 3972)
    • Reads the hosts file

      • msiexec.exe (PID: 3972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2020:09:24 00:42:00
ZipCRC: 0xd5d69ee5
ZipCompressedSize: 372
ZipUncompressedSize: 1369
ZipFileName: [Content_Types].xml

XMP

Creator: User PC

XML

LastModifiedBy: User PC
CreateDate: 2020:09:22 10:12:01Z
ModifyDate: 2020:09:22 10:12:19Z
Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 1
TitlesOfParts: Sheet1
Company: -
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 15.03
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe no specs eqnedt32.exe cmd.exe no specs name.exe no specs name.exe no specs msiexec.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2108"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2336"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2676C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exeC:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2328C:\Users\Public\name.exeC:\Users\Public\name.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
604C:\Users\Public\name.exeC:\Users\Public\name.exename.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3972"C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1000/c del "C:\Users\Public\name.exe"C:\Windows\System32\cmd.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
597
Read events
540
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2108EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR45C8.tmp.cvr
MD5:
SHA256:
2336EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\1[1].exeexecutable
MD5:23713E079AB57E334B8CB4116E7A1318
SHA256:C89757583D8DF1FF56A4A8A4EFA66666D02AF3807B60CD058031AFE1AEBAEDA8
2336EQNEDT32.EXEC:\Users\Public\name.exeexecutable
MD5:23713E079AB57E334B8CB4116E7A1318
SHA256:C89757583D8DF1FF56A4A8A4EFA66666D02AF3807B60CD058031AFE1AEBAEDA8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2336
EQNEDT32.EXE
GET
200
66.45.232.202:80
http://serv.webpaybox.com/~pahkeysc/1.exe
US
executable
743 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2336
EQNEDT32.EXE
66.45.232.202:80
serv.webpaybox.com
NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
US
malicious

DNS requests

Domain
IP
Reputation
serv.webpaybox.com
  • 66.45.232.202
malicious
www.proyogis.com
unknown
www.dyexim.com
unknown

Threats

PID
Process
Class
Message
2336
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
2336
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN Possible Malicious Macro DL EXE Feb 2016
2336
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info