analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Kafan_Sample_3cb10f638f9da25bfdeddbeb61965bf3d7c2f0977857843cb673e402b202b6f9.xlsx

Full analysis: https://app.any.run/tasks/4d3bfc8e-f01d-434e-b916-8e93720d5a14
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 30, 2020, 07:02:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
loader
exploit
CVE-2017-11882
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5:

D43B7A3C4D0BE32816420A751CA5E9F0

SHA1:

B1A59484D82AF404EC72137F0AB0D56D5A90B127

SHA256:

3CB10F638F9DA25BFDEDDBEB61965BF3D7C2F0977857843CB673E402B202B6F9

SSDEEP:

3072:bNYfuJcXsDRwY4SsZXgmjhSI8al1z7I3mbfQ1wA2LRliw+gxfzIj5+CdUJwvnC:Z4uOXsDKIKXnT8kB7nATHBgxK5+Cda

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 2192)
      • vbc.exe (PID: 2324)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2148)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 2148)

    • Actions looks like stealing of personal data

      • vbc.exe (PID: 2192)

  • SUSPICIOUS

    • Creates files in the user directory

      • vbc.exe (PID: 2192)
      • EQNEDT32.EXE (PID: 2148)

    • Executed via COM

      • EQNEDT32.EXE (PID: 2148)
      • WINWORD.EXE (PID: 3728)

    • Reads the cookies of Mozilla Firefox

      • vbc.exe (PID: 2192)

    • Reads Internet Cache Settings

      • EQNEDT32.EXE (PID: 2148)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2148)

    • Reads the cookies of Google Chrome

      • vbc.exe (PID: 2192)

    • Application launched itself

      • vbc.exe (PID: 2324)

  • INFO

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 3728)
      • EXCEL.EXE (PID: 2444)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3728)
      • EXCEL.EXE (PID: 2444)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2444)
      • WINWORD.EXE (PID: 3728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start excel.exe winword.exe eqnedt32.exe vbc.exe no specs vbc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2444"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3728"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2148"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2324"C:\Users\admin\AppData\Roaming\vbc.exe" C:\Users\admin\AppData\Roaming\vbc.exeEQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
MY_APPLICATION
Exit code:
0
Version:
1.0.0.0
2192"{path}"C:\Users\admin\AppData\Roaming\vbc.exe
vbc.exe
User:
admin
Integrity Level:
MEDIUM
Description:
MY_APPLICATION
Version:
1.0.0.0
Total events
1 668
Read events
1 086
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
25
Text files
9
Unknown types
4

Dropped files

PID
Process
Filename
Type
2444EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR9934.tmp.cvr
MD5:
SHA256:
3728WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRB17F.tmp.cvr
MD5:
SHA256:
3728WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{9E7AA9CD-85BD-4D22-B00B-A6FD554549AB}
MD5:
SHA256:
3728WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{E564CC90-C456-42BA-B9AE-D75A4B8F204E}
MD5:
SHA256:
2192vbc.exeC:\Users\admin\AppData\Roaming\p1hss1l5.fe5\Chrome\Default\Cookies
MD5:
SHA256:
2192vbc.exeC:\Users\admin\AppData\Roaming\p1hss1l5.fe5\Firefox\Profiles\qldyz51w.default\cookies.sqlite
MD5:
SHA256:
3728WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDbinary
MD5:5C03490CF745098244333D98A3CAC789
SHA256:3AA12AC0D213CBF4B1A9FF4D59CB10C380C66A8C7BD191FF1E621F6F843E6B65
3728WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:61E8817C801AB29F99C58E7104F2E409
SHA256:A9C3CAF29C5822813AE3B7818B08302ACE8F6BB093080DFA4B080FAE6DCF3D9C
2444EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\invoice[1].doctext
MD5:BF2B5D45EE82233CD76592DC43C28510
SHA256:44638C67BC72D367343990AD62274915E36EA94CD1AC0CDD66385DDC751565D2
3728WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{DBFB8E2A-7A97-4AD7-83F7-19267943786C}.FSDbinary
MD5:85F03F44EC733B59627E003EC07A3CC7
SHA256:4247BBE3EFC230C1D80C1BF5B229B8E0A5F5B3F8E4CA42942A737676F2179C09
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
11
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
848
svchost.exe
OPTIONS
200
216.170.126.22:80
http://irequestyoutopleaseadviseonthepayment.duckdns.org/dashboard/
US
malicious
3728
WINWORD.EXE
HEAD
200
216.170.126.22:80
http://irequestyoutopleaseadviseonthepayment.duckdns.org/invoice.doc
US
malicious
848
svchost.exe
OPTIONS
302
216.170.126.22:80
http://irequestyoutopleaseadviseonthepayment.duckdns.org/
US
malicious
3728
WINWORD.EXE
OPTIONS
302
216.170.126.22:80
http://irequestyoutopleaseadviseonthepayment.duckdns.org/
US
malicious
848
svchost.exe
PROPFIND
302
216.170.126.22:80
http://irequestyoutopleaseadviseonthepayment.duckdns.org/
US
malicious
848
svchost.exe
PROPFIND
302
216.170.126.22:80
http://irequestyoutopleaseadviseonthepayment.duckdns.org/
US
malicious
848
svchost.exe
PROPFIND
302
216.170.126.22:80
http://irequestyoutopleaseadviseonthepayment.duckdns.org/
US
malicious
3728
WINWORD.EXE
HEAD
200
216.170.126.22:80
http://irequestyoutopleaseadviseonthepayment.duckdns.org/invoice.doc
US
malicious
848
svchost.exe
PROPFIND
302
216.170.126.22:80
http://irequestyoutopleaseadviseonthepayment.duckdns.org/
US
malicious
3728
WINWORD.EXE
OPTIONS
302
216.170.126.22:80
http://irequestyoutopleaseadviseonthepayment.duckdns.org/
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2444
EXCEL.EXE
216.170.126.22:80
irequestyoutopleaseadviseonthepayment.duckdns.org
ColoCrossing
US
malicious
2148
EQNEDT32.EXE
216.170.126.22:80
irequestyoutopleaseadviseonthepayment.duckdns.org
ColoCrossing
US
malicious
848
svchost.exe
216.170.126.22:80
irequestyoutopleaseadviseonthepayment.duckdns.org
ColoCrossing
US
malicious
216.170.126.22:80
irequestyoutopleaseadviseonthepayment.duckdns.org
ColoCrossing
US
malicious
3728
WINWORD.EXE
216.170.126.22:80
irequestyoutopleaseadviseonthepayment.duckdns.org
ColoCrossing
US
malicious
2192
vbc.exe
77.88.21.158:587
smtp.yandex.com
YANDEX LLC
RU
whitelisted

DNS requests

Domain
IP
Reputation
irequestyoutopleaseadviseonthepayment.duckdns.org
  • 216.170.126.22
malicious
smtp.yandex.com
  • 77.88.21.158
shared

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2148
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2192
vbc.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
2192
vbc.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Kafan_Sample_3cb10f638f9da25bfdeddbeb61965bf3d7c2f0977857843cb673e402b202b6f9.xlsx