File name: b45fa9d6dfc015a39fb845755f4220476c446a0d

Full analysis: https://app.any.run/tasks/60af19a8-49aa-4bf3-a876-fce29dd9c9db
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 31, 2020, 08:27:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
ole-embedded
macros-on-open
exploit
CVE-2017-11882
loader
Indicators:
MIME: application/octet-stream
File info: Microsoft OOXML
MD5: 04F2D8D2F52E320AED03BC223CE30C53
SHA1: B45FA9D6DFC015A39FB845755F4220476C446A0D
SHA256: 3EE2D06F433CE1B3DA4166D418A99EFFB1A86AC493F90F1BA435424BA703BDDC
SSDEEP: 768:Vuk2uyYPIor4xquPQ0AFoAGzhV2ZA8AQ0nItejELLHKvrxTkJ:VGYJ7DFkV2ZL0nIcjELcrx6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3332)
    • Executes scripts

      • EXCEL.EXE (PID: 3832)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3832)
    • Downloads executable files from the Internet

      • cscript.exe (PID: 3148)
      • wscript.exe (PID: 2576)
    • Downloads executable files from IP

      • cscript.exe (PID: 3148)
      • wscript.exe (PID: 2576)
    • Application was dropped or rewritten from another process

      • floe.exe (PID: 780)
      • floe.exe (PID: 820)
    • Writes to a start menu file

      • floe.exe (PID: 780)
    • Actions look like stealing of personal data

      • floe.exe (PID: 820)
  • SUSPICIOUS

    • Executes scripts

      • cmd.exe (PID: 2808)
      • cmd.exe (PID: 3808)
    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 3332)
      • cscript.exe (PID: 2908)
    • Executed via COM

      • EQNEDT32.EXE (PID: 3332)
    • Creates files in the program directory

      • EXCEL.EXE (PID: 3832)
      • cscript.exe (PID: 3148)
    • Executable content was dropped or overwritten

      • cscript.exe (PID: 3148)
    • Creates files in the user directory

      • floe.exe (PID: 780)
    • Application launched itself

      • floe.exe (PID: 780)
    • Reads Environment values

      • floe.exe (PID: 820)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3832)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 3832)
No Malware configuration.

TRiD

.xlsm | Excel Microsoft Office Open XML Format document (with Macro) (45.9)
.xlsx | Excel Microsoft Office Open XML Format document (27.1)
.zip | Open Packaging Conventions container (13.9)
.ubox | Universe Sandbox simulation (9.6)
.zip | ZIP compressed archive (3.1)
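TRiD identifies the container as an Excel OOXML workbook carrying a VBA project, and the tags above add an embedded OLE object and CVE-2017-11882, which means the embedded object is an Equation Editor (Equation.3) object. The script below is an added example, not part of the ANY.RUN report and not the service's own detection logic: it opens an OOXML file as the zip it is and checks for those three traits. The Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046} and the "Equation Native" stream name are the documented identifiers of that object type; the sample workbook is constructed in memory because the real document is not available on this page, and a CLSID or stream-name hit marks the vulnerable object type, not the overflow itself.

```python
"""Static triage of an OOXML container (xlsm/docx/pptx) for the traits this
report tags: a VBA project, embedded OLE objects, and an embedded Equation
Editor (Equation.3) object, the component attacked by CVE-2017-11882.

Added example, not part of the ANY.RUN report. The sample document below is
constructed in memory; the real workbook is not available on this page.
"""
import io
import re
import zipfile

# OLE compound file magic; oleObject*.bin embeddings and vbaProject.bin use it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CLSID of "Microsoft Equation 3.0" (Equation.3), {0002CE02-0000-0000-C000-000000000046},
# in the mixed-endian byte order Windows and OLE directory entries store GUIDs in.
EQUATION3_CLSID = bytes.fromhex("02CE02000000000000C000000000000046")
# Name of the stream Equation Editor stores its MTEF payload in, as the OLE
# directory records it (UTF-16LE, no BOM).
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")
EMBEDDING_RE = re.compile(r"/embeddings/oleobject\d*\.bin$", re.I)


def triage_ooxml(data: bytes) -> dict:
    """Return findings for one OOXML document held in memory as bytes."""
    findings = {"macros": False, "ole_embedded": False,
                "equation_editor_object": False, "embeddings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # A vbaProject.bin part (under xl/, word/ or ppt/) is the VBA project itself.
        findings["macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not EMBEDDING_RE.search(name):
                continue
            findings["ole_embedded"] = True
            findings["embeddings"].append(name)
            blob = z.read(name)
            # Heuristic: an OLE container that references Equation.3 by CLSID
            # or carries an "Equation Native" stream. That marks the object type
            # the CVE-2017-11882 exploit needs, not the overflow itself.
            if blob.startswith(OLE_MAGIC) and (EQUATION3_CLSID in blob or EQUATION_NATIVE in blob):
                findings["equation_editor_object"] = True
    return findings


def build_sample() -> bytes:
    """Constructed xlsm-like container: VBA project plus an Equation.3 embedding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
        fake_ole = OLE_MAGIC + b"\x00" * 40 + EQUATION_NATIVE + b"\x00" * 16 + EQUATION3_CLSID
        z.writestr("xl/embeddings/oleObject1.bin", fake_ole)
    return buf.getvalue()


def build_clean_sample() -> bytes:
    """Constructed macro-free workbook with no embeddings, for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("constructed sample", build_sample()), ("clean sample", build_clean_sample())):
        print(label, triage_ooxml(doc))
```

Run it against a real file with `triage_ooxml(open(path, "rb").read())`. A document with macros and an Equation.3 embedding that is not a known equation-editing workflow is worth detonating; the macros-on-open tag the sandbox assigned needs the decompressed VBA source (the module streams are MS-OVBA compressed), which this check does not attempt.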

EXIF

XMP

Creator: Windows

XML

ModifyDate: 2020:02:01 18:32:27Z
CreateDate: 2020:02:01 18:28:07Z
LastModifiedBy: Windows
AppVersion: 12
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
TitlesOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HeadingPairs:
  • Worksheets
  • 3
ScaleCrop: No
DocSecurity: None
Application: Microsoft Excel

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1789
ZipCompressedSize: 427
ZipCRC: 0xcdc0e5bf
ZipModifyDate: 2020:03:31 07:38:26
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 9
Malicious processes: 5
Suspicious processes: 3

Behavior graph

Edge legend: start; drop and start. Nodes, in order: excel.exe (no specs), eqnedt32.exe, cmd.exe (no specs), cscript.exe (no specs), cmd.exe (no specs), cscript.exe, wscript.exe, floe.exe, floe.exe

Process information

PID 3832
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID 3332
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID 2808
CMD: cmd /c ren %tmp%\yy y.js&CSCRIpt %tmp%\y.js  C
Path: C:\Windows\system32\cmd.exe
Parent process: EQNEDT32.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2908
CMD: CSCRIpt C:\Users\admin\AppData\Local\Temp\y.js  C
Path: C:\Windows\system32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID 3808
CMD: "C:\Windows\System32\cmd.exe" /c cscript C:\Users\admin\AppData\Local\Temp\xx.vbs
Path: C:\Windows\System32\cmd.exe
Parent process: cscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3148
CMD: cscript C:\Users\admin\AppData\Local\Temp\xx.vbs
Path: C:\Windows\system32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID 2576
CMD: C:\Windows\System32\wscript.exe C:\programdata\asc.txt:script1.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385

PID 780
CMD: C:\ProgramData\floe.exe
Path: C:\ProgramData\floe.exe
Parent process: cscript.exe
User: admin
Integrity Level: MEDIUM
Description: FcelI
Exit code: 0
Version: 2.1.1.1

PID 820
CMD: "C:\ProgramData\floe.exe"
Path: C:\ProgramData\floe.exe
Parent process: floe.exe
User: admin
Integrity Level: MEDIUM
Description: FcelI
Version: 2.1.1.1
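Read in order, the process table is the whole chain. EQNEDT32.EXE, started by svchost.exe over COM (the -Embedding switch) when Excel activates the embedded object, spawns cmd.exe, which renames the file Excel dropped as %tmp%\yy to y.js and runs it with cscript; that script hands off to xx.vbs, which fetches yUtro.exe into C:\ProgramData\floe.exe and launches it, and floe.exe then relaunches itself. In parallel the workbook's macro starts wscript.exe on a VBS stored in an NTFS alternate data stream of C:\programdata\asc.txt. The Python below is an added example, not ANY.RUN's signature logic: it transcribes the table into constructed records and applies one rule for each of those tells. Because the report lists parent image names rather than parent PIDs, the rules match on the parent's name, which is an assumption that would not hold against real EDR telemetry where the parent PID is available.

```python
"""Rule-based triage of the process records from this report.

Added example, not ANY.RUN's own signature logic. PROCESSES is transcribed
from the process table above as (PID, image, command line, parent image);
the report gives parent names rather than parent PIDs, so the rules match
on the parent image name.
"""
import re
from dataclasses import dataclass

PROCESSES = [
    (3832, "EXCEL.EXE", r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde', "explorer.exe"),
    (3332, "EQNEDT32.EXE", r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding', "svchost.exe"),
    (2808, "cmd.exe", r"cmd /c ren %tmp%\yy y.js&CSCRIpt %tmp%\y.js  C", "EQNEDT32.EXE"),
    (2908, "cscript.exe", r"CSCRIpt C:\Users\admin\AppData\Local\Temp\y.js  C", "cmd.exe"),
    (3808, "cmd.exe", r'"C:\Windows\System32\cmd.exe" /c cscript C:\Users\admin\AppData\Local\Temp\xx.vbs', "cscript.exe"),
    (3148, "cscript.exe", r"cscript C:\Users\admin\AppData\Local\Temp\xx.vbs", "cmd.exe"),
    (2576, "wscript.exe", r"C:\Windows\System32\wscript.exe C:\programdata\asc.txt:script1.vbs", "EXCEL.EXE"),
    (780, "floe.exe", r"C:\ProgramData\floe.exe", "cscript.exe"),
    (820, "floe.exe", r'"C:\ProgramData\floe.exe"', "floe.exe"),
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe", "mshta.exe"}
# Directories an unprivileged user can write to; floe.exe lives in one.
USER_WRITABLE = re.compile(r"(?i)\\(programdata|users\\[^\\]+\\appdata|temp)\\")
# A Windows path followed by ":name" is an NTFS alternate data stream (asc.txt:script1.vbs).
ADS_PATH = re.compile(r'[A-Za-z]:\\[^\s:"]+:[^\s\\:"]+')
# cmd.exe renaming a dropped file inside %tmp% and running it in the same command line.
RENAME_IN_TEMP = re.compile(r"(?i)\bren\b.*%tmp%")


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def triage_processes(procs):
    """Apply the rules to (pid, image, cmdline, parent image) records."""
    findings = []
    for pid, image, cmd, parent in procs:
        img, par = image.lower(), parent.lower()
        if par == "eqnedt32.exe":
            # Equation Editor has no legitimate reason to start children; a child
            # is the post-exploitation step of CVE-2017-11882.
            findings.append(Finding(pid, "eqnedt32_child", f"{parent} -> {image}"))
        if par in OFFICE_APPS and img in SCRIPT_HOSTS:
            findings.append(Finding(pid, "office_spawns_script_host", f"{parent} -> {image}"))
        ads = ADS_PATH.search(cmd)
        if ads:
            findings.append(Finding(pid, "ads_script", ads.group(0)))
        if img == "cmd.exe" and RENAME_IN_TEMP.search(cmd):
            findings.append(Finding(pid, "rename_then_run_in_temp", cmd))
        if img not in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
            if par in SCRIPT_HOSTS:
                findings.append(Finding(pid, "script_host_runs_dropped_exe", f"{parent} -> {cmd}"))
            if par == img:
                findings.append(Finding(pid, "self_launch_from_user_writable", cmd))
    return findings


if __name__ == "__main__":
    for f in triage_processes(PROCESSES):
        print(f"PID {f.pid:<5} {f.rule:<32} {f.detail}")
```

Against these records the rules fire on 2808 (Equation Editor child, rename-then-run in %tmp%), 2576 (Excel to wscript.exe, script in an alternate data stream), 780 (script host launching the dropped executable) and 820 (the dropped executable relaunching itself), and stay silent on the Excel, Equation Editor and intermediate cmd/cscript records, which on their own look like ordinary process starts.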
Total events: 903
Read events: 793
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 0
Text files: 7
Unknown types: 4

Dropped files

PID 3832, EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR6C2F.tmp.cvr
Type: (empty in report)
MD5: (empty in report)
SHA256: (empty in report)

PID 3832, EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\yy
Type: (empty in report)
MD5: (empty in report)
SHA256: (empty in report)

PID 3148, cscript.exe
Filename: C:\ProgramData\floe.exe
Type: executable
MD5: 7B6A62D0B81D307A71A025500754ED28
SHA256: A1F8429D0E0750461E796507148F39535FBF28710D45DD5FC90691235B078271

PID 2908, cscript.exe
Filename: C:\Users\admin\AppData\Local\Temp\xx.vbs
Type: text
MD5: 7E177A15B5EFCD5BE202BC818C7B42F5
SHA256: C5F89ECDC8E4E751D97370330E77CDF605E58D4F3704AE4B21EF0FCDB96C5A29

PID 3832, EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\b45fa9d6dfc015a39fb845755f4220476c446a0d.xlsm.LNK
Type: lnk
MD5: 3CDC53AFDE97F734BF5D7692F9B20E28
SHA256: 19A5C014A04C8B940D8FDD22AAB552690E4F958F90C2D65EE82E9EF1DB6AFE3E

PID 3832, EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5: DB5120FDD870DF18319873866BF86D1A
SHA256: A77B7597234A9BCE597774AAE437817E4F4B26A041FACE5FF4FD28A78B9C446C

PID 3832, EXCEL.EXE
Filename: C:\programdata\asc.txt:script1.vbs (an NTFS alternate data stream of asc.txt; wscript.exe PID 2576 runs it)
Type: text
MD5: 57A640980973E0BE3D81661FEA9A7A65
SHA256: E65603DFF82491431215C406ABCCBBDF2F959DB2CE8E3EC70B0C758A580FA8D6

PID 3832, EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\xx (same hashes as xx.vbs above: the file was renamed, not rewritten)
Type: text
MD5: 7E177A15B5EFCD5BE202BC818C7B42F5
SHA256: C5F89ECDC8E4E751D97370330E77CDF605E58D4F3704AE4B21EF0FCDB96C5A29

PID 2808, cmd.exe
Filename: C:\Users\admin\AppData\Local\Temp\y.js
Type: text
MD5: 88E35A0C2E1489E43867990CC0FB5B1D
SHA256: 3CB3928A0135B0D56148E86CF42CBD5ECE60ECC4CA21E1054AEA68CB50606A34

PID 780, floe.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\floqqq.lnk
Type: lnk
MD5: 9C957FFA3CF9A8F186F3D731CDCEBD11
SHA256: 4709D78DE38D269C6D4857E5F8F75F57FE0001ED4F611C91B6E6187EC91F3E02
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

PID 3148, cscript.exe
Method: GET
HTTP code: 200
IP: 5.189.132.254:80
URL: http://5.189.132.254/yUtro.exe
CN: DE
Type: executable
Size: 426 Kb
Reputation: suspicious

PID 2576, wscript.exe
Method: GET
HTTP code: 200
IP: 5.189.132.254:80
URL: http://5.189.132.254/yUtro.exe
CN: DE
Type: executable
Size: 426 Kb
Reputation: suspicious

Connections

PID 3148, cscript.exe
IP: 5.189.132.254:80
Domain: (none; connection by IP address)
ASN: Contabo GmbH
CN: DE
Reputation: suspicious

PID 820, floe.exe
IP: 162.241.27.33:587 (SMTP submission port)
Domain: mail.novaa-ship.com
ASN: CyrusOne LLC
CN: US
Reputation: malicious

PID 2576, wscript.exe
IP: 5.189.132.254:80
Domain: (none; connection by IP address)
ASN: Contabo GmbH
CN: DE
Reputation: suspicious

DNS requests

Domain: mail.novaa-ship.com
IP: 162.241.27.33
Reputation: malicious

Threats

PID 3148, cscript.exe
Class: A Network Trojan was detected
Message: ET INFO Executable Download from dotted-quad Host

PID 2576, wscript.exe
Class: A Network Trojan was detected
Message: ET INFO Executable Download from dotted-quad Host
No debug info