File name: NX-LI-15-0001.xlsx
Full analysis: https://app.any.run/tasks/59bb958e-817f-4c58-bcfe-03bd29f6f98e
Verdict: Malicious activity
Threats: Loader

A loader is malicious software that infiltrates a device in order to deliver further payloads. Once running it can profile the system and install other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick the user into downloading and running the executable. Loaders employ evasion and persistence tactics to avoid detection.

Analysis date: January 25, 2022, 02:28:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: encrypted, opendir, exploit, CVE-2017-11882, loader
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted (an OLE compound file protected with Office document encryption; the embedded object is only exposed once Excel decrypts the container, so scanners that cannot open it see only ciphertext)
MD5: AEF4810294A26BA5088517084C368B44
SHA1: B9D3D72F493556548A8CF02BD3DD776B595E6EFC
SHA256: 408B2AB4AA40503B1909683857A8DC060408FFDE56A80EC6B0BF08C15881EFE6
SSDEEP: 3072:RnzrmsxmI0qbuKMN43p2ZW01NeET/rKtcMye2UIktpcqlOp7jpfueNSYb0SJN6/F:RmsxN0nKM+MW0zVTKtcMBIjSOp7jpfdw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 1608)
      • vbc.exe (PID: 2156)
      • vbc.exe (PID: 2316)
      • vbc.exe (PID: 1592)
      • vbc.exe (PID: 2704)
      • vbc.exe (PID: 3752)
      • vbc.exe (PID: 2040)
      • vbc.exe (PID: 3204)
      • vbc.exe (PID: 1404)
      • vbc.exe (PID: 3996)
      • vbc.exe (PID: 612)
      • vbc.exe (PID: 1472)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 712)
  • SUSPICIOUS

    • Reads the computer name

      • EQNEDT32.EXE (PID: 3464)
      • EQNEDT32.EXE (PID: 712)
      • vbc.exe (PID: 2156)
      • vbc.exe (PID: 1608)
    • Checks supported languages

      • EQNEDT32.EXE (PID: 3464)
      • EQNEDT32.EXE (PID: 712)
      • vbc.exe (PID: 2156)
      • vbc.exe (PID: 1608)
    • Executed via COM

      • EQNEDT32.EXE (PID: 712)
      • EQNEDT32.EXE (PID: 3464)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 712)
    • Drops a file with a compile date too recent

      • EQNEDT32.EXE (PID: 712)
    • Application launched itself

      • vbc.exe (PID: 2156)
      • vbc.exe (PID: 1608)
      • taskmgr.exe (PID: 2340)
  • INFO

    • Checks supported languages

      • EXCEL.EXE (PID: 3148)
      • taskmgr.exe (PID: 2340)
      • taskmgr.exe (PID: 2220)
    • Reads the computer name

      • EXCEL.EXE (PID: 3148)
      • taskmgr.exe (PID: 2340)
      • taskmgr.exe (PID: 2220)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 3148)
    • Manual execution by user

      • vbc.exe (PID: 1608)
      • taskmgr.exe (PID: 2340)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3148)
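The indicator list above is the host-side view of the chain: EQNEDT32.EXE, the Equation Editor, drops an executable into C:\Users\Public and starts it, and the dropped binary then launches copies of itself. The script below replays that chain over process-creation and file-write records reconstructed from this report and shows the rules a detection engineer would key on. It is an added example, not ANY.RUN's code; the parent PIDs, the taskmgr.exe command line and the benign control process are assumptions, since the report does not show them.

```python
"""Host-side detection of the CVE-2017-11882 exploitation chain in this report, replayed
over constructed process-creation and file-write events. Added example; not ANY.RUN's code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # image file name of the new process
    parent_pid: int
    parent_image: str   # image file name of the creating process
    cmdline: str


@dataclass(frozen=True)
class FileWrite:
    pid: int
    image: str          # image file name of the writing process
    path: str


OFFICE_COMPONENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}
# User-writable locations (lower-cased substrings) where an Office component has no reason to drop a PE.
DROP_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "\\temporary internet files\\")
PE_EXT = re.compile(r"\.(exe|dll|scr|com)$", re.IGNORECASE)
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def exe_path(cmdline: str) -> str:
    """Return the lower-cased executable path from a command line (quoted or bare first token)."""
    m = _FIRST_TOKEN.match(cmdline)
    return (m.group(1) or m.group(2)).lower() if m else ""


def detect(procs, writes):
    """Return (severity, rule, pid) findings; file writes are evaluated first so that
    'dropped-file-executed' can correlate a process start with an earlier drop."""
    findings = []
    dropped_pe = set()
    for w in writes:
        path = w.path.lower()
        if PE_EXT.search(path) and w.image.lower() in OFFICE_COMPONENTS \
                and any(d in path for d in DROP_DIRS):
            findings.append(("high", "office-drops-pe", w.pid))
            dropped_pe.add(path)
    for p in procs:
        image, parent = p.image.lower(), p.parent_image.lower()
        # EQNEDT32.EXE never launches programs by itself; a child process means the embedded
        # equation object exploited it. The report shows svchost.exe, not EXCEL.EXE, as the
        # parent of EQNEDT32.EXE (COM activation), so a rule keyed on "EXCEL.EXE -> EQNEDT32.EXE"
        # would not fire here; key on EQNEDT32.EXE being the parent instead.
        if parent == "eqnedt32.exe":
            findings.append(("high", "eqnedt32-child", p.pid))
        # Anything started from a path an Office component just dropped a PE to.
        if exe_path(p.cmdline) in dropped_pe:
            findings.append(("high", "dropped-file-executed", p.pid))
        # A binary living under C:\Users\Public that starts a copy of itself.
        if image == parent and exe_path(p.cmdline).startswith("c:\\users\\public\\"):
            findings.append(("medium", "self-launch-public", p.pid))
    return findings


def verdict(findings):
    sev = {s for s, _, _ in findings}
    return "malicious" if "high" in sev else "suspicious" if "medium" in sev else "clean"


# Constructed from the report's process table. Parent PIDs are not shown in the report and are
# assumed here; taskmgr.exe (with an assumed command line) is included as a benign control.
PROCS = [
    ProcEvent(3148, "EXCEL.EXE", 1000, "Explorer.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'),
    ProcEvent(3464, "EQNEDT32.EXE", 900, "svchost.exe",
              r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(712, "EQNEDT32.EXE", 900, "svchost.exe",
              r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(2156, "vbc.exe", 712, "EQNEDT32.EXE", r'"C:\Users\Public\vbc.exe" '),
    ProcEvent(1608, "vbc.exe", 1000, "Explorer.EXE", r'"C:\Users\Public\vbc.exe" '),
    ProcEvent(2316, "vbc.exe", 2156, "vbc.exe", r'"C:\Users\Public\vbc.exe"'),
    ProcEvent(2340, "taskmgr.exe", 1000, "Explorer.EXE", r'"C:\Windows\System32\taskmgr.exe"'),
]
WRITES = [
    FileWrite(3148, "EXCEL.EXE", r"C:\Users\admin\AppData\Local\Temp\CVRE66B.tmp.cvr"),
    FileWrite(712, "EQNEDT32.EXE",
              r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files"
              r"\Content.IE5\PO2HN1X2\.csrss[1].exe"),
    FileWrite(712, "EQNEDT32.EXE", r"C:\Users\Public\vbc.exe"),
]

if __name__ == "__main__":
    for f in detect(PROCS, WRITES):
        print(f)
    print(verdict(detect(PROCS, WRITES)))
```

Running it flags PID 712 twice for dropping a PE (the WinINet cache copy and C:\Users\Public\vbc.exe), PID 2156 as a child of EQNEDT32.EXE, PIDs 2156, 1608 and 2316 as executions of the dropped file, and PID 2316 for launching itself from C:\Users\Public; EXCEL.EXE, both EQNEDT32.EXE instances and taskmgr.exe earn nothing.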
Malware configuration: none extracted.
All screenshots are available in the full report
Total processes: 64
Monitored processes: 17
Malicious processes: 3
Suspicious processes: 1

Behavior graph (17 monitored processes, in launch order; "no specs" is the report's own label for the node)

  • excel.exe (no specs)
  • eqnedt32.exe
  • eqnedt32.exe
  • vbc.exe (no specs), 7 instances
  • taskmgr.exe (no specs)
  • taskmgr.exe
  • vbc.exe (no specs), 5 instances

Process information

PID: 3148
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 14.0.6024.1000

PID: 3464
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 712
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

Both Equation Editor instances are started through COM (-Embedding) and therefore have svchost.exe, not EXCEL.EXE, as their parent; detection rules that expect the Office application as the direct parent of EQNEDT32.EXE will not match this chain.

PID: 2156
CMD: "C:\Users\Public\vbc.exe"
Path: C:\Users\Public\vbc.exe
Parent process: EQNEDT32.EXE
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: CSMDown
Exit code: 0
Version: 1.0.0.0

PID: 1608
CMD: "C:\Users\Public\vbc.exe"
Path: C:\Users\Public\vbc.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: CSMDown
Exit code: 0
Version: 1.0.0.0

PID: 2316
CMD: "C:\Users\Public\vbc.exe"
Path: C:\Users\Public\vbc.exe
Parent process: vbc.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: CSMDown
Exit code: 4294967295 (0xFFFFFFFF)
Version: 1.0.0.0

PID: 2040
CMD: "C:\Users\Public\vbc.exe"
Path: C:\Users\Public\vbc.exe
Parent process: vbc.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: CSMDown
Exit code: 4294967295 (0xFFFFFFFF)
Version: 1.0.0.0

PID: 3752
CMD: "C:\Users\Public\vbc.exe"
Path: C:\Users\Public\vbc.exe
Parent process: vbc.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: CSMDown
Exit code: 4294967295 (0xFFFFFFFF)
Version: 1.0.0.0

PID: 1592
CMD: "C:\Users\Public\vbc.exe"
Path: C:\Users\Public\vbc.exe
Parent process: vbc.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: CSMDown
Exit code: 4294967295 (0xFFFFFFFF)
Version: 1.0.0.0

PID: 2704
CMD: "C:\Users\Public\vbc.exe"
Path: C:\Users\Public\vbc.exe
Parent process: vbc.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: CSMDown
Exit code: 4294967295 (0xFFFFFFFF)
Version: 1.0.0.0

The Company, Description and Version values shown for vbc.exe are the dropped file's own version-resource strings and say nothing about who actually built it.
Total events: 2 879
Read events: 2 724
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 2
Suspicious files: 1
Text files: 7
Unknown types: 6

Dropped files

PID 3148, EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRE66B.tmp.cvr
Type: (not recorded in the report)
MD5: (not recorded in the report)
SHA256: (not recorded in the report)

PID 712, EQNEDT32.EXE
Filename: C:\Users\Public\vbc.exe
Type: executable
MD5: A0B1B75D665C0173F7A6F258044BD6BF
SHA256: BC0397A29C3CC7A003C1DACC190062D867540A550A2EE43332ABB47323E03CB3

PID 3148, EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4FE389A6.emf
Type: emf
MD5: 37417F6B6033076729FDDFDBF83DD43F
SHA256: 17601FD73DAA99167B86B760D2982FDDAEFE1D0692885634484CE5F4F0D8ED93

PID 712, EQNEDT32.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\.csrss[1].exe
Type: executable
MD5: A0B1B75D665C0173F7A6F258044BD6BF
SHA256: BC0397A29C3CC7A003C1DACC190062D867540A550A2EE43332ABB47323E03CB3

PID 3148, EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\NX-LI-15-0001.xlsx.LNK
Type: lnk
MD5: 5872CC460EBCBB472BEF1D06D0008820
SHA256: F131EDF198218B231FF57F56A045F8AFB06D64DAFB72EE51A5187519B47CD87E

PID 3148, EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~DF0379A26B4B3E5C79.TMP
Type: binary
MD5: AEF4810294A26BA5088517084C368B44
SHA256: 408B2AB4AA40503B1909683857A8DC060408FFDE56A80EC6B0BF08C15881EFE6

PID 3148, EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: ini
MD5: AC852A1F4D6755A602FC0C3CDB65DE2A
SHA256: EF2EAE299E2D0A2793C6937B6B4D4A6E38DE2FECE10771C18CECA5548B7A7C1B

PID 3148, EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~DFD28901D81373DF9A.TMP
Type: gmc
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

PID 3148, EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~DFAF7D0688E7AA520C.TMP
Type: gmc
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

PID 3148, EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9A2D230.png
Type: image
MD5: 5EB99F38CB355D8DAD5E791E2A0C9922
SHA256: 5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0

Two of these entries are worth correlating. The WinINet cache file Content.IE5\PO2HN1X2\.csrss[1].exe and C:\Users\Public\vbc.exe carry the same hashes (MD5 A0B1B75D665C0173F7A6F258044BD6BF), so the file EQNEDT32.EXE ran from C:\Users\Public is the payload it fetched over HTTP, unchanged; that hash is the second-stage indicator to hunt for. The temp file ~DF0379A26B4B3E5C79.TMP has the same MD5 and SHA256 as the submitted sample, so it is Excel's working copy of the workbook, not a new artifact.
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 1
Threats: 0 (summary counter as shown; the Threats table below lists five IDS alerts)

HTTP requests

PID 712, EQNEDT32.EXE
Method: GET
HTTP code: 200
IP: 103.156.91.24:80
URL: http://103.156.91.24/gcould/.csrss.exe
CN: unknown
Type: executable
Size: 664 Kb
Reputation: suspicious

Connections

PID 712, EQNEDT32.EXE: 103.156.91.24:80, reputation suspicious (domain, ASN and CN not recorded in the report)
PID 3464, EQNEDT32.EXE: 103.156.91.24:80, reputation suspicious
(process not recorded in the report): 103.156.91.24:80, reputation suspicious

DNS requests

dns.msftncsi.com -> 131.107.255.255 (reputation: shared)

This lookup is the Windows Network Connectivity Status Indicator probe, which is expected to resolve to 131.107.255.255; it is operating-system background traffic, not attacker infrastructure. The payload host, by contrast, is addressed by IP literal, so no DNS query preceded the download and DNS-layer logging or blocking would see nothing of it.

Threats (IDS alerts)

PID 712, EQNEDT32.EXE:
  • A Network Trojan was detected: ET INFO Executable Download from dotted-quad Host
  • A Network Trojan was detected: ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  • Potential Corporate Privacy Violation: ET POLICY PE EXE or DLL Windows file download HTTP
  • A Network Trojan was detected: ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  • Potentially Bad Traffic: ET INFO SUSPICIOUS Dotted Quad Host MZ Response
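All five alerts fire on the same transaction and key on the same three properties: the host is an IPv4 literal, the URL names an executable, and the response body begins with the MZ header of a PE file. The script below approximates that logic over HTTP transactions reconstructed from the report and adds the one signal the IDS cannot see, namely that the requesting process is an Office component. It is an added example, not ANY.RUN's code and not the Emerging Threats rules themselves; the first bytes of the response body, the two benign control requests and their PIDs are constructed.

```python
"""Network-side triage of the download in this report: an approximation of what the listed
ET signatures key on, replayed over constructed HTTP transactions. Added example; not
ANY.RUN's or Emerging Threats' code."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpTx:
    pid: int
    process: str
    method: str
    url: str
    status: int
    body_head: bytes   # first bytes of the response body, as a sensor would capture them


_DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
_PE_EXT = re.compile(r"\.(exe|dll|scr)$", re.IGNORECASE)
OFFICE_CLIENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}


def is_dotted_quad(host: str) -> bool:
    """True when the URL host is an IPv4 literal rather than a name (no DNS lookup precedes it)."""
    m = _DOTTED_QUAD.match(host or "")
    return bool(m) and all(int(o) <= 255 for o in m.groups())


def classify(tx: HttpTx) -> list:
    """Return the tags a transaction earns; an empty list means nothing of note."""
    parts = urlsplit(tx.url)
    host = parts.hostname or ""
    is_pe = tx.status == 200 and tx.body_head.startswith(b"MZ")   # the 'MZ Response' check
    looks_exe = bool(_PE_EXT.search(parts.path))                  # URL names a PE
    tags = []
    if is_pe:
        tags.append("pe-download-http")            # cf. ET POLICY PE EXE or DLL ... download
    if is_dotted_quad(host) and (is_pe or looks_exe):
        tags.append("exe-from-dotted-quad")        # cf. ET INFO ... dotted-quad Host
    if tx.process.lower() in OFFICE_CLIENTS and (is_pe or looks_exe):
        tags.append("office-process-fetched-exe")  # process context the IDS cannot see
    return tags


def iocs(txs):
    """Collect (host, url) pairs from transactions that earned any tag."""
    return sorted({(urlsplit(t.url).hostname, t.url) for t in txs if classify(t)})


# Constructed transactions: the first mirrors the report's HTTP row (body bytes assumed to be a
# standard DOS header); the other two are benign controls with made-up PIDs. The NCSI probe is
# the same Windows connectivity check behind the dns.msftncsi.com lookup in the report.
TXS = [
    HttpTx(712, "EQNEDT32.EXE", "GET", "http://103.156.91.24/gcould/.csrss.exe", 200, b"MZ\x90\x00\x03\x00"),
    HttpTx(1500, "svchost.exe", "GET", "http://www.msftncsi.com/ncsi.txt", 200, b"Microsoft NCSI"),
    HttpTx(2200, "chrome.exe", "GET", "http://192.0.2.10/index.html", 200, b"<html>"),
]

if __name__ == "__main__":
    for t in TXS:
        print(t.pid, t.process, t.url, classify(t))
    print(iocs(TXS))
```

The dotted-quad check alone is deliberately not a finding: plenty of legitimate traffic goes to bare IPs, which is why the control request to 192.0.2.10 earns nothing. It becomes interesting only in combination with a PE body or an executable in the path, and decisive once the client is EQNEDT32.EXE, which should never download anything.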