analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

26_New Order 252465.xlsx

Full analysis: https://app.any.run/tasks/b853927b-ff78-4744-81db-789e8592bda2
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 22, 2019, 10:51:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
exploit
CVE-2017-11882
loader
nanocore
rat
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

6A4EF455EF4952DA6C9B24BE8B306523

SHA1:

01C71BA25EEFA84D2DD78B5E3FBDDFBBAE1F2D7F

SHA256:

4FC8D6723A3EC861FBDE51BD6CED05271BD81DDFDE643F91A9943D3436602E67

SSDEEP:

3072:0hqHFEi2cAXoAAGGuy+GNGNNDNustuOV+O1iHBpw54X+GuYXn6fn/u/:0hqHCiwXLnGuqyUstTOHBy5HY3gI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 1924)

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 1924)

    • Application was dropped or rewritten from another process

      • LDK.exe (PID: 2816)
      • LDK.exe (PID: 2524)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 1924)

    • NanoCore was detected

      • LDK.exe (PID: 2524)

    • Changes the autorun value in the registry

      • LDK.exe (PID: 2524)

    • Connects to CnC server

      • LDK.exe (PID: 2524)

  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 1924)
      • LDK.exe (PID: 2524)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 1924)
      • LDK.exe (PID: 2524)

    • Application launched itself

      • LDK.exe (PID: 2816)

    • Reads the machine GUID from the registry

      • taskmgr.exe (PID: 2900)

    • Connects to unusual port

      • LDK.exe (PID: 2524)

  • INFO

    • Reads the machine GUID from the registry

      • EXCEL.EXE (PID: 2804)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2804)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 2804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2019:02:09 09:30:02
ZipCRC: 0xcece5190
ZipCompressedSize: 466
ZipUncompressedSize: 3388
ZipFileName: [Content_Types].xml

XML

Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 12
  • Named Ranges
  • 1
TitlesOfParts:
  • Sheet1
  • تقرير المبيعات
  • مبيعات
  • العقود
  • السندات المفقودة
  • Customer List
  • المصروفات
  • شيكات المسحوبة
  • كشف الحساب
  • المصروفات (2)
  • مبيعات (2)
  • Sales Invoice List
  • 'كشف الحساب'!Print_Titles
Company: -
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16.03
LastModifiedBy: -
CreateDate: 2006:09:16 00:00:00Z
ModifyDate: 2018:07:08 10:49:35Z

XMP

Creator: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start excel.exe no specs eqnedt32.exe ldk.exe no specs #NANOCORE ldk.exe taskmgr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2804"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.4756.1000
1924"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2816C:\Users\admin\AppData\Roaming\LDK.exeC:\Users\admin\AppData\Roaming\LDK.exeEQNEDT32.EXE
User:
admin
Company:
gorrel10
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.04.0008
2524:\Users\admin\AppData\Roaming\LDK.exeC:\Users\admin\AppData\Roaming\LDK.exe
LDK.exe
User:
admin
Company:
gorrel10
Integrity Level:
MEDIUM
Version:
1.04.0008
2900"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 352
Read events
1 304
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
2
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
2804EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRC5E6.tmp.cvr
MD5:
SHA256:
2816LDK.exeC:\Users\admin\AppData\Local\Temp\~DFF361714CDF5FECCF.TMPbinary
MD5:E9FB0A7642155F273702EC4908B9F1A3
SHA256:4C0E23C4D5F1A8B19D7EEA3EFA1178F08CC52154D219A5D5D3D190A392A357B6
2804EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\26_New Order 252465.LNKlnk
MD5:1F03BC318404CEC88AB0FE50A382E83A
SHA256:38E485B71C72D5B3F09EC94152EE6FF3805E2D6554757A0BE733CC951E8A1D65
1924EQNEDT32.EXEC:\Users\admin\AppData\Roaming\LDK.exeexecutable
MD5:A196133BB24E1EDF479FDAAC3C64EC32
SHA256:8363CEFE2E1C3ED41AE28CB393A1C0B52D2949D7695951C1A93CB6FB51F4CA7E
2804EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:1F1AB110BD644B869354A60666F7B6FD
SHA256:3D0BB8FD217740DF9346CBFD62A78D5FCCA0E18B0B8F7D55A4D0C2B337025105
2524LDK.exeC:\Users\admin\AppData\Roaming\EEEB5D54-7880-42A7-B542-739BBC26CF4B\UPNP Host\upnphost.exeexecutable
MD5:A196133BB24E1EDF479FDAAC3C64EC32
SHA256:8363CEFE2E1C3ED41AE28CB393A1C0B52D2949D7695951C1A93CB6FB51F4CA7E
1924EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\obi[1].exeexecutable
MD5:A196133BB24E1EDF479FDAAC3C64EC32
SHA256:8363CEFE2E1C3ED41AE28CB393A1C0B52D2949D7695951C1A93CB6FB51F4CA7E
2524LDK.exeC:\Users\admin\AppData\Roaming\EEEB5D54-7880-42A7-B542-739BBC26CF4B\run.datbinary
MD5:92655F1CAC5FE5B20061F4D6B83D108D
SHA256:0D38EA1E644BFBC57A230EE0FD8EEB4C948450A722ABD4D85A9D1A10B06A7647
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
44
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1924
EQNEDT32.EXE
GET
200
92.62.131.38:80
http://realdealhouse.eu/OBO/obi.exe
LT
executable
562 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2524
LDK.exe
8.8.8.8:53
Google Inc.
US
whitelisted
1924
EQNEDT32.EXE
92.62.131.38:80
realdealhouse.eu
UAB Baltnetos komunikacijos
LT
suspicious
2524
LDK.exe
194.5.99.2:2525
lafia.hopto.org
FR
malicious

DNS requests

Domain
IP
Reputation
realdealhouse.eu
  • 92.62.131.38
suspicious
lafia.hopto.org
  • 194.5.99.2
malicious

Threats

PID
Process
Class
Message
1924
EQNEDT32.EXE
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2524
LDK.exe
A Network Trojan was detected
ET TROJAN Possible NanoCore C2 60B
2524
LDK.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
2524
LDK.exe
A Network Trojan was detected
ET TROJAN Possible NanoCore C2 60B
2524
LDK.exe
A Network Trojan was detected
ET TROJAN Possible NanoCore C2 60B
2524
LDK.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
2524
LDK.exe
A Network Trojan was detected
ET TROJAN Possible NanoCore C2 60B
2524
LDK.exe
A Network Trojan was detected
ET TROJAN Possible NanoCore C2 60B
2524
LDK.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
2524
LDK.exe
A Network Trojan was detected
ET TROJAN Possible NanoCore C2 60B
13 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
26_New Order 252465.xlsx