analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

RFQ_#250881.xlsx

Full analysis: https://app.any.run/tasks/f926fff4-8f84-491f-9df0-d1f9d9db1c66
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 23, 2019, 21:54:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
exploit
CVE-2017-11882
loader
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

BCC52E5EBC138405AA4A4A2FB99AC247

SHA1:

BFFE0A73A5A9913DB2497DF71F83447B9148C0C4

SHA256:

52D9D5467B80B92D015A695C6B671719CF864B54841CB2A7A208AC90C47EFC88

SSDEEP:

384:ZI1dBEHe8qmwWIBLMdwPIkmieUZ3nAhFvI+9hzcTNMg:ZID2HxqmQLM+QSeUZ3A3vImNg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • name.exe (PID: 2348)
      • name.exe (PID: 2332)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3304)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3304)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3304)

    • Application launched itself

      • name.exe (PID: 2348)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3152)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

XML

AppVersion: 12
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
Company: -
TitlesOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HeadingPairs:
  • Worksheets
  • 3
ScaleCrop: No
DocSecurity: None
Application: Microsoft Excel
ModifyDate: 2019:03:27 06:49:03Z
CreateDate: 2006:09:16 00:00:00Z
LastModifiedBy: -

XMP

Creator: -

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1947
ZipCompressedSize: 426
ZipCRC: 0x6ce440af
ZipModifyDate: 2019:04:22 21:12:08
ZipCompression: Deflated
ZipBitFlag: 0x0002
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
4
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start excel.exe no specs eqnedt32.exe name.exe no specs name.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3152"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3304"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2348C:\Users\admin\AppData\Local\Temp\name.exeC:\Users\admin\AppData\Local\Temp\name.exeEQNEDT32.EXE
User:
admin
Company:
overdosed6
Integrity Level:
MEDIUM
Description:
Sharpeners3
Exit code:
0
Version:
1.02.0006
2332:\Users\admin\AppData\Local\Temp\name.exeC:\Users\admin\AppData\Local\Temp\name.exename.exe
User:
admin
Company:
overdosed6
Integrity Level:
MEDIUM
Description:
Sharpeners3
Version:
1.02.0006
Total events
565
Read events
522
Write events
36
Delete events
7

Modification events

(PID) Process:(3152) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName:>'<
Value:
3E273C00500C0000010000000000000000000000
(PID) Process:(3152) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3152) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3152) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
Operation:writeName:MTTT
Value:
500C00001435111A1FFAD40100000000
(PID) Process:(3152) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:delete valueName:>'<
Value:
3E273C00500C0000010000000000000000000000
(PID) Process:(3152) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:delete keyName:
Value:
(PID) Process:(3152) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
Operation:delete keyName:
Value:
(PID) Process:(3152) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3152) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3152) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\105FF5
Operation:writeName:105FF5
Value:
04000000500C00003200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C005200460051005F0023003200350030003800380031002E0078006C0073007800000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000000000000C095121B1FFAD401F55F1000F55F100000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3152EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR5BBE.tmp.cvr
MD5:
SHA256:
2348name.exeC:\Users\admin\AppData\Local\Temp\~DF465A97BA616C7CA9.TMPbinary
MD5:A41091852EFD6C55B113EE4AEFBBDAA1
SHA256:50A92165B6BC37C0A8543BD54378E41AB1A27A1260D962CD6F3F17DAF30C9448
3304EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\RAFF[1].jpgexecutable
MD5:A4071062657F4CC615BB8AE1577A4E29
SHA256:D8CE522FB356BC5DC977D463A91EB322FD527DDB404D84C074133F742AA3678F
3304EQNEDT32.EXEC:\Users\admin\AppData\Local\Temp\name.exeexecutable
MD5:A4071062657F4CC615BB8AE1577A4E29
SHA256:D8CE522FB356BC5DC977D463A91EB322FD527DDB404D84C074133F742AA3678F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3304
EQNEDT32.EXE
GET
200
204.152.118.133:80
http://daco-precision.thomaswebs.net/assw/RAFF.jpg
US
executable
967 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3304
EQNEDT32.EXE
204.152.118.133:80
daco-precision.thomaswebs.net
ReadyTechs, LLC
US
malicious

DNS requests

Domain
IP
Reputation
daco-precision.thomaswebs.net
  • 204.152.118.133
malicious

Threats

PID
Process
Class
Message
3304
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3304
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3304
EQNEDT32.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
RFQ_#250881.xlsx