analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | DHL Clearance Document.xlsx |
| Full analysis: | https://app.any.run/tasks/9e9040f0-123c-4d86-ae00-8ed7c1155596 |
| Verdict: | Malicious activity |
| Analysis date: | December 06, 2019, 12:25:43 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/encrypted |
| File info: | CDFV2 Encrypted |
| MD5: | 98F5B739247E5051A4964B469BC1ED4B |
| SHA1: | 5A3A0B0ADF48173748E3B9AD31FAD56A0B57B12A |
| SHA256: | 69FED657536E7E792031CF9D9CA05D38E8599317EA27F6E733AA309749D7BFB5 |
| SSDEEP: | 24576:BEk1rkfwKSsrrB01BcR/rRSYG2JGEuUkobQqXWcAU7d8inmTYJ:BEKkYHqrlx8VGZ0qGlUhLBJ |
MALICIOUS
Application was dropped or rewritten from another process
- vbc.exe (PID: 2120)
Suspicious connection from the Equation Editor
- EQNEDT32.EXE (PID: 964)
Equation Editor starts application (CVE-2017-11882)
- EQNEDT32.EXE (PID: 964)
SUSPICIOUS
Executed via COM
- EQNEDT32.EXE (PID: 964)
Executable content was dropped or overwritten
- EQNEDT32.EXE (PID: 964)
INFO
Reads Microsoft Office registry keys
- EXCEL.EXE (PID: 1292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1292 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
| 964 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
| 2120 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | EQNEDT32.EXE |
User: admin Company: Rickard Johansson Integrity Level: MEDIUM Description: Supply Place Paid Apogee Version: 7.6.1.5 | ||||
Total events
664
Read events
591
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1292 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRAAB2.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 964 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable | |
MD5:48F59373EF63E36CE4796FDB3C912D64 | SHA256:3D6A994684F9E949592558C2B4539C9BD05E3EB2A454ADC73ED73743A4E8D59E | |||
| 964 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\vbc[1].exe | executable | |
MD5:48F59373EF63E36CE4796FDB3C912D64 | SHA256:3D6A994684F9E949592558C2B4539C9BD05E3EB2A454ADC73ED73743A4E8D59E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
964 | EQNEDT32.EXE | 216.170.118.183:80 | globalsharesecurefilesgood.duckdns.org | ColoCrossing | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
globalsharesecurefilesgood.duckdns.org |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
964 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
964 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |