analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Order_Material_Spec.xlsx

Full analysis: https://app.any.run/tasks/1dce8daf-e28c-4dc6-8cbd-602e8aeab5a8
Verdict: Malicious activity
Analysis date: December 14, 2018, 07:38:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

55BB46E2F367D7F096F9A8AA458FADAD

SHA1:

DD6D3B4DB0C3F69F85AC98AA9731525918BA32B2

SHA256:

75EA0C974501938BFC01F42C9E2638D762F85D47B190365F75746043556E9AFA

SSDEEP:

192:NXIkkCGp1tV0zO6+Td8lVMiYNoAMfjmySbFlm3SkZrY/V72T1VND:9IkkC+fSh+R8zACAMfiBPzer0iT1VND

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • taken.exe (PID: 2936)
      • taken.exe (PID: 2952)
    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 2624)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2624)
    • Changes the autorun value in the registry

      • taken.exe (PID: 2936)
  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 2624)
      • taken.exe (PID: 2952)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2624)
      • taken.exe (PID: 2936)
    • Reads the machine GUID from the registry

      • taken.exe (PID: 2952)
    • Application launched itself

      • taken.exe (PID: 2936)
    • Connects to unusual port

      • taken.exe (PID: 2952)
    • Loads DLL from Mozilla Firefox

      • taken.exe (PID: 2952)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

XML

AppVersion: 14.03
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
Company: -
TitlesOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HeadingPairs:
  • Worksheets
  • 3
ScaleCrop: No
DocSecurity: None
Application: Microsoft Excel
ModifyDate: 2018:11:02 02:25:33Z
CreateDate: 2006:09:16 00:00:00Z
LastModifiedBy: -

XMP

Creator: -

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1812
ZipCompressedSize: 411
ZipCRC: 0xd2ed3c21
ZipModifyDate: 2018:12:13 05:23:24
ZipCompression: Deflated
ZipBitFlag: 0x0002
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start excel.exe no specs eqnedt32.exe taken.exe explorer.exe no specs taken.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2840"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2624"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2936"C:\Users\admin\AppData\Roaming\taken.exe" C:\Users\admin\AppData\Roaming\taken.exe
EQNEDT32.EXE
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.1810.13
3164"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2952"C:\Users\admin\AppData\Roaming\taken.exe" C:\Users\admin\AppData\Roaming\taken.exe
taken.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.1810.13
3048"C:\Windows\explorer.exe"C:\Windows\explorer.exetaken.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
992
Read events
935
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
0
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
2840EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR982F.tmp.cvr
MD5:
SHA256:
2952taken.exeC:\Users\admin\AppData\Roaming\JdqAGf..tmp
MD5:
SHA256:
2624EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\vlv[1].exeexecutable
MD5:A17AB8735E4B722C25AD7F732876138B
SHA256:871C861270CA65F9B1A49E7DCD0CC7B87B804406F6A857D9DD43D8869E1927B8
2936taken.exeC:\Users\admin\AppData\Local\Chrome\StikyNot.exeexecutable
MD5:A17AB8735E4B722C25AD7F732876138B
SHA256:871C861270CA65F9B1A49E7DCD0CC7B87B804406F6A857D9DD43D8869E1927B8
2624EQNEDT32.EXEC:\Users\admin\AppData\Roaming\taken.exeexecutable
MD5:A17AB8735E4B722C25AD7F732876138B
SHA256:871C861270CA65F9B1A49E7DCD0CC7B87B804406F6A857D9DD43D8869E1927B8
2936taken.exeC:\Users\admin\AppData\Local\Temp\Disk.sysexecutable
MD5:A17AB8735E4B722C25AD7F732876138B
SHA256:871C861270CA65F9B1A49E7DCD0CC7B87B804406F6A857D9DD43D8869E1927B8
2624EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
2952taken.exeC:\Users\admin\AppData\Roaming\EhcbiBt.tmptext
MD5:E7CE898AADD69F4E4280010B7808116E
SHA256:C9214BB54F10242AA254F0758372A440C8D8F49934021F8F08B6DF9FB377EB02
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2952
taken.exe
104.168.64.166:5282
jwire.warzonedns.com
ColoCrossing
US
malicious
2624
EQNEDT32.EXE
94.102.60.3:443
cirock.ml
Quasi Networks LTD.
SC
suspicious

DNS requests

Domain
IP
Reputation
cirock.ml
  • 94.102.60.3
malicious
jwire.warzonedns.com
  • 104.168.64.166
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ml Domain
No debug info