| File name: | Solicitud de cotizaciòn..xlsx |
| Full analysis: | https://app.any.run/tasks/440d4e74-553a-4531-8451-f7f6bda138f4 |
| Verdict: | Malicious activity |
| Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
| Analysis date: | December 05, 2022, 19:04:52 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
| File info: | Microsoft Excel 2007+ |
| MD5: | CD9567E232B722B34985981E32633321 |
| SHA1: | 3B1FDB9DACD8A1F20FDC0F03D2088855924452A7 |
| SHA256: | 7AE8B3795F2EFFF6E153B1290633C327A5D3ADE19F40ECC0A891579ED5587C61 |
| SSDEEP: | 24576:Cmv7PSn7ViMIY4oSX6fM1lPH/VE+njnkLQp:CmMVHfSlPHJngEp |
MALICIOUS
Suspicious connection from the Equation Editor
- EQNEDT32.EXE (PID: 2748)
Application was injected by another process
- svchost.exe (PID: 872)
- svchost.exe (PID: 896)
- svchost.exe (PID: 496)
- SearchIndexer.exe (PID: 2044)
Runs injected code in another process
- powercfg.exe (PID: 3044)
- rundll32.exe (PID: 2332)
Equation Editor starts application (CVE-2017-11882)
- EQNEDT32.EXE (PID: 2748)
SNAKE detected by memory dumps
- RegAsm.exe (PID: 2316)
SNAKEKEYLOGGER was detected
- RegAsm.exe (PID: 2316)
Creates a writable file the system directory
- powercfg.exe (PID: 3044)
Loads the Task Scheduler COM API
- rundll32.exe (PID: 2332)
Steals credentials from Web Browsers
- RegAsm.exe (PID: 2316)
Unusual connection from system programs
- RegAsm.exe (PID: 2316)
SUSPICIOUS
Reads the Internet Settings
- EQNEDT32.EXE (PID: 2748)
- RegAsm.exe (PID: 2316)
Reads settings of System Certificates
- EQNEDT32.EXE (PID: 2748)
Reads security settings of Internet Explorer
- EQNEDT32.EXE (PID: 2748)
Checks Windows Trust Settings
- EQNEDT32.EXE (PID: 2748)
Executes scripts
- EQNEDT32.EXE (PID: 2748)
Executes as Windows Service
- powercfg.exe (PID: 3044)
- rundll32.exe (PID: 2332)
- lpremove.exe (PID: 2812)
- vssvc.exe (PID: 1292)
Connects to the server without a host name
- powershell.exe (PID: 2908)
Removes files from Windows the directory
- powercfg.exe (PID: 3044)
- mcbuilder.exe (PID: 2976)
- rundll32.exe (PID: 2332)
Reads Microsoft Outlook installation path
- powercfg.exe (PID: 3044)
Searches for installed software
- rundll32.exe (PID: 2332)
Executes PowerShell scripts
- WScript.exe (PID: 1736)
INFO
Reads the computer name
- EQNEDT32.EXE (PID: 2748)
- RegAsm.exe (PID: 2316)
Checks supported languages
- EQNEDT32.EXE (PID: 2748)
- RegAsm.exe (PID: 2316)
Checks proxy server information
- EQNEDT32.EXE (PID: 2748)
Reads security settings of Internet Explorer
- powershell.exe (PID: 2908)
Reads Environment values
- RegAsm.exe (PID: 2316)
Creates files in the Windows directory
- powercfg.exe (PID: 3044)
- rundll32.exe (PID: 2332)
- mcbuilder.exe (PID: 2976)
Creates a file in a temporary directory
- powershell.exe (PID: 2908)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
SnakeKeylogger
(PID) Process(2316) RegAsm.exe
ProtocolSMTP
Hostkeefort.com.ec
Port587
Credentials
Usernamecousinsnake@keefort.com.ec
Passwordcousinsnake@@
TRiD
| .xlsx | | | Excel Microsoft Office Open XML Format document (61.2) |
|---|---|---|
| .zip | | | Open Packaging Conventions container (31.5) |
| .zip | | | ZIP compressed archive (7.2) |
Total processes
58
Monitored processes
16
Malicious processes
8
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 496 | C:\Windows\system32\svchost.exe -k netsvcs | C:\Windows\system32\svchost.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 764 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 4294967295 Version: 4.7.2558.0 built by: NET471REL1 Modules
| |||||||||||||||
| 872 | C:\Windows\system32\svchost.exe -k DcomLaunch | C:\Windows\system32\svchost.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 896 | C:\Windows\system32\svchost.exe -k NetworkService | C:\Windows\system32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1292 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1736 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\greeee.vbs" | C:\Windows\SysWOW64\WScript.exe | — | EQNEDT32.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 2044 | C:\Windows\system32\SearchIndexer.exe /Embedding | C:\Windows\system32\SearchIndexer.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Indexer Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2316 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 4.7.2558.0 built by: NET471REL1 Modules
SnakeKeylogger(PID) Process(2316) RegAsm.exe ProtocolSMTP Hostkeefort.com.ec Port587 Credentials Usernamecousinsnake@keefort.com.ec Passwordcousinsnake@@ | |||||||||||||||
| 2324 | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | C:\Windows\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2332 | C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation | C:\Windows\system32\rundll32.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
19 028
Read events
18 674
Write events
350
Delete events
4
Modification events
| (PID) Process: | (2424) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
| Operation: | write | Name: | |k: |
Value: 7C6B3A0078090000010000000000000000000000 | |||
| (PID) Process: | (2424) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (2424) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1041 |
Value: Off | |||
| (PID) Process: | (2424) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1042 |
Value: Off | |||
| (PID) Process: | (2424) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1046 |
Value: Off | |||
| (PID) Process: | (2424) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1036 |
Value: Off | |||
| (PID) Process: | (2424) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1031 |
Value: Off | |||
| (PID) Process: | (2424) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1040 |
Value: Off | |||
| (PID) Process: | (2424) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1049 |
Value: Off | |||
| (PID) Process: | (2424) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 3082 |
Value: Off | |||
Executable files
0
Suspicious files
145
Text files
6
Unknown types
96
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2424 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE37C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2324 | DllHost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat | — | |
MD5:— | SHA256:— | |||
| 3044 | powercfg.exe | C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-ntkl.etl | — | |
MD5:— | SHA256:— | |||
| 2324 | DllHost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk | binary | |
MD5:— | SHA256:— | |||
| 2976 | mcbuilder.exe | C:\Windows\rescache\wip\Segment1.cmf | binary | |
MD5:— | SHA256:— | |||
| 3044 | powercfg.exe | C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report-2022-12-05.xml | xml | |
MD5:— | SHA256:— | |||
| 2332 | rundll32.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 3044 | powercfg.exe | C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-trace.etl | etl | |
MD5:— | SHA256:— | |||
| 896 | svchost.exe | C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb | — | |
MD5:— | SHA256:— | |||
| 2748 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\cousinsnkfridayPayload[1].vbs | text | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
5
DNS requests
3
Threats
13
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2908 | powershell.exe | GET | 200 | 4.204.233.44:80 | http://4.204.233.44/DLL/NoStartUp.ppam | US | text | 12.0 Kb | whitelisted |
2908 | powershell.exe | GET | 200 | 195.178.120.24:80 | http://195.178.120.24/nvdsfvddfsjgkkjsasjagkds.txt | unknown | text | 168 Kb | malicious |
2316 | RegAsm.exe | GET | 200 | 158.101.44.242:80 | http://checkip.dyndns.org/ | US | html | 104 b | shared |
2908 | powershell.exe | GET | 200 | 4.204.233.44:80 | http://4.204.233.44/Rump/Rump.xls | US | text | 53.1 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2748 | EQNEDT32.EXE | 142.250.185.202:443 | firebasestorage.googleapis.com | GOOGLE | US | whitelisted |
2908 | powershell.exe | 4.204.233.44:80 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2316 | RegAsm.exe | 158.101.44.242:80 | checkip.dyndns.org | ORACLE-BMC-31898 | US | malicious |
2908 | powershell.exe | 195.178.120.24:80 | — | Delis LLC | US | malicious |
2316 | RegAsm.exe | 88.99.90.21:587 | keefort.com.ec | Hetzner Online GmbH | DE | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
firebasestorage.googleapis.com |
| whitelisted |
checkip.dyndns.org |
| shared |
keefort.com.ec |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2908 | powershell.exe | A Network Trojan was detected | ET TROJAN Powershell commands sent B64 2 |
2908 | powershell.exe | Misc activity | ET POLICY EXE Base64 Encoded potential malware |
2908 | powershell.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host XLS Request |
2908 | powershell.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
2908 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1 |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain |
— | — | Misc activity | AV INFO Query to checkip.dyndns. Domain |
2316 | RegAsm.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup - checkip.dyndns.org |
2316 | RegAsm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
4 ETPRO signatures available at the full report