analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

CVE-2018-15982_#PoC#.zip

Full analysis: https://app.any.run/tasks/8a7ffb2b-313b-4009-81e5-267586913722
Verdict: Malicious activity
Analysis date: December 06, 2018, 17:01:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

E532A2D11E6FDFFFB125784954A85897

SHA1:

E21C019F67A9AF1AFF42253479C01AA878DFA591

SHA256:

7D3D771A1B97DB22A683EFE0635EB7DC30607F6F9A4C4617F0B8893F71135A14

SSDEEP:

384:tD6xONrPneM4Y2OHYLGY+QdUdYtZSqqrQnk70NHLa:+IW5YZ43+7k4t70NHe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2944)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2944)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 2944)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: CVE-2018-15982_PoC.xls
ZipUncompressedSize: 38400
ZipCompressedSize: 12774
ZipCRC: 0x0a2334cd
ZipModifyDate: 2018:12:05 23:49:01
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs excel.exe no specs cmd.exe no specs calc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2964"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\CVE-2018-15982_#PoC#.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2944"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
3608C:\WINDOWS\system32\cmd.exe /c calc.exe C:\WINDOWS\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2412calc.exe C:\Windows\system32\calc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Calculator
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 151
Read events
1 083
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
2
Unknown types
26

Dropped files

PID
Process
Filename
Type
2964WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2964.19942\CVE-2018-15982_PoC.xls
MD5:
SHA256:
2944EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRB0C2.tmp.cvr
MD5:
SHA256:
2944EXCEL.EXEC:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx
MD5:
SHA256:
2944EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\CVE-2018-15982_PoC.xls.LNKlnk
MD5:E972659A4E83DFD0C6DA7EF495CE504C
SHA256:9CC59DCCD0232771C044B8D6B2737016504A1CF28C4F5980B0E20CA5425B6265
2944EXCEL.EXEC:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.solsol
MD5:010F7FB83A539F59302C2F440D31EB5B
SHA256:88224DAAA680E27DF8D4AD62978DFFACFA7F54A34E63BDA619871B2D0E753472
2944EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF435ACCB115545C26.TMP
MD5:
SHA256:
2944EXCEL.EXEC:\Users\admin\AppData\Local\Temp\Excel8.0\ShockwaveFlashObjects.exdtlb
MD5:1AA16F51E6F54BCAA7820615C0676C53
SHA256:34A305FDE618432FEC2380E8E4B344C0014626444FB1C04BF9E73105D8F2E346
2944EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:FC044BFE68F1A328B8C59F00382C7999
SHA256:FF532E72AF0013E66D1A84F6DD32CEC29874330F913837B1AECB781464C9C795
2944EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CC718E6.emfemf
MD5:F9AFBE8A89F041F1D1B91A12D8FB717C
SHA256:BAB87068BC5847C2B2483FA1CDF0A2D0D5C1C562E8289DEAA64510D7AC8D77B7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
CVE-2018-15982_#PoC#.zip