File name: Order-List.xlsx
Full analysis: https://app.any.run/tasks/d6769acb-f426-4c32-acf2-ca0f44c32865
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 18, 2019, 11:15:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: encrypted, exploit, CVE-2017-11882, loader, rat, nanocore, trojan
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5: E66839016E65B5FE86A225BD07546480
SHA1: DE25AABA134B837F7554C96FFD1E3502A0F77628
SHA256: 929F33B39D6A03F80C3FA78AF70BCAF8401F8AC4D268096DFFE987938048E12A
SSDEEP: 1536:EpatrBXt7TJYCZqXxIYYKjRY3fMKt70DUSUSmPtcPPPUuDM:SwDiCMnJOkMQtDmPKPPP7DM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • vbc.exe (PID: 3908)
      • RegAsm.exe (PID: 1516)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 3404)
    • Downloads executable files from the Internet
      • EQNEDT32.EXE (PID: 3404)
    • NanoCore was detected
      • RegAsm.exe (PID: 1516)
    • Connects to CnC server
      • RegAsm.exe (PID: 1516)
    • Changes the autorun value in the registry
      • RegAsm.exe (PID: 1516)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 3404)
      • RegAsm.exe (PID: 1516)
    • Creates files in the user directory
      • RegAsm.exe (PID: 1516)
    • Executed via COM
      • EQNEDT32.EXE (PID: 3404)
  • INFO
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 3308)
No Malware configuration.
Total processes: 38
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph (figure; only node and edge labels recovered): start, drop and start, excel.exe (no specs), eqnedt32.exe, vbc.exe, #NANOCORE regasm.exe

Process information

PID | CMD | Path | Parent process
3308 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000
3404 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe
  User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
3908 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | EQNEDT32.EXE
  User: admin; Company: Chabrier; Integrity Level: MEDIUM; Description: templarlike; Exit code: 0; Version: 0.7.2.5
1516 | "C:\Users\Public\vbc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | vbc.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5420 (Win7SP1.050727-5400)
Total events: 643
Read events: 598
Write events: 38
Delete events: 7

Modification events

PID 3308 (EXCEL.EXE) | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | Operation: write | Name: -`; | Value: 2D603B00EC0C0000010000000000000000000000
PID 3308 (EXCEL.EXE) | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1033 | Value: Off
PID 3308 (EXCEL.EXE) | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1033 | Value: On
PID 3308 (EXCEL.EXE) | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | Operation: write | Name: MTTT | Value: EC0C0000C63C9D195A3DD50100000000
PID 3308 (EXCEL.EXE) | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | Operation: delete value | Name: -`; | Value: 2D603B00EC0C0000010000000000000000000000
PID 3308 (EXCEL.EXE) | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | Operation: delete key
PID 3308 (EXCEL.EXE) | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency | Operation: delete key
PID 3308 (EXCEL.EXE) | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 0
PID 3308 (EXCEL.EXE) | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 1
PID 3308 (EXCEL.EXE) | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\DF54E | Operation: write | Name: DF54E | Value:
Executable files: 3
Suspicious files: 1
Text files: 1
Unknown types: 1

Dropped files

PID | Process | Filename | Type
3308 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRF00D.tmp.cvr | (type and hashes not reported)
1516 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text
  MD5: 0D402430DB5324BC4F66DEC78DD0F604; SHA256: 7E72186215D93C7DB67F55EA9AC66898961204CDA1EEA9A0BDE998DE63187083
3404 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\tiyo[1].exe | executable
  MD5: BF3D3DF449F23AF7DE28840CC46CDDCE; SHA256: 2B31756BEACCED3C1EA19E940BF408367EC0952CF0CE7D461C1A54BB7DCB3FEB
3404 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable
  MD5: BF3D3DF449F23AF7DE28840CC46CDDCE; SHA256: 2B31756BEACCED3C1EA19E940BF408367EC0952CF0CE7D461C1A54BB7DCB3FEB
1516 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\storage.dat | binary
  MD5: 7B0461CA945EE59FD8AE9D442E65FE66; SHA256: 32CC4AE0F9DF667431C8557B41FAFA39811038DD8BC96E460B3E53BF012DFD68
1516 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat | bs
  MD5: 9E7D0351E4DF94A9B0BADCEB6A9DB963; SHA256: AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
1516 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe | executable
  MD5: 278EDBD499374BF73621F8C1F969D894; SHA256: C6999B9F79932C3B4F1C461A69D9DC8DC301D6A155ABC33EFE1B6E9E4A038391
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3404 | EQNEDT32.EXE | GET | 200 | 103.21.59.25:80 | http://amarcoldstorage.com/tiyo.exe | IN | executable | 779 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 |  | 8.8.8.8:53 |  | Google Inc. | US | whitelisted
3404 | EQNEDT32.EXE | 103.21.59.25:80 | amarcoldstorage.com | PDR | IN | malicious
1516 | RegAsm.exe | 160.116.15.155:1122 | nanoman.ddns.net |  | ZA | malicious

DNS requests

Domain | IP | Reputation
amarcoldstorage.com | 103.21.59.25 | suspicious
nanoman.ddns.net | 160.116.15.155 | malicious

Threats

PID | Process | Class | Message
3404 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1516 | RegAsm.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B
1516 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT (8 identical alerts)
14 ETPRO signatures available at the full report
Process | Message
vbc.exe | User32.dll (10 identical entries)