File name: Api.xlsx
Full analysis: https://app.any.run/tasks/0b3f5d30-488d-4643-9a10-defcb3967049
Verdict: Malicious activity
Analysis date: September 18, 2019, 17:46:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, CVE-2017-11882, autoit
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5: D663BADCAA2ED66E46FE2C40070DFB6A
SHA1: 34066DC32E1BD8EC5685FBDD53C675E25AB61B33
SHA256: 9BD3DB55472AA810ED1D87DC72ED5BCBDA9267FE52C61C63D624041D10E62305
SSDEEP: 1536:d8t/oP5QYMMscvJSvn3hhb2mnGh7zMC56Px3DeKpzOamN:d8G1MMVvJSf3hhbA5ACWx3DhpS1
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 3500)
    • Application was dropped or rewritten from another process
      • gfj.exe (PID: 3360)
      • intel.exe (PID: 2556)
    • Changes the autorun value in the registry
      • gfj.exe (PID: 3360)
    • Writes to a start menu file
      • gfj.exe (PID: 3360)
  • SUSPICIOUS
    • Creates files in the program directory
      • EQNEDT32.EXE (PID: 3500)
    • Executed via COM
      • EQNEDT32.EXE (PID: 3500)
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 3500)
      • intel.exe (PID: 2556)
    • Creates files in the user directory
      • gfj.exe (PID: 3360)
    • Drop AutoIt3 executable file
      • intel.exe (PID: 2556)
  • INFO
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 3408)
    • Dropped object may contain Bitcoin addresses
      • intel.exe (PID: 2556)
No Malware configuration.
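The indicators above come from running the sample; the first question an analyst usually asks before detonation is whether the spreadsheet even carries an Equation Editor object. The following is an added example, not code from the ANY.RUN report or from the sample, of that static triage step. It relies only on documented format facts: an .xlsx is a zip container, embedded OLE objects sit under xl/embeddings/ as OLE compound files (magic D0 CF 11 E0 A1 B1 1A E1), the Equation.3 class is {0002CE02-0000-0000-C000-000000000046}, and OLE directory entries store stream names such as "Equation Native" as UTF-16LE. The scanner searches raw bytes for those markers rather than parsing the compound file, so a hit is a triage signal for further analysis, not a CVE-2017-11882 verdict, and the in-memory containers it builds are constructed for the demo, not the report's file.

```python
"""Static triage of an OOXML container for embedded Equation Editor objects.

Added example; not code from the ANY.RUN report. Heuristic byte scan of
embedded OLE objects for Equation Editor markers.
"""
import io
import uuid
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
EQUATION3_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")
OLE_REL_TYPE = b"relationships/oleObject"  # relationship type sheets use for OLE parts


def scan_ooxml(data: bytes) -> dict:
    """Return {zip member: findings} for .rels parts and embedded objects."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            blob = zf.read(name)
            if lower.endswith(".rels") and OLE_REL_TYPE in blob:
                findings[name] = {"ole_relationship": True}
                continue
            if "/embeddings/" not in lower and not lower.endswith(".bin"):
                continue
            findings[name] = {
                "is_ole": blob.startswith(OLE_MAGIC),
                # CLSIDs are stored little-endian in OLE directory entries
                "equation_clsid": EQUATION3_CLSID.bytes_le in blob,
                "equation_native_stream": EQUATION_NATIVE_UTF16 in blob,
            }
    return findings


def is_suspicious(findings: dict) -> bool:
    """True when any embedded object carries an Equation Editor marker."""
    return any(f.get("equation_clsid") or f.get("equation_native_stream")
               for f in findings.values())


def build_sample(with_equation: bool) -> bytes:
    """Constructed in-memory container for the demo (not the report's sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr(
            "xl/worksheets/_rels/sheet1.xml.rels",
            '<Relationship Type="http://schemas.openxmlformats.org/officeDocument/'
            '2006/relationships/oleObject" Target="../embeddings/oleObject1.bin"/>',
        )
        ole = bytearray(OLE_MAGIC + b"\x00" * 504)  # minimal fake 512-byte OLE header
        if with_equation:
            ole += EQUATION3_CLSID.bytes_le + b"\x00" * 16 + EQUATION_NATIVE_UTF16
        else:
            ole += b"\x00" * 64
        zf.writestr("xl/embeddings/oleObject1.bin", bytes(ole))
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("equation", build_sample(True)), ("benign", build_sample(False))):
        result = scan_ooxml(sample)
        print(label, "suspicious" if is_suspicious(result) else "clean", result)
```

An OLE relationship with no Equation marker is not by itself a reason to alarm (any embedded object produces one); the combination of an embedded object and the Equation.3 CLSID in a spreadsheet that has no visible reason to contain a formula object is what earns the file a detonation.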

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2019:09:17 11:20:14
ZipCRC: 0xa97f1e42
ZipCompressedSize: 386
ZipUncompressedSize: 1505
ZipFileName: [Content_Types].xml

XMP

Creator: Windows User

XML

LastModifiedBy: Windows User
CreateDate: 2019:09:11 23:33:40Z
ModifyDate: 2019:09:14 05:13:44Z
Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 1
TitlesOfParts: Sheet1
Company: -
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 15.03
Total processes: 37
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

explorer.exe -> EXCEL.EXE (PID 3408, no specific indicators)
svchost.exe -> EQNEDT32.EXE (PID 3500, started via COM)
EQNEDT32.EXE -> intel.exe (PID 2556, drop and start)
intel.exe -> gfj.exe (PID 3360, drop and start)
gfj.exe -> RegSvcs.exe (PID 3908)

Process information

PID 3408: EXCEL.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Excel
  Version: 14.0.6024.1000

PID 3500: EQNEDT32.EXE
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Parent process: svchost.exe
  User: admin
  Company: Design Science, Inc.
  Integrity Level: MEDIUM
  Description: Microsoft Equation Editor
  Exit code: 0
  Version: 00110900

PID 2556: intel.exe
  CMD: "C:\ProgramData\intel.exe"
  Path: C:\ProgramData\intel.exe
  Parent process: EQNEDT32.EXE
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3360: gfj.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\09141351\gfj.exe" mkkkqe
  Path: C:\Users\admin\AppData\Local\Temp\09141351\gfj.exe
  Parent process: intel.exe
  User: admin
  Company: AutoIt Team
  Integrity Level: MEDIUM
  Description: AutoIt v3 Script
  Version: 3, 3, 8, 1

PID 3908: RegSvcs.exe
  CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  Parent process: gfj.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft .NET Services Installation Utility
  Version: 4.7.3062.0 built by: NET472REL1
Total events: 1 710
Read events: 1 330
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 3
Suspicious files: 1
Text files: 56
Unknown types: 2

Dropped files

PID 3408 (EXCEL.EXE)
  C:\Users\admin\AppData\Local\Temp\CVR9C44.tmp.cvr
    Type: not reported; MD5/SHA256: not reported

PID 2556 (intel.exe)
  C:\Users\admin\AppData\Local\Temp\09141351\mkkkqe
    Type: not reported; MD5/SHA256: not reported
  C:\Users\admin\AppData\Local\Temp\09141351\hjx.docx
    Type: text
    MD5: 2410475D04D860CB08227642B79D1D09
    SHA256: 5DB35856D0ECF832913634F53B5F4DE44FCDA90E0A4423938B56EE4D68FE1743
  C:\Users\admin\AppData\Local\Temp\09141351\sji.icm
    Type: text
    MD5: 25BD06C3E038B2004DACE144DFE51ED5
    SHA256: 3D27090A7BC9E1B64DBC4E2EE4354F77E1C1AD9DBAFD1F9DE484CF346E6685C5
  C:\Users\admin\AppData\Local\Temp\09141351\nmj.dat
    Type: text
    MD5: 55950DDAFD81C7D0B748F827378893EC
    SHA256: EA06FA8939954902A3CD79377E35AD95AE37C37EA7DD28B5152B8079BDCB4543
  C:\Users\admin\AppData\Local\Temp\09141351\ivb.exe
    Type: text
    MD5: EDB1CCA2C4C759BD14D671F2D04B7D76
    SHA256: A9FE6F36F6374D7370D0D41F0FC2DC5ED43040DDA4561ECCD592ACF89BC3FD78
  C:\Users\admin\AppData\Local\Temp\09141351\dmq.xls
    Type: text
    MD5: 147DB52CC89E60EF6B4C9AFEBEE07A52
    SHA256: CA52A43B3921AF968F8AA3E33E2E49F37D0518FA423BB0C4D4F45BF1940F62D9
  C:\Users\admin\AppData\Local\Temp\09141351\gut.docx
    Type: text
    MD5: C54A81C7B639F16883A8DEA52B33B67B
    SHA256: CD6B63E55F55461D47BFB15AEE17263083DBC0EBA59EA8D7561659FE1ABB803F
  C:\Users\admin\AppData\Local\Temp\09141351\oix.cpl
    Type: text
    MD5: B87F7AB2DC57E74004AD280BA60915CF
    SHA256: FF5726EBA400823042F355EEF5CD790102C99C3D3B4D88E2B17A41257291256F
  C:\Users\admin\AppData\Local\Temp\09141351\utt.jpg
    Type: text
    MD5: C15A1BCC06ECB45B9056494CF5340707
    SHA256: 768C0D94F36947E71A1183995FBEC5F53385DF2606415BB2308E64D7D387176A
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 3908 RegSvcs.exe -> 79.134.225.61:5552 (info1.nowddns.com)
  ASN: Andreas Fink trading as Fink Telecom Services; CN: CH; Reputation: malicious
PID 3500 EQNEDT32.EXE -> 207.174.215.236:80 (indulfastag.com)
  ASN: PDR; CN: US; Reputation: malicious

DNS requests

indulfastag.com -> 207.174.215.236 (Reputation: malicious)
info1.nowddns.com -> 79.134.225.61 (Reputation: malicious)

Threats

PID 3500 EQNEDT32.EXE
  Class: Potentially Bad Traffic
  Message: ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
PID 3500 EQNEDT32.EXE
  Class: Potential Corporate Privacy Violation
  Message: ET POLICY PE EXE or DLL Windows file download HTTP
No debug info