File name: 7ccf88c0bbe3b29bf19d877c4596a8d4.zip

Full analysis: https://app.any.run/tasks/cf4ffe03-c59b-4659-b8b3-3ed3c9531849
Verdict: Malicious activity
Analysis date: December 02, 2023, 10:02:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, cve-2017-11882
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: ADEE407A5D9F4425707FE5BD4C25AA14
SHA1: 5A99F6B3B106DAF23BA2C29F2FF94CB118703414
SHA256: A53DB45F1D4A2F36EBC0B0E268D2073BABA89CA6C1D05FE9A06EF395E8658A51
SSDEEP: 1536:jjaEudvK51sOagtBDPihqGGJRvbB8lmAqQap28rxmQ3wIUG7ChXtZlYGdf:jejdvK17JKhqNjv3p2oxzw67CVtZlYi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 3676)
    • Gets TEMP folder path (SCRIPT)
      • wscript.exe (PID: 1036)
    • Accesses environment variables (SCRIPT)
      • wscript.exe (PID: 1036)
    • Gets a file object corresponding to the file in a specified path (SCRIPT)
      • wscript.exe (PID: 1036)
    • Deletes a file (SCRIPT)
      • wscript.exe (PID: 1036)
      • cscript.exe (PID: 2548)
      • cscript.exe (PID: 2668)
    • Unusual execution from MS Office
      • EXCEL.EXE (PID: 124)
    • Uses base64 encoding (SCRIPT)
      • cscript.exe (PID: 2548)
      • cscript.exe (PID: 2668)
    • Creates internet connection object (SCRIPT)
      • cscript.exe (PID: 2548)
      • cscript.exe (PID: 2668)
    • Checks whether a specified folder exists (SCRIPT)
      • cscript.exe (PID: 2548)
      • cscript.exe (PID: 2668)
    • Opens an HTTP connection (SCRIPT)
      • cscript.exe (PID: 2668)
      • cscript.exe (PID: 2548)
    • Sends HTTP request (SCRIPT)
      • cscript.exe (PID: 2548)
      • cscript.exe (PID: 2668)
    • Unusual connection from system programs
      • cscript.exe (PID: 2668)
      • cscript.exe (PID: 2548)
  • SUSPICIOUS
    • Starts CMD.EXE for commands execution
      • EQNEDT32.EXE (PID: 3676)
      • wscript.exe (PID: 1036)
    • Reads the Internet Settings
      • wscript.exe (PID: 1036)
    • Creates FileSystem object to access computer's file system (SCRIPT)
      • wscript.exe (PID: 1036)
      • cscript.exe (PID: 2548)
      • cscript.exe (PID: 2668)
    • Runs shell command (SCRIPT)
      • wscript.exe (PID: 1036)
    • The process executes VB scripts
      • cmd.exe (PID: 3892)
      • EXCEL.EXE (PID: 124)
    • Detected use of alternative data streams (AltDS)
      • EXCEL.EXE (PID: 124)
      • cscript.exe (PID: 2548)
    • Sets XML DOM element text (SCRIPT)
      • cscript.exe (PID: 2548)
      • cscript.exe (PID: 2668)
    • Changes charset (SCRIPT)
      • cscript.exe (PID: 2548)
      • cscript.exe (PID: 2668)
    • Creates XML DOM element (SCRIPT)
      • cscript.exe (PID: 2548)
      • cscript.exe (PID: 2668)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)
      • cscript.exe (PID: 2548)
      • cscript.exe (PID: 2668)
    • Reads data from a binary Stream object (SCRIPT)
      • cscript.exe (PID: 2548)
      • cscript.exe (PID: 2668)
    • Writes binary data to a Stream object (SCRIPT)
      • cscript.exe (PID: 2548)
      • cscript.exe (PID: 2668)
    • Checks whether a specific file exists (SCRIPT)
      • cscript.exe (PID: 2548)
      • cscript.exe (PID: 2668)
    • Gets full path of the running script (SCRIPT)
      • cscript.exe (PID: 2668)
  • INFO
    • The process uses the downloaded file
      • EXCEL.EXE (PID: 124)
    • Checks supported languages
      • EQNEDT32.EXE (PID: 3676)
      • wmpnscfg.exe (PID: 4040)
    • Manual execution by a user
      • EXCEL.EXE (PID: 124)
      • wmpnscfg.exe (PID: 4040)
    • Reads the computer name
      • EQNEDT32.EXE (PID: 3676)
      • wmpnscfg.exe (PID: 4040)
    • Reads the machine GUID from the registry
      • EQNEDT32.EXE (PID: 3676)
    • Reads security settings of Internet Explorer
      • cscript.exe (PID: 2668)
      • cscript.exe (PID: 2548)
    • Creates files in the program directory
      • EXCEL.EXE (PID: 124)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2021:03:14 21:04:16
ZipCRC: 0x2bf8580d
ZipCompressedSize: 69232
ZipUncompressedSize: 2793487
ZipFileName: ORDER SHEET & SPEC.xlsm
No data.
All screenshots are available in the full report
Total processes: 53
Monitored processes: 9
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Processes shown in the graph (interactive graph available in the full report): winrar.exe (no specs), excel.exe (no specs), eqnedt32.exe, cmd.exe (no specs), wscript.exe (no specs), cmd.exe (no specs), cscript.exe, cscript.exe, wmpnscfg.exe (no specs)

Process information

PID: 124
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 844
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\7ccf88c0bbe3b29bf19d877c4596a8d4.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 1036
CMD: WSCrIpT C:\Users\admin\AppData\Local\Temp\v?..wsf  C
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 1840
CMD: cMD /c REN %tmp%\q v& WSCrIpT %tmp%\v?..wsf  C
Path: C:\Windows\System32\cmd.exe
Parent process: EQNEDT32.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2548
CMD: "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
Path: C:\Windows\System32\cscript.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 2668
CMD: cscript C:\Users\admin\AppData\Local\Temp\xx.vbs
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 3676
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900
Modules (images):
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 3892
CMD: "C:\Windows\System32\cmd.exe" /c cscript C:\Users\admin\AppData\Local\Temp\xx.vbs
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 4040
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Total events: 3 157
Read events: 3 093
Write events: 53
Delete events: 11

Modification events

(PID) Process: (844) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (124) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

(PID) Process: (124) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1041
Value: On

Executable files: 1
Suspicious files: 5
Text files: 7
Unknown types: 0

Dropped files

PID: 124 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Temp\CVRD68E.tmp.cvr | Type:
MD5:
SHA256:

PID: 124 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\605267D3.emf | Type: binary
MD5: B59DD20DE3FDC50CD6B3C4BAF9C12DE8
SHA256: 979DDE2AED02F077C16AE53546C6DF9EED40E8386D6DB6FC36AEE9F966D2CB82

PID: 124 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Temp\xx | Type: text
MD5: 03D7DF9993352270E6A5497B895E79A8
SHA256: 4779756453533076AEE716817D417968F4C462E1868D1A6196006EEA0C9B6E1B

PID: 124 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Temp\q | Type: html
MD5: EF556C44786A88CDF0F705AC03D9099A
SHA256: 6CE8F2114ACAC0CE2EED32D302A6A40185D3388CAA722B0724DA2AEBDEABEB3C

PID: 1840 | Process: cmd.exe | Filename: C:\Users\admin\AppData\Local\Temp\v | Type: html
MD5: EF556C44786A88CDF0F705AC03D9099A
SHA256: 6CE8F2114ACAC0CE2EED32D302A6A40185D3388CAA722B0724DA2AEBDEABEB3C

PID: 124 | Process: EXCEL.EXE | Filename: C:\programdata\asc.txt:script1.vbs | Type: text
MD5: 6196CE936B2131935E89615965438ED4
SHA256: 2EAA9D08D7E29C99D616AACCC4728F120E1E9A14816FECAB17F388665A89B6E4

PID: 124 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Temp\q:Zone.Identifier | Type: text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913

PID: 124 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Temp\xx:Zone.Identifier | Type: text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913

PID: 124 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ORDER SHEET & SPEC.xlsm.LNK | Type: binary
MD5: F1266C665E0A2495F68176EF5B290BC4
SHA256: C8F7F5D57FC8A8B450F6DCEC3076E051C5DB46FAB4AEFCBC056F81DBBCF11360

PID: 124 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | Type: text
MD5: 153BB8139145D1DD4B9D7CDB12AF3A0B
SHA256: F11D812D79913B2FC4B702D5142E449C88BAFF49412CF47DBADD696A893CC9DE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 8
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 2588 | Process: svchost.exe | IP: 239.255.255.250:1900 | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 1080 | Process: svchost.exe | IP: 224.0.0.252:5355 | Reputation: unknown
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 2668 | Process: cscript.exe | IP: 177.53.143.89:443 | Domain: multiwaretecnologia.com.br | ASN: Brasil Site Informatica LTDA | CN: BR | Reputation: unknown
PID: 2548 | Process: cscript.exe | IP: 177.53.143.89:443 | Domain: multiwaretecnologia.com.br | ASN: Brasil Site Informatica LTDA | CN: BR | Reputation: unknown


DNS requests

Domain: multiwaretecnologia.com.br | IP: 177.53.143.89 | Reputation: malicious

Threats

No threats detected
No debug info