analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

1f2136e35f3645f347afd140e9783a6654646d16

Full analysis: https://app.any.run/tasks/a1debede-ad2f-439a-a4b3-999f5d12a666
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 31, 2020, 07:47:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
ole-embedded
macros-on-open
exploit
CVE-2017-11882
loader
Indicators:
MIME: application/octet-stream
File info: Microsoft OOXML
MD5:

3FACDB98F37A25CA0776CCAD1582D660

SHA1:

1F2136E35F3645F347AFD140E9783A6654646D16

SHA256:

CD589F856DF07FDA6DFBAEB2CF7E921DC5726D869FAB92CC6F23295F25DCC72F

SSDEEP:

768:5uwXQ73VbHnxIneq+3AigSLgziV2ZA8GQ0nItejELLHKvDltOiC:5fQ73VLnoBKJlfV2ZR0nIcjELcDlDC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • chrme.exe (PID: 2608)
      • chrme.exe (PID: 3440)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3880)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3956)

    • Downloads executable files from the Internet

      • cscript.exe (PID: 3896)
      • wscript.exe (PID: 2612)

    • Executes scripts

      • EXCEL.EXE (PID: 3956)

    • Downloads executable files from IP

      • cscript.exe (PID: 3896)
      • wscript.exe (PID: 2612)

    • Writes to a start menu file

      • chrme.exe (PID: 2608)

    • Actions looks like stealing of personal data

      • chrme.exe (PID: 3440)

  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 3880)

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 3880)
      • cscript.exe (PID: 2616)

    • Executes scripts

      • cmd.exe (PID: 1156)
      • cmd.exe (PID: 2464)

    • Executable content was dropped or overwritten

      • cscript.exe (PID: 3896)

    • Creates files in the program directory

      • cscript.exe (PID: 3896)
      • EXCEL.EXE (PID: 3956)

    • Creates files in the user directory

      • chrme.exe (PID: 2608)
      • chrme.exe (PID: 3440)

    • Application launched itself

      • chrme.exe (PID: 2608)

    • Reads Environment values

      • chrme.exe (PID: 3440)

    • Reads the cookies of Mozilla Firefox

      • chrme.exe (PID: 3440)

    • Reads the cookies of Google Chrome

      • chrme.exe (PID: 3440)

    • Connects to SMTP port

      • chrme.exe (PID: 3440)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3956)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 3956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsm | Excel Microsoft Office Open XML Format document (with Macro) (45.9)
.xlsx | Excel Microsoft Office Open XML Format document (27.1)
.zip | Open Packaging Conventions container (13.9)
.ubox | Universe Sandbox simulation (9.6)
.zip | ZIP compressed archive (3.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:03:31 07:01:10
ZipCRC: 0xcdc0e5bf
ZipCompressedSize: 427
ZipUncompressedSize: 1789
ZipFileName: [Content_Types].xml

XML

Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 3
TitlesOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
LastModifiedBy: Windows
CreateDate: 2020:02:01 18:28:07Z
ModifyDate: 2020:02:01 18:32:27Z

XMP

Creator: Windows
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
9
Malicious processes
5
Suspicious processes
3

Behavior graph

Click at the process to see the details
start drop and start excel.exe no specs eqnedt32.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe chrme.exe wscript.exe chrme.exe

Process information

PID
CMD
Path
Indicators
Parent process
3956"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3880"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
1156cmd /c ren %tmp%\yy y.js&CSCRIpt %tmp%\y.js  CC:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2616CSCRIpt C:\Users\admin\AppData\Local\Temp\y.js  CC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2464"C:\Windows\System32\cmd.exe" /c cscript C:\Users\admin\AppData\Local\Temp\xx.vbsC:\Windows\System32\cmd.execscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3896cscript C:\Users\admin\AppData\Local\Temp\xx.vbsC:\Windows\system32\cscript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2608C:\ProgramData\chrme.exeC:\ProgramData\chrme.exe
cscript.exe
User:
admin
Integrity Level:
MEDIUM
Description:
gbBJP
Exit code:
0
Version:
2.1.1.1
2612C:\Windows\System32\wscript.exe C:\programdata\asc.txt:script1.vbsC:\Windows\System32\wscript.exe
EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3440"C:\ProgramData\chrme.exe"C:\ProgramData\chrme.exe
chrme.exe
User:
admin
Integrity Level:
MEDIUM
Description:
gbBJP
Version:
2.1.1.1
Total events
903
Read events
792
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
1
Text files
8
Unknown types
5

Dropped files

PID
Process
Filename
Type
3956EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR79CC.tmp.cvr
MD5:
SHA256:
3440chrme.exeC:\Users\admin\AppData\Roaming\km2yt1pa.cis\Chrome\Default\Cookies
MD5:
SHA256:
3440chrme.exeC:\Users\admin\AppData\Roaming\km2yt1pa.cis\Firefox\Profiles\qldyz51w.default\cookies.sqlite
MD5:
SHA256:
3896cscript.exeC:\ProgramData\chrme.exeexecutable
MD5:C3166A86DBF5B6A95FC723EF639DAD45
SHA256:F8180E33F1554DAA206C767B6D7FFA8C9F14E4197E382453544A3D1337E63DFC
3956EXCEL.EXEC:\Users\admin\AppData\Local\Temp\yytext
MD5:88E35A0C2E1489E43867990CC0FB5B1D
SHA256:3CB3928A0135B0D56148E86CF42CBD5ECE60ECC4CA21E1054AEA68CB50606A34
3956EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\1f2136e35f3645f347afd140e9783a6654646d16.xlsm.LNKlnk
MD5:49449CD4226A272A0A7BE228DFDE31CA
SHA256:58B3A55F114C8E4E9B8E68F09F83E9CF2F388E9BAB369598E9043DC8A28C2FBE
2616cscript.exeC:\Users\admin\AppData\Local\Temp\xx.vbstext
MD5:595AB65A19228981D6ECC0D5D96FD2D4
SHA256:DD6EF5D2D3B2BD105F318B29781AB56AB15778A378675675CB810045AA85258B
3956EXCEL.EXEC:\Users\admin\AppData\Local\Temp\xxtext
MD5:595AB65A19228981D6ECC0D5D96FD2D4
SHA256:DD6EF5D2D3B2BD105F318B29781AB56AB15778A378675675CB810045AA85258B
3956EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\32AF1D26.emfemf
MD5:B59DD20DE3FDC50CD6B3C4BAF9C12DE8
SHA256:979DDE2AED02F077C16AE53546C6DF9EED40E8386D6DB6FC36AEE9F966D2CB82
3956EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:5C3B12AC3D67F4E3F31F2253395DA7CC
SHA256:FAB7A543227183E3BF791694F54A510BAC04D149275E72EF73548E03BD371EDB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
4
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2612
wscript.exe
GET
200
5.189.132.254:80
http://5.189.132.254/StmAX.exe
DE
executable
428 Kb
suspicious
3896
cscript.exe
GET
200
5.189.132.254:80
http://5.189.132.254/StmAX.exe
DE
executable
428 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2612
wscript.exe
5.189.132.254:80
Contabo GmbH
DE
suspicious
3896
cscript.exe
5.189.132.254:80
Contabo GmbH
DE
suspicious
3440
chrme.exe
162.241.27.33:587
mail.platinships.net
CyrusOne LLC
US
malicious

DNS requests

Domain
IP
Reputation
mail.platinships.net
  • 162.241.27.33
unknown

Threats

PID
Process
Class
Message
3896
cscript.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
2612
wscript.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
1f2136e35f3645f347afd140e9783a6654646d16