analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ddfc62c7072e50dea9c28025188af28ebb36b82d44229d57d99afc01b268e784

Full analysis: https://app.any.run/tasks/c87a028c-4bd2-4efb-a59d-39ff31c6e0e0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 14, 2018, 14:27:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
exploit
CVE-2017-11882
loader
trojan
lokibot
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B2E3760F36151E91E7A12747F076EE82

SHA1:

C1187264A8541BA74D1DD5EC8ABFDB05FCF9EED6

SHA256:

DDFC62C7072E50DEA9C28025188AF28EBB36B82D44229D57D99AFC01B268E784

SSDEEP:

49152:5j4/5+RZLg45vmF8kjgsskkPABTBeM96dRvBl2A3Yu:5MB+RILjgs2PAtkjvBuu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3564)
    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3564)
    • Application was dropped or rewritten from another process

      • wcsmrg.exe (PID: 2556)
      • wcsmrg.exe (PID: 4036)
    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3564)
    • Detected artifacts of LokiBot

      • wcsmrg.exe (PID: 4036)
    • Actions looks like stealing of personal data

      • wcsmrg.exe (PID: 4036)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3564)
      • wcsmrg.exe (PID: 4036)
    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3564)
      • wcsmrg.exe (PID: 4036)
    • Application launched itself

      • wcsmrg.exe (PID: 2556)
    • Loads DLL from Mozilla Firefox

      • wcsmrg.exe (PID: 4036)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2018:12:07 05:32:18
ZipCRC: 0xa04357e7
ZipCompressedSize: 1309
ZipUncompressedSize: 6578
ZipFileName: xl/worksheets/sheet1.xml

XML

DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 6
TitlesOfParts:
  • Title page
  • BAS+Surcharges
  • Change Log
  • General Disclaimer
  • Terms And Conditions
  • Abbreviation
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
LastModifiedBy: SERVER
CreateDate: 2018:12:04 15:57:29Z
ModifyDate: 2018:12:04 15:57:29Z

XMP

Creator: SERVER
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start excel.exe no specs eqnedt32.exe wcsmrg.exe no specs #LOKIBOT wcsmrg.exe

Process information

PID
CMD
Path
Indicators
Parent process
3512"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3564"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2556C:\Users\admin\AppData\Roaming\wcsmrg.exeC:\Users\admin\AppData\Roaming\wcsmrg.exeEQNEDT32.EXE
User:
admin
Company:
fieldsmen
Integrity Level:
MEDIUM
Description:
ACCUSINGLY3
Exit code:
0
Version:
7.07.0003
4036:\Users\admin\AppData\Roaming\wcsmrg.exeC:\Users\admin\AppData\Roaming\wcsmrg.exe
wcsmrg.exe
User:
admin
Company:
fieldsmen
Integrity Level:
MEDIUM
Description:
ACCUSINGLY3
Version:
7.07.0003
Total events
569
Read events
542
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
1
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
3512EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR8B9C.tmp.cvr
MD5:
SHA256:
4036wcsmrg.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
MD5:
SHA256:
2556wcsmrg.exeC:\Users\admin\AppData\Local\Temp\~DF4C6A1106F03F400A.TMPbinary
MD5:D5FC54495CF587DFAD8DA638849C348A
SHA256:483DE8AFA3C5792005F938202E500706793CF544055496D63922D9FA6DCEA07F
4036wcsmrg.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.exeexecutable
MD5:05A939FA13FF267E987AF394BC6BC923
SHA256:E547B321070FFDA045BE6923B61D4F8B6A614CE638E5F1EC058FD46E423933DD
3564EQNEDT32.EXEC:\Users\admin\AppData\Roaming\wcsmrg.exeexecutable
MD5:05A939FA13FF267E987AF394BC6BC923
SHA256:E547B321070FFDA045BE6923B61D4F8B6A614CE638E5F1EC058FD46E423933DD
4036wcsmrg.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2fdbf
MD5:18B8CFC0185C50383AAC0A4F30A9DAC8
SHA256:913E8CED6A447FE791954D382ABA52D490513C5D2F689B391866C7E561F89A03
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3564
EQNEDT32.EXE
GET
200
84.234.96.176:80
http://web.classica-il.cf/070.exe
UA
executable
965 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3564
EQNEDT32.EXE
84.234.96.176:80
web.classica-il.cf
UA
suspicious

DNS requests

Domain
IP
Reputation
web.classica-il.cf
  • 84.234.96.176
suspicious
web.asebasia.com
unknown

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .cf Domain
3564
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3564
EQNEDT32.EXE
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
No debug info