analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

0b12837c3a4bf8c5732b90d414678c404ed07dc2512d372ab7ee4f931563ba6b_RegAlytics US Alerts 08_12_2019.xlsm

Full analysis: https://app.any.run/tasks/eb24b0b7-03f2-4578-83cd-1ddf72a37328
Verdict: Malicious activity
Analysis date: September 19, 2019, 07:39:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

AC3273094FA59EB294277377290C0EAF

SHA1:

07DCE425174213B3CAA2B6A9BDE463635DE610B6

SHA256:

0B12837C3A4BF8C5732B90D414678C404ED07DC2512D372AB7EE4F931563BA6B

SSDEEP:

12288:5JUYW3iT08A90wmRwTjpnW2oP0uCX0wmXZ0Y+TybSrb2J1tTEtFy28IOMnrAa:5JUHST0B0G02JX0PHhSryXaTy28IH/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3404)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 3404)

    • Starts Internet Explorer

      • EXCEL.EXE (PID: 3404)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3404)

    • Reads settings of System Certificates

      • EXCEL.EXE (PID: 3404)

    • Changes internet zones settings

      • iexplore.exe (PID: 2208)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2540)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlam | Excel Macro-enabled Open XML add-in (42.4)
.xlsm | Excel Microsoft Office Open XML Format document (with Macro) (29.2)
.xlsx | Excel Microsoft Office Open XML Format document (17.3)
.zip | Open Packaging Conventions container (8.9)
.zip | ZIP compressed archive (2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x8ed66ef2
ZipCompressedSize: 773
ZipUncompressedSize: 6132
ZipFileName: [Content_Types].xml

XML

Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 5
TitlesOfParts:
  • SUMMARY
  • ANNOUNCEMENTS
  • Sheet1
  • RULES
  • REFERENCE
Company: -
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16.03
ContentTypeId: 0x01010024C6F575BF4091408DC5EB114803473D
LastModifiedBy: Mary Kopczynski
CreateDate: 2019:03:26 13:00:36Z
ModifyDate: 2019:08:10 16:39:07Z

XMP

Creator: Werner Pauliks
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3404"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2208"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2540"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2208 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
1 069
Read events
921
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
27
Unknown types
7

Dropped files

PID
Process
Filename
Type
3404EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR9B0C.tmp.cvr
MD5:
SHA256:
3404EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\2019[1].htm
MD5:
SHA256:
2208iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
2208iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2540iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XO9WE237\grunticon.loader[1].jstext
MD5:0302E863093F0758A307717ED1C4CA86
SHA256:6631161894E332FEB3B4ABF5AE42C455C3E46E1F039B37BDAE761D62D3301933
2540iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:483F5EFB217BB8CC0716BEA729CFE139
SHA256:4DBDA326DCF687F28EE200B4921682CB946111CE30CC0B3CB0BA10591736833A
2540iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XO9WE237\bootstrap[1].csstext
MD5:D6F065464A2F03557C032F3747746DCA
SHA256:4C826250CB147CE823F34BFBA4B22A0EF6A79B6137905E77B61209D3363D06AD
2208iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].pngimage
MD5:9FB559A691078558E77D6848202F6541
SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
3404EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AB46DB02.emfemf
MD5:CE8AB7472DC28F488DEED3CE11881F0E
SHA256:ACFC6BF91C1C1B1C337FA36EF4EABCD0A37EC7679010CE9451A6D864DCD57CF0
2540iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O83AEERJ\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
9
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2208
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2208
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3404
EXCEL.EXE
132.200.148.151:443
www.federalreserve.gov
Federal Reserve Board
US
unknown
2540
iexplore.exe
132.200.148.151:443
www.federalreserve.gov
Federal Reserve Board
US
unknown
2540
iexplore.exe
216.58.207.78:443
www.google-analytics.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.federalreserve.gov
  • 132.200.148.151
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.google-analytics.com
  • 216.58.207.78
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
0b12837c3a4bf8c5732b90d414678c404ed07dc2512d372ab7ee4f931563ba6b_RegAlytics US Alerts 08_12_2019.xlsm