File name: | 0e038a0aaa741c48ff5872c950e66bc0c6333597d992c162fb3214e7cf8e06cd.xls |
Full analysis: | https://app.any.run/tasks/e1da5f60-86a4-49f2-a6ed-8f1e35360bc8 |
Verdict: | Malicious activity |
Analysis date: | March 22, 2019, 06:39:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 936, Create Time/Date: Wed Oct 31 08:57:54 2018, Last Saved Time/Date: Wed Nov 14 12:43:31 2018, Security: 0 |
MD5: | DFCC00BA2F012F501CCEA72AE37B733A |
SHA1: | 2763D7ACA0A4393751FCB9B75F0813D6F8AB9DB4 |
SHA256: | 0E038A0AAA741C48FF5872C950E66BC0C6333597D992C162FB3214E7CF8E06CD |
SSDEEP: | 3072:7Zl6Nc7yRzs1H75wkZUgsCq6NqTBun5orTNe2uavKh5ig4A6KctOYEK3gZF6eRjz:9l6Nc7yRzs1H75wkZUgsCq6NqTBun5oo |
Extension | Description
---|---
.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)
Property | Value
---|---
CompObjUserType: | Microsoft Office Excel 2003 ??????
CompObjUserTypeLen: | 35
HeadingPairs: |
TitleOfParts: |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 12 |
CodePage: | Windows Simplified Chinese (PRC, Singapore) |
Security: | None |
ModifyDate: | 2018:11:14 12:43:31 |
CreateDate: | 2018:10:31 08:57:54 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2960 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2156 | wscript.exe //B "C:\Users\admin\AppData\Local\Temp\rknrl.vbs" | C:\Windows\system32\wscript.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
1172 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Local\Temp\winstart.vbs" | C:\Windows\System32\wscript.exe | — | wscript.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
2336 | "C:\Windows\System32\taskkill.exe" /f /im miner.exe | C:\Windows\System32\taskkill.exe | — | wscript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2504 | "C:\Windows\System32\taskkill.exe" /f /im myminer.exe | C:\Windows\System32\taskkill.exe | — | wscript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2668 | "C:\Windows\System32\taskkill.exe" /f /im myminera.exe | C:\Windows\System32\taskkill.exe | — | wscript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2996 | "C:\Windows\System32\taskkill.exe" /f /im myminern.exe | C:\Windows\System32\taskkill.exe | — | wscript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3280 | "C:\Windows\System32\cmd.exe" /c del winstart\miner.exe /s /q | C:\Windows\System32\cmd.exe | — | wscript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3592 | "C:\Windows\System32\cmd.exe" /c del C:\Users\admin\AppData\Local\Temp\winstart\miner.exe /s /q | C:\Windows\System32\cmd.exe | — | wscript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
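The process table above is the part of this report a detection engineer can act on: EXCEL.EXE launches wscript.exe in batch mode (`//B` suppresses script errors and dialogs) on a .vbs dropped in %TEMP%, that script launches a second one (winstart.vbs), and the script host then runs taskkill and `cmd /c del` against rival miner binaries (exit code 128 from taskkill means the named process was not found, so none of those miners was running in the sandbox). Two caveats: the `/dde` argument on EXCEL.EXE is simply the Explorer "Open" verb registered for .xls on Office 2010, not evidence of DDE abuse, and the report names only "wscript.exe" as the parent of the taskkill/cmd children, not which of the two wscript PIDs. The script below is an added example, not part of the ANY.RUN report: it encodes the chain as process-creation events constructed from the table (the `pid`/`ppid`/`image`/`cmdline` schema, the explorer.exe PID 1000 and the choice of PID 1172 as parent of the cleanup commands are assumptions) and runs two rules over them that map directly onto the Image, ParentImage and CommandLine fields of Sysmon Event ID 1 or Security 4688.

```python
"""Detection rules for the Office -> script host -> miner-cleanup chain.
Added example; the events are constructed from the report's process table,
not captured from a live system."""
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script file under %LOCALAPPDATA%\Temp with a WSH-executable extension.
TEMP_SCRIPT_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.(?:vbs|vbe|js|jse|wsf)\b", re.I)
# taskkill ... /im <name containing 'miner'>
KILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S*miner\S*)", re.I)
# del ... <path containing 'miner' ending in .exe>
DEL_RE = re.compile(r"\bdel\b.*?(\S*miner\S*\.exe)", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as Sysmon's Image field
    cmdline: str    # as Sysmon's CommandLine field

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


EXPLORER_PID = 1000  # assumed: the report names explorer.exe as parent but gives no PID
WSCRIPT = r"C:\Windows\System32\wscript.exe"
TASKKILL = r"C:\Windows\System32\taskkill.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed from the report's process table (PIDs and command lines are the report's).
EVENTS = [
    ProcEvent(EXPLORER_PID, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2960, EXPLORER_PID, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'),
    ProcEvent(2156, 2960, r"C:\Windows\system32\wscript.exe",
              r'wscript.exe //B "C:\Users\admin\AppData\Local\Temp\rknrl.vbs"'),
    ProcEvent(1172, 2156, WSCRIPT,
              r'"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Local\Temp\winstart.vbs"'),
    # Parent PID 1172 is assumed; the report only says "wscript.exe".
    ProcEvent(2336, 1172, TASKKILL, r'"C:\Windows\System32\taskkill.exe" /f /im miner.exe'),
    ProcEvent(2504, 1172, TASKKILL, r'"C:\Windows\System32\taskkill.exe" /f /im myminer.exe'),
    ProcEvent(2668, 1172, TASKKILL, r'"C:\Windows\System32\taskkill.exe" /f /im myminera.exe'),
    ProcEvent(2996, 1172, TASKKILL, r'"C:\Windows\System32\taskkill.exe" /f /im myminern.exe'),
    ProcEvent(3280, 1172, CMD, r'"C:\Windows\System32\cmd.exe" /c del winstart\miner.exe /s /q'),
    ProcEvent(3592, 1172, CMD,
              r'"C:\Windows\System32\cmd.exe" /c del C:\Users\admin\AppData\Local\Temp\winstart\miner.exe /s /q'),
]


def lineage(events, pid):
    """Image-name chain from the root ancestor down to pid, cycle-safe."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.name)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def detect(events):
    """Return (rule, pid, lineage) findings for the two behaviours in the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Rule 1: an Office application starts a script host, silently or on a %TEMP% script.
        if parent.name in OFFICE_IMAGES and e.name in SCRIPT_HOSTS:
            if TEMP_SCRIPT_RE.search(e.cmdline) or "//b" in e.cmdline.lower():
                findings.append(("office_spawns_temp_script", e.pid, " > ".join(lineage(events, e.pid))))
        # Rule 2: a script host kills or deletes something named like a miner.
        if parent.name in SCRIPT_HOSTS and (KILL_RE.search(e.cmdline) or DEL_RE.search(e.cmdline)):
            findings.append(("script_host_miner_cleanup", e.pid, " > ".join(lineage(events, e.pid))))
    return findings


if __name__ == "__main__":
    for rule, pid, chain in detect(EVENTS):
        print(f"{rule:28} pid={pid:<5} {chain}")
```

Rule 1 fires on PID 2156 only; the second wscript.exe (1172) is started by a script host, not by Office, so it is caught by lineage rather than by parent match, which is why the finding carries the full chain. Rule 2 fires on all four taskkill and both cmd.exe children. In production the `del` pattern should be anchored to a real cmd.exe image and the miner keyword list widened to the names your own telemetry shows.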
PID | Process | Filename | Type | |
---|---|---|---|---|
2960 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR66A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1172 | wscript.exe | C:\Users\admin\AppData\Local\Temp\rad75C46.tmp | — | |
MD5:— | SHA256:— | |||
1172 | wscript.exe | C:\Users\admin\AppData\Local\Temp\radB8E88.tmp | — | |
MD5:— | SHA256:— | |||
1172 | wscript.exe | C:\Users\admin\AppData\Local\Temp\radE20D5.tmp | — | |
MD5:— | SHA256:— | |||
1172 | wscript.exe | C:\Users\admin\AppData\Local\Temp\radB1136.tmp | — | |
MD5:— | SHA256:— | |||
1172 | wscript.exe | C:\Users\admin\AppData\Local\Temp\radF3192.tmp | — | |
MD5:— | SHA256:— | |||
2960 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF6E885999633DB483.TMP | — | |
MD5:— | SHA256:— | |||
2960 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF36B812450EAF9F1B.TMP | — | |
MD5:— | SHA256:— | |||
2156 | wscript.exe | C:\Users\admin\AppData\Local\Temp\DM6331.TMP | text | |
MD5:429016B9661B9EF7B319327806489BBC | SHA256:76131D39A6FB52B8EF8925AD014C943215F997964D599131FB7E4112D92BF6A7 | |||
1172 | wscript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\playback[1].php | text | |
MD5:34FD7DE69C0A85F357634103F5D68875 | SHA256:F55DA2CF00F106DC3792416EF6B2CEB3A4B505EF1B418AF4F3B65EC299775F41 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1172 | wscript.exe | GET | 200 | 172.96.191.100:80 | http://newtogo.airobotheworld.com/ctrl/playback.php | CA | text | 338 b | malicious |
1172 | wscript.exe | GET | 200 | 172.96.191.100:80 | http://newtogo.airobotheworld.com/ctrl/url.html | CA | text | 387 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1172 | wscript.exe | 151.101.0.133:443 | raw.githubusercontent.com | Fastly | US | malicious |
1172 | wscript.exe | 172.96.191.100:80 | newtogo.airobotheworld.com | — | CA | suspicious |
Domain | IP | Reputation |
---|---|---|
raw.githubusercontent.com | | shared
aigoingtokill.airobotheworld.com | | malicious
newtogo.airobotheworld.com | | malicious
PID | Process | Class | Message |
---|---|---|---|
1172 | wscript.exe | A Network Trojan was detected | MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan |
1172 | wscript.exe | A Network Trojan was detected | MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan |