File name: | 10f84ba880df6c24d83e7ca94d7414f05b5876a87c91fa92a9eba487c8334346.xls |
Full analysis: | https://app.any.run/tasks/359013bf-a19a-4570-a791-54014878db74 |
Verdict: | Malicious activity |
Analysis date: | April 25, 2019, 01:44:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: 1, Last Saved By: 1, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Nov 23 07:00:21 2015, Last Saved Time/Date: Mon Nov 23 07:03:37 2015, Security: 0 |
MD5: | DD6CA142058EF4E29DB9BF6FD7516B38 |
SHA1: | BFA21078FFA76306AB71D13AE0BFFC7B84DAEFFC |
SHA256: | 10F84BA880DF6C24D83E7CA94D7414F05B5876A87C91FA92A9EBA487C8334346 |
SSDEEP: | 1536:PU8iZyvcWDdaYhvQPOnxycxH0GDli4q7uDphYHceXVhca+fMHLtyeGxcl8/dgqxk:PU8iZyvcWDdaYhvAOnxycxH0GDli4q7c |
Extension | Identification
---|---
.xls | Microsoft Excel sheet (78.9)
Field | Value
---|---
Author | 1
LastModifiedBy | 1
Software | Microsoft Excel
CreateDate | 2015:11:23 07:00:21
ModifyDate | 2015:11:23 07:03:37
Security | None
CodePage | Windows Cyrillic
Company | Home
AppVersion | 14
ScaleCrop | No
LinksUpToDate | No
SharedDoc | No
HyperlinksChanged | No
TitleOfParts | (empty)
HeadingPairs | (empty)
CompObjUserTypeLen | 26
CompObjUserType | ???? Microsoft Excel 2003 (the four leading characters are non-ASCII and were lost in extraction; the document's code page is Windows-1251 Cyrillic)
PID | CMD | Path | Indicators | Parent process | User | Integrity level | Company / Description / Version
---|---|---|---|---|---|---|---
2812 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | admin | MEDIUM | Microsoft Corporation / Microsoft Excel / 14.0.6024.1000
3608 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | EXCEL.EXE | admin | MEDIUM | Microsoft Corporation / NTVDM.EXE / 6.1.7600.16385 (win7_rtm.090713-1255)

EXCEL.EXE (PID 2812) is the parent of ntvdm.exe (PID 3608). ntvdm.exe hosts 16-bit programs and exists only on 32-bit Windows, which matches the 32-bit Windows 7 sandbox used here; an Office process launching it indicates that document content (typically a macro) executed a 16-bit binary.
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2812 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRFCA8.tmp.cvr | — | — | —
3608 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs504.tmp | — | — | —
3608 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs515.tmp | — | — | —
2812 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\fracmo.exe | html | D99684D2C2621969A691744993D06285 | 711733389F2F433185EA04D3AF3569BE64677DD4962FF8888A1333915FBB77B5

Although fracmo.exe was written with an .exe extension, its content is typed html. This is consistent with the HTTP request below, where the GET for the .exe returned 404 with a 1.28 KB HTML body: the second-stage download did not succeed in this run, and the MD5/SHA256 above belong to the saved error page rather than to a payload. Do not treat them as payload indicators.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
2812 | EXCEL.EXE | GET | 404 | 194.242.61.74:80 | http://kunie.it/u654g/76j5h4g.exe | IT | html | 1.28 KB | malicious
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2812 | EXCEL.EXE | 194.242.61.74:80 | kunie.it | genesys informatica srl | IT | malicious |
Domain | IP | Reputation
---|---|---
kunie.it | — | malicious
PID | Process | Class | Message |
---|---|---|---|
2812 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 |
2812 | EXCEL.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL |
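The two detection checks that follow are an added example, not part of the ANY.RUN report or any ANY.RUN code. They encode what the process table and file table above show: an Office process (EXCEL.EXE, PID 2812) spawning ntvdm.exe (PID 3608), and a dropped file named .exe whose content is actually HTML. The ProcEvent record shape, the process-creation records, the minimal PE stub and the HTML 404 body are all constructed for the example; only the image names, PIDs, paths and command lines are taken from the report, and the HTML body is a stand-in, not the bytes captured in the sandbox.

```python
"""Added example: process-lineage and dropped-file checks derived from the report."""
import ntpath
from dataclasses import dataclass

# Office applications whose children are worth scrutinising, and child images
# that commonly indicate macro-driven execution (ntvdm.exe hosts 16-bit code
# and exists only on 32-bit Windows, as in this 32-bit Windows 7 sandbox).
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILD_IMAGES = {"ntvdm.exe", "cmd.exe", "powershell.exe",
                           "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record; this shape is the example's own, not ANY.RUN's."""
    pid: int
    parent_image: str
    image: str
    cmdline: str


# Constructed from the report's process table (parent path for explorer.exe assumed).
REPORT_EVENTS = [
    ProcEvent(2812, r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'),
    ProcEvent(3608, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r"C:\Windows\system32\ntvdm.exe",
              r'"C:\Windows\system32\ntvdm.exe" -i1'),
]


def _image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def suspicious_office_children(events):
    """Return (parent_image, child_image, child_pid) for each event in which an
    Office application spawned one of SUSPICIOUS_CHILD_IMAGES."""
    hits = []
    for ev in events:
        parent, child = _image_name(ev.parent_image), _image_name(ev.image)
        if parent in OFFICE_IMAGES and child in SUSPICIOUS_CHILD_IMAGES:
            hits.append((parent, child, ev.pid))
    return hits


def looks_like_pe(data: bytes) -> bool:
    """True if data has an 'MZ' DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def looks_like_html(data: bytes) -> bool:
    head = data.lstrip()[:64].lower()
    return head.startswith((b"<!doctype html", b"<html"))


def classify_dropped_file(name: str, data: bytes) -> dict:
    """Classify a dropped file by content and flag an .exe whose content is not a PE,
    which is exactly the fracmo.exe case in the report (a saved HTTP 404 page)."""
    if looks_like_pe(data):
        kind = "pe"
    elif looks_like_html(data):
        kind = "html"
    else:
        kind = "unknown"
    ext = ntpath.splitext(name)[1].lower()
    return {"name": ntpath.basename(name), "kind": kind,
            "mismatch": ext == ".exe" and kind != "pe"}


def minimal_pe_stub() -> bytes:
    """Constructed stand-in: the smallest byte string looks_like_pe() accepts."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


# Constructed stand-in for the HTML error body written to fracmo.exe.
HTML_404_BODY = (b"<html>\r\n<head><title>404 Not Found</title></head>\r\n"
                 b"<body><h1>Not Found</h1></body></html>\r\n")


if __name__ == "__main__":
    for parent, child, pid in suspicious_office_children(REPORT_EVENTS):
        print(f"ALERT: {parent} spawned {child} (pid {pid})")
    print(classify_dropped_file(r"C:\Users\admin\AppData\Local\Temp\fracmo.exe", HTML_404_BODY))
    print(classify_dropped_file("payload.exe", minimal_pe_stub()))
```

Run against the report's own process tree, the lineage check fires once, for excel.exe spawning ntvdm.exe (PID 3608), and the file check reports fracmo.exe as html with an extension/content mismatch, which is the cue to look for the failed download (the 404 above) rather than to submit the hash as a payload indicator.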