File name: tree-winter-xxx.xls
Full analysis: https://app.any.run/tasks/a9710565-d3fa-4900-8e1c-cf3428360b7d
Verdict: Malicious activity
Analysis date: March 22, 2019, 10:46:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: macros, macros-on-open, opendir
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5: C05ACCCC95337FDF877CA201519A0805
SHA1: 0E977C709F3FC8E8127648BDA9952FD32407E0E8
SHA256: 164D1BC7FD2809052F06B21699201A1F44A2DA1A61117D101D7C782E872F15F6
SSDEEP: 384:EtJBoNQITMchvCw1Lcu8eHTwf24IibG7KiXgS:3WIgL1uT+eqS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Unusual connect from Microsoft Office

      • EXCEL.EXE (PID: 2896)
      • EXCEL.EXE (PID: 2080)
    • Application launched itself

      • rundll32.exe (PID: 3068)
    • Uses RUNDLL32.EXE to load library

      • rundll32.exe (PID: 3068)
  • INFO

    • Reads the machine GUID from the registry

      • EXCEL.EXE (PID: 2896)
      • iexplore.exe (PID: 2720)
      • EXCEL.EXE (PID: 2080)
      • iexplore.exe (PID: 2940)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2720)
      • iexplore.exe (PID: 2940)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 2896)
      • IEXPLORE.EXE (PID: 648)
      • iexplore.exe (PID: 2720)
      • EXCEL.EXE (PID: 2080)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2896)
      • EXCEL.EXE (PID: 2080)
    • Changes internet zones settings

      • iexplore.exe (PID: 2720)
      • iexplore.exe (PID: 2940)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2720)
      • iexplore.exe (PID: 2940)
    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 648)
      • IEXPLORE.EXE (PID: 2064)
No Malware configuration.

TRiD

.xlam | Excel Macro-enabled Open XML add-in (42.4)
.xlsm | Excel Microsoft Office Open XML Format document (with Macro) (29.2)
.xlsx | Excel Microsoft Office Open XML Format document (17.3)
.zip | Open Packaging Conventions container (8.9)
.zip | ZIP compressed archive (2)

EXIF

XML

AppVersion: 15.03
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
Company: -
TitlesOfParts: Sheet1
HeadingPairs:
  • Worksheets
  • 1
ScaleCrop: No
DocSecurity: None
Application: Microsoft Excel
ModifyDate: 2018:08:24 04:52:55Z
CreateDate: 2018:08:24 04:24:05Z
LastModifiedBy: Ganesh Sunkari

XMP

Creator: Ganesh Sunkari

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1354
ZipCompressedSize: 406
ZipCRC: 0x65c41be9
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
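The static section above shows the pattern a triage script should catch: the sample is named .xls, but its MIME type and the TRiD guesses (.xlam / .xlsm / .xlsx / OPC zip) all say it is an OOXML zip package, and the tags say it carries macros that run on open. The following is an added example (it is not part of the ANY.RUN report and not ANY.RUN tooling) that classifies an Office file by its container bytes instead of its name, looks for a VBA project in both the legacy CFBF and the OOXML layout, and flags a name/content mismatch. It builds its own minimal packages in memory as constructed test data; the analyzed sample itself is not embedded. The OLE2 check is a byte-pattern heuristic, labelled as such; a real parse needs olefile/oletools.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (CFBF) header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML is an OPC zip package
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# Extensions whose container should be a zip (OOXML) vs. the legacy binary format.
OOXML_EXTENSIONS = {"xlsx", "xlsm", "xlam", "xltx", "xltm", "docx", "docm", "dotm", "pptx", "pptm"}
LEGACY_EXTENSIONS = {"xls", "xla", "xlt", "doc", "dot", "ppt", "pot"}
# OOXML extensions that are not supposed to carry a VBA project at all.
MACRO_FREE_EXTENSIONS = {"xlsx", "xltx", "docx", "pptx"}


def triage_office(data: bytes, filename: str) -> dict:
    """Classify an Office file by its bytes rather than its name.

    Returns the detected container ("ole2", "ooxml" or "unknown"), whether a VBA
    project is present, the declared main content type (OOXML only) and whether
    the filename extension disagrees with what the bytes actually are.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {"extension": ext, "container": "unknown", "has_vba": False,
              "main_content_type": None, "extension_mismatch": False}

    if data.startswith(OLE2_MAGIC):
        result["container"] = "ole2"
        # CFBF directory entry names are UTF-16LE; a VBA project lives in a storage
        # named "_VBA_PROJECT". Cheap heuristic only; use olefile/oletools for a real parse.
        result["has_vba"] = "_VBA_PROJECT".encode("utf-16-le") in data
        result["extension_mismatch"] = ext in OOXML_EXTENSIONS
        return result

    if not data.startswith(ZIP_MAGIC):
        return result

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            ct_xml = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    except zipfile.BadZipFile:
        return result

    result["container"] = "ooxml"
    # Two independent signals for macros: the part itself and its declared content type.
    result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if ct_xml:
        root = ET.fromstring(ct_xml)
        for el in root.iter(CT_NS + "Override"):
            if el.get("PartName", "").lower() == "/xl/workbook.xml":
                result["main_content_type"] = el.get("ContentType")
        declared = {el.get("ContentType") for el in root.iter()}
        if VBA_CONTENT_TYPE in declared:
            result["has_vba"] = True

    # A zip container behind a legacy extension (this report's .xls) or a VBA
    # project behind a macro-free extension are both worth a second look.
    result["extension_mismatch"] = (ext in LEGACY_EXTENSIONS
                                    or (ext in MACRO_FREE_EXTENSIONS and result["has_vba"]))
    return result


def build_sample_package(with_macros: bool) -> bytes:
    """Build a minimal OOXML package in memory (constructed test data, not the sample)."""
    main_ct = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml" if with_macros
               else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    parts = [
        '<Default Extension="xml" ContentType="application/xml"/>',
        f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>',
    ]
    if with_macros:
        parts.append(f'<Default Extension="bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + "".join(parts) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    # Mirrors this report: a macro-enabled OOXML package delivered under a .xls name.
    print(triage_office(build_sample_package(True), "tree-winter-xxx.xls"))
```

Run it against a real file with triage_office(open(path, "rb").read(), path). The extension mismatch alone is not proof of malice (renaming .xlsm to .xls is a common way to get past naive attachment filters, which is exactly why it is worth flagging), but a zip container behind a legacy name plus a VBA project is the combination the macros / macros-on-open tags above describe.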
No data.
Total processes: 45
Monitored processes: 10
Malicious processes: 0
Suspicious processes: 0

Behavior graph (process chain as drawn in the report)

start -> excel.exe, iexplore.exe, iexplore.exe, COpenControlPanel (no specs), rundll32.exe (no specs), mctadmin.exe (no specs), rundll32.exe (no specs), excel.exe, iexplore.exe, iexplore.exe

Process information

PID 2896
  CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Excel
  Exit code: 0
  Version: 14.0.4756.1000

PID 2720
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 1
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 648
  CMD: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:267521 /prefetch:2
  Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 1536
  CMD: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  Path: C:\Windows\SysWOW64\DllHost.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: COM Surrogate
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3068
  CMD: "C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\intl.cpl
  Path: C:\Windows\System32\rundll32.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2476
  CMD: C:\Windows\system32\mctadmin.exe
  Path: C:\Windows\system32\mctadmin.exe
  Parent process: rundll32.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: MCTAdmin
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2816
  CMD: "C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL input.dll
  Path: C:\Windows\system32\rundll32.exe
  Parent process: rundll32.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2080
  CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Excel
  Version: 14.0.4756.1000

PID 2940
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 2064
  CMD: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2940 CREDAT:267521 /prefetch:2
  Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

Note on the rundll32.exe entries: the chain rundll32.exe (PID 3068, loading intl.cpl via shell32!Control_RunDLL) -> mctadmin.exe (PID 2476) -> rundll32.exe (PID 2816, loading input.dll) is parented by explorer.exe, not by either EXCEL.EXE process, and intl.cpl is the Region and Language Control Panel applet. That is consistent with the applet being opened during the interactive session rather than with the sample, and it is what the "Application launched itself" and "Uses RUNDLL32.EXE to load library" signatures fired on. The sample's own observable activity is the EXCEL.EXE network connection and the file it wrote under C:\MyDownloads (see the HTTP requests and Dropped files sections).
Total events: 3 777
Read events: 2 737
Write events: 981
Delete events: 59

Modification events

(PID) Process: (2896) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation: write   Name: o2%
Value: 6F322500500B0000010000000000000000000000

(PID) Process: (2896) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write   Name: 1033
Value: Off

(PID) Process: (2896) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write   Name: 1033
Value: On

(PID) Process: (2896) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
Operation: write   Name: MTTT
Value: 500B00001E5B209A9CE0D40100000000

(PID) Process: (2896) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation: delete value   Name: o2%
Value: 6F322500500B0000010000000000000000000000

(PID) Process: (2896) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation: delete key

(PID) Process: (2896) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
Operation: delete key

(PID) Process: (2896) EXCEL.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation: write   Name: EXCELFiles
Value: 1316356119

(PID) Process: (2896) EXCEL.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation: write   Name: ProductFiles
Value: 1316356222

(PID) Process: (2896) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write   Name: ProxyBypass
Value: 1
Executable files: 0
Suspicious files: 9
Text files: 132
Unknown types: 7

Dropped files

PID  | Process      | Filename | Type
2896 | EXCEL.EXE    | C:\Users\admin\AppData\Local\Temp\CVRDE6F.tmp.cvr | -
2720 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[1].ico | -
2720 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | -
648  | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\qsml[1].htm | -
648  | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\qsml[1].htm | -
648  | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\qsml[1].htm | -
648  | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\qsml[1].htm | -
2896 | EXCEL.EXE    | C:\MyDownloads\tree-winter-xxx.JPG | html
       MD5: 31A7B653B31CA5F1111CDDCEFDF98DF5
       SHA256: 168C36AC3B9547A37CC85978F4F5492FCCC76D560436C4F312308C4C0E1F168A
2720 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\StructuredQuery.log | text
       MD5: 5243E273885857DDFC86D86A6B1B3ABE
       SHA256: 7090BB2A2DA3FE495B2E51A05BE2AA779E95C3F3B127D57542382DFB0279E1E0
648  | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\qsml[1].xml | xml
       MD5: 677CF9B2729929C8D9CD5C8B75397E48
       SHA256: EA41D9305E6592C42DDF988A4EB0D7A96612C2D5EA4309885F47C09F3F324973

The report lists a type and hashes only for the last three files; the other rows carry none.
HTTP(S) requests: 58
TCP/UDP connections: 95
DNS requests: 24
Threats: 0

HTTP requests

PID  | Process      | Method | HTTP Code | IP               | URL | CN | Type  | Size    | Reputation
648  | IEXPLORE.EXE | GET    | 200       | 104.18.58.110:80 | http://www.bigfoto.com/ | US | html  | 7.72 Kb | malicious
2896 | EXCEL.EXE    | GET    | 403       | 104.18.58.110:80 | http://www.bigfoto.com/sites/main/tree-winter-xxx.JPG | US | html  | 8.92 Kb | malicious
648  | IEXPLORE.EXE | GET    | 200       | 104.18.58.110:80 | http://www.bigfoto.com/1vorlage/images/head_left.jpg | US | image | 4.42 Kb | malicious
648  | IEXPLORE.EXE | GET    | 200       | 104.18.58.110:80 | http://www.bigfoto.com/tavern-sign_small.jpg | US | image | 3.70 Kb | malicious
648  | IEXPLORE.EXE | GET    | 200       | 104.18.58.110:80 | http://www.bigfoto.com/1vorlage/images/spacer.gif | US | image | 55 b    | malicious
648  | IEXPLORE.EXE | GET    | 200       | 104.18.58.110:80 | http://www.bigfoto.com/1vorlage/images/head_middle.jpg | US | image | 765 b   | malicious
648  | IEXPLORE.EXE | GET    | -         | 104.18.58.110:80 | http://www.bigfoto.com/1vorlage/images/head_right.jpg | US | -     | -       | malicious
648  | IEXPLORE.EXE | GET    | 200       | 104.18.58.110:80 | http://www.bigfoto.com/sites/main/aegeri-lake-switzerland_small.JPG | US | image | 2.26 Kb | malicious
648  | IEXPLORE.EXE | GET    | 200       | 104.18.58.110:80 | http://www.bigfoto.com/sites/main/churfirsten_switzerland_small.JPG | US | image | 2.58 Kb | malicious
648  | IEXPLORE.EXE | GET    | 200       | 104.18.58.110:80 | http://www.bigfoto.com/picture-photo-lake_small.jpg | US | image | 3.70 Kb | malicious
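The one request here that belongs to the sample rather than to the browser is EXCEL.EXE (PID 2896) fetching http://www.bigfoto.com/sites/main/tree-winter-xxx.JPG: the server answered 403 with an 8.92 Kb html body, and the dropped-files section records a file named tree-winter-xxx.JPG of type html under C:\MyDownloads. In other words, the macro saved whatever came back, and what came back was an error page, not an image. The following is an added example (not ANY.RUN code, not part of the report) of the three checks a detection or triage script can run over per-process HTTP telemetry to surface exactly that: an Office image making its own HTTP request, a non-200 answer to it, and a body type that does not match the extension requested. The SAMPLE_REQUESTS records are constructed from the rows above; the field names, the OFFICE_IMAGES and BINARY_EXTENSIONS sets and the finding tags are this example's own choices.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Office images that should not normally be fetching files over HTTP on their own.
# Membership of this set is an assumption of the example, not something the report states.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}
# Extensions for which an html body is a mismatch worth flagging.
BINARY_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp", "exe", "dll", "zip", "bin", "dat"}

# Constructed from three rows of this report's HTTP table (not a live capture).
SAMPLE_REQUESTS = [
    {"pid": 648, "process": "IEXPLORE.EXE", "method": "GET", "status": 200,
     "url": "http://www.bigfoto.com/", "type": "html"},
    {"pid": 2896, "process": "EXCEL.EXE", "method": "GET", "status": 403,
     "url": "http://www.bigfoto.com/sites/main/tree-winter-xxx.JPG", "type": "html"},
    {"pid": 648, "process": "IEXPLORE.EXE", "method": "GET", "status": 200,
     "url": "http://www.bigfoto.com/1vorlage/images/head_left.jpg", "type": "image"},
]


def url_extension(url: str) -> str:
    """Extension of the last path segment, lower-cased; '' when there is none."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def analyze_requests(requests):
    """Return findings as (pid, process, tag, url) tuples.

    Only Office images are examined; browser traffic to the same host is noise here.
    """
    findings = []
    for r in requests:
        if r["process"].lower() not in OFFICE_IMAGES:
            continue
        url = r["url"]
        # 1. Any HTTP request from an Office process is worth a look on its own.
        findings.append((r["pid"], r["process"], "office_http_request", url))
        # 2. A non-200 answer means the thing the macro wanted was not obtained.
        if r.get("status") != 200:
            findings.append((r["pid"], r["process"], "office_download_not_200", url))
        # 3. Asked for an image/binary, got html: the saved file is not what its name says.
        if url_extension(url) in BINARY_EXTENSIONS and r.get("type") == "html":
            findings.append((r["pid"], r["process"], "office_body_type_mismatch", url))
    return findings


def hosts_by_process(requests):
    """Map (pid, process) -> sorted list of hosts contacted, for a quick pivot."""
    out = defaultdict(set)
    for r in requests:
        out[(r["pid"], r["process"])].add(urlsplit(r["url"]).hostname)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for finding in analyze_requests(SAMPLE_REQUESTS):
        print(finding)
    print(hosts_by_process(SAMPLE_REQUESTS))
```

A practical caveat that follows from the third finding: because the download returned 403, the file hashed in the Dropped files section (MD5 31A7B653B31CA5F1111CDDCEFDF98DF5) is the server's error page, not the payload the macro was after, so that hash should not be treated as an indicator for the second-stage content, and the run does not show what the image URL would have delivered at the time the lure was live.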

Connections

PID  | Process      | IP                  | Domain                      | ASN | CN | Reputation
648  | IEXPLORE.EXE | 13.107.5.80:443     | api.bing.com                | Microsoft Corporation | US | whitelisted
2720 | iexplore.exe | 204.79.197.200:443  | www.bing.com                | Microsoft Corporation | US | whitelisted
2896 | EXCEL.EXE    | 104.18.58.110:80    | www.bigfoto.com             | Cloudflare Inc | US | shared
648  | IEXPLORE.EXE | 104.18.58.110:80    | www.bigfoto.com             | Cloudflare Inc | US | shared
2720 | iexplore.exe | 152.199.19.161:443  | iecvlist.microsoft.com      | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2720 | iexplore.exe | 2.23.11.11:443      | go.microsoft.com            | Telecom Italia | unknown (the source row carries only one value for the CN and Reputation columns)
2720 | iexplore.exe | 204.79.197.203:443  | www.msn.com                 | Microsoft Corporation | US | whitelisted
648  | IEXPLORE.EXE | 216.58.205.174:443  | www.youtube.com             | Google Inc. | US | whitelisted
648  | IEXPLORE.EXE | 216.58.205.34:443   | googleads.g.doubleclick.net | Google Inc. | US | suspicious
648  | IEXPLORE.EXE | 172.217.23.70:443   | static.doubleclick.net      | Google Inc. | US | unknown

DNS requests

Domain                      | IP             | Reputation
www.bigfoto.com             | 104.18.58.110  | malicious
www.bing.com                | 204.79.197.200 | whitelisted
api.bing.com                | 13.107.5.80    | whitelisted
iecvlist.microsoft.com      | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com    | 152.199.19.161 | whitelisted
ieonline.microsoft.com      | 204.79.197.200 | whitelisted
go.microsoft.com            | 2.23.11.11     | whitelisted
www.msn.com                 | 204.79.197.203 | whitelisted
query.prod.cms.msn.com      | 40.83.186.94   | whitelisted
www.googletagmanager.com    | 172.217.23.72  | whitelisted

Threats

No threats detected
No debug info