File name: | Quotation.xlsx |
Full analysis: | https://app.any.run/tasks/baecc5ca-65a0-43ea-93b8-d885d6f7f777 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | July 17, 2019, 09:05:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | 03507B58DC5AE0AD0FF224EA997B1E2A |
SHA1: | E55E6B608A9E82173A5F324F91720B6FBC4F3E55 |
SHA256: | 1AEEFAA9E8682241E218999DBE8BFFF1FB98F9D9CD101810E0155D4EFD0E5354 |
SSDEEP: | 3072:UDVCAo9pw4BylwYPUwNGRks5JWhlTeQqMG:UQr3wGy+Ys5cfEMG |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3432 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3396 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3120 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | EQNEDT32.EXE |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2184 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | vbc.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
3876 | REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f | C:\Windows\system32\REG.exe | — | RegAsm.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3432 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD05F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2184 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\636989547985202500_61e47f7d-5b2e-4158-be8c-f207a78b35cb.db | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
3396 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable | |
MD5:274B7648377CF491C81D4789D201ECEE | SHA256:17AC3E76B5C9719D443B2D2923FE44740AD57DBED4CA0B837996B98915A87100 | |||
3396 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\qwertyjae[1].exe | executable | |
MD5:274B7648377CF491C81D4789D201ECEE | SHA256:17AC3E76B5C9719D443B2D2923FE44740AD57DBED4CA0B837996B98915A87100 | |||
2184 | RegAsm.exe | C:\Users\admin\AppData\Roaming\MyApp\MyApp.exe | executable | |
MD5:278EDBD499374BF73621F8C1F969D894 | SHA256:C6999B9F79932C3B4F1C461A69D9DC8DC301D6A155ABC33EFE1B6E9E4A038391 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3396 | EQNEDT32.EXE | GET | 200 | 23.249.164.162:80 | http://23.249.164.162/qwertyjae.exe | US | executable | 569 Kb | suspicious |
2184 | RegAsm.exe | GET | 200 | 18.211.215.84:80 | http://checkip.amazonaws.com/ | US | text | 16 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2184 | RegAsm.exe | 18.211.215.84:80 | checkip.amazonaws.com | — | US | shared |
3396 | EQNEDT32.EXE | 23.249.164.162:80 | — | ColoCrossing | US | suspicious |
— | — | 192.185.41.47:587 | mail.dormakeba.com | CyrusOne LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
checkip.amazonaws.com |
| shared |
mail.dormakeba.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3396 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3396 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
3396 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3396 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
3396 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
2184 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
— | — | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |