File name: 1c6496d96e1f0d0de39bdcb976a729e75c652869adb9fc3d0679895b94160280.xls

Full analysis: https://app.any.run/tasks/1058ad60-c169-4f39-8664-873c827ac7f9
Verdict: Malicious activity
Analysis date: August 08, 2020, 10:15:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: epgJklhO, Last Saved By: Administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Aug 5 10:52:25 2020, Last Saved Time/Date: Wed Aug 5 10:52:40 2020, Security: 0
MD5: 6CC6B83C88A3F7D289C4AD7785240497
SHA1: 9464B675361F72FC0F5FE71C17A981501F63C0EC
SHA256: 1C6496D96E1F0D0DE39BDCB976A729E75C652869ADB9FC3D0679895B94160280
SSDEEP: 6144:2k3hbdlylKsgqopeJBWhZFVE+W2NdAF7bPautwpBIp/lqkC1y12hU:svPalr+weIm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 2892)
  • SUSPICIOUS
    • Executes scripts
      • explorer.exe (PID: 3684)
    • Executed via COM
      • explorer.exe (PID: 3684)
  • INFO
    • Creates files in the user directory
      • EXCEL.EXE (PID: 2892)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 2892)
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: epgJklhO
LastModifiedBy: Administrator
Software: Microsoft Excel
CreateDate: 2020:08:05 09:52:25
ModifyDate: 2020:08:05 09:52:40
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Sheet1
  • zLsi
HeadingPairs:
  • Worksheets
  • 1
  • Worksheets
  • 1
No data.
Total processes
42
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes in graph: excel.exe, explorer.exe, explorer.exe, wscript.exe

Process information

PID: 2892
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID: 880
CMD: explorer.exe C:\Users\admin\AppData\Local\Temp\GG9.vbs
Path: C:\Windows\explorer.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3684
CMD: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2952
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\GG9.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Total events
574
Read events
511
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
4
Unknown types
2

Dropped files

PID: 2892  Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR360F.tmp.cvr
MD5:
SHA256:

PID: 2892  Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~DFDB4C1ABABBC1A4D6.TMP
MD5:
SHA256:

PID: 2892  Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\1c6496d96e1f0d0de39bdcb976a729e75c652869adb9fc3d0679895b94160280.xls.LNK
Type: lnk
MD5: 38FEA542B96BE15F273446F782EE9ABD
SHA256: F6227772DF81F82277A9E28E4AD1C8727FE9599D5B82BD917F63919E7059D9C7

PID: 2892  Process: EXCEL.EXE
Filename: C:\Users\admin\Desktop\1c6496d96e1f0d0de39bdcb976a729e75c652869adb9fc3d0679895b94160280.xls
Type: document
MD5: 3ED6FAEBFC3D55E9E7075BB97021D4F8
SHA256: 523868641EBE7B7FE1C37DEADF69A6074E1BB8078DB5028ECD56EE9A976A62BC

PID: 2892  Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\GG9.vbs
Type: text
MD5: 1CC240C1DBBD2776223CAA725A865D12
SHA256: 52F2BFB2129072154FBDB9949EB84B4E0916721FB3E6D48E97E2F347C6723D4A

PID: 2892  Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5: 8D304869418B8D3E353C26F3031B48F7
SHA256: 9C871E048402F4B8DAC892AD33101EA2D5DC4CEED824F037C29538A748290F27

PID: 2952  Process: WScript.exe
Filename: C:\Users\admin\AppData\Local\Temp\tu5k7ZU.txt
Type: text
MD5: A5EA0AD9260B1550A14CC58D2C39B03D
SHA256: F1B2F662800122BED0FF255693DF89C4487FBDCF453D3524A42D4EC20C3D9C04
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info