File name: 1c6496d96e1f0d0de39bdcb976a729e75c652869adb9fc3d0679895b94160280.xls
Full analysis: https://app.any.run/tasks/15f673fc-0238-4b81-bf17-7a6412237649
Verdict: Malicious activity
Analysis date: August 08, 2020, 10:13:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: epgJklhO, Last Saved By: Administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Aug 5 10:52:25 2020, Last Saved Time/Date: Wed Aug 5 10:52:40 2020, Security: 0
MD5: 6CC6B83C88A3F7D289C4AD7785240497
SHA1: 9464B675361F72FC0F5FE71C17A981501F63C0EC
SHA256: 1C6496D96E1F0D0DE39BDCB976A729E75C652869ADB9FC3D0679895B94160280
SSDEEP: 6144:2k3hbdlylKsgqopeJBWhZFVE+W2NdAF7bPautwpBIp/lqkC1y12hU:svPalr+weIm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 2704)
  • SUSPICIOUS
    • Executes scripts
      • explorer.exe (PID: 3476)
    • Executed via COM
      • explorer.exe (PID: 3476)
  • INFO
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 2704)
    • Creates files in the user directory
      • EXCEL.EXE (PID: 2704)
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

HeadingPairs: Worksheets, 1, Worksheets, 1
TitleOfParts: Sheet1, zLsi
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
ModifyDate: 2020:08:05 09:52:40
CreateDate: 2020:08:05 09:52:25
Software: Microsoft Excel
LastModifiedBy: Administrator
Author: epgJklhO
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Graph image not included; process nodes shown: start, excel.exe, explorer.exe, explorer.exe, wscript.exe, each marked "no specs". Parent/child relationships are given in the process information below.)

Process information

PID: 2704
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID: 1332
CMD: explorer.exe C:\Users\admin\AppData\Local\Temp\GG9.vbs
Path: C:\Windows\explorer.exe
Indicators: (none listed)
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3476
CMD: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Indicators: (none listed)
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2164
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\GG9.vbs"
Path: C:\Windows\System32\WScript.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Total events: 569
Read events: 507
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 1
Text files: 4
Unknown types: 2

Dropped files

PID: 2704
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRBD36.tmp.cvr
Type: (none listed)
MD5: (none listed)
SHA256: (none listed)

PID: 2704
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~DF7AD9F31AB8CBF6E9.TMP
Type: (none listed)
MD5: (none listed)
SHA256: (none listed)

PID: 2704
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\1c6496d96e1f0d0de39bdcb976a729e75c652869adb9fc3d0679895b94160280.xls.LNK
Type: lnk
MD5: CA00919E80BE9CA840393EB450DD61F2
SHA256: 5B68CCE4972658658285CD5539CB34E2F3CF7AF19EB80632A6342BDB926B4CA3

PID: 2704
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5: 8D304869418B8D3E353C26F3031B48F7
SHA256: 9C871E048402F4B8DAC892AD33101EA2D5DC4CEED824F037C29538A748290F27

PID: 2704
Process: EXCEL.EXE
Filename: C:\Users\admin\Desktop\1c6496d96e1f0d0de39bdcb976a729e75c652869adb9fc3d0679895b94160280.xls
Type: document
MD5: 9166FC266785680C5362F69381993A90
SHA256: 362431C081F07612705644A86B779F1CBB4610B1F5CCA170E2BBF51D84386AEF

PID: 2704
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\GG9.vbs
Type: text
MD5: 1CC240C1DBBD2776223CAA725A865D12
SHA256: 52F2BFB2129072154FBDB9949EB84B4E0916721FB3E6D48E97E2F347C6723D4A

PID: 2164
Process: WScript.exe
Filename: C:\Users\admin\AppData\Local\Temp\tu5k7ZU.txt
Type: text
MD5: A5EA0AD9260B1550A14CC58D2C39B03D
SHA256: F1B2F662800122BED0FF255693DF89C4487FBDCF453D3524A42D4EC20C3D9C04
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info