| File name: | 1df68d0e027011071f599dccca50e8a7be62aff17d2e49c7c1499fe084c9eed0.xls |
| Full analysis: | https://app.any.run/tasks/b292f085-98bf-4c24-b82d-0b54452d3bb1 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | May 24, 2019, 18:32:10 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.ms-excel |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri May 24 19:28:35 2019, Security: 0 |
| MD5: | 800088D19ACBD72BA7A6753F4033FD43 |
| SHA1: | 2054A0E833C45C6121819BA928E1453A9B3F8E9B |
| SHA256: | 1DF68D0E027011071F599DCCCA50E8A7BE62AFF17D2E49C7C1499FE084C9EED0 |
| SSDEEP: | 3072:ZgxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAZC9Xr8njUtc7lk31YspyOzcC8gIqTGo:ixEtjPOtioVjDGUU1qfDlavx+W2QnAZ2 |
MALICIOUS
Uses BITADMIN.EXE for downloading application
- EXCEL.EXE (PID: 252)
Unusual execution from Microsoft Office
- EXCEL.EXE (PID: 252)
Application was dropped or rewritten from another process
- filename.exe (PID: 3240)
- isasseme.exe (PID: 2924)
- isasseme.exe (PID: 1016)
Changes the autorun value in the registry
- isasseme.exe (PID: 2924)
SUSPICIOUS
Reads internet explorer settings
- EXCEL.EXE (PID: 252)
Starts CMD.EXE for commands execution
- filename.exe (PID: 3240)
- isasseme.exe (PID: 2924)
- netsh.exe (PID: 1828)
Executable content was dropped or overwritten
- cmd.exe (PID: 1892)
Application launched itself
- isasseme.exe (PID: 2924)
INFO
Reads Microsoft Office registry keys
- EXCEL.EXE (PID: 252)
Dropped object may contain Bitcoin addresses
- cmd.exe (PID: 1892)
Manual execution by user
- netsh.exe (PID: 1828)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xls | | | Microsoft Excel sheet (48) |
|---|---|---|
| .xls | | | Microsoft Excel sheet (alternate) (39.2) |
EXIF
FlashPix
| Author: | - |
|---|---|
| LastModifiedBy: | - |
| Software: | Microsoft Excel |
| CreateDate: | 2006:09:16 00:00:00 |
| ModifyDate: | 2019:05:24 18:28:35 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| Company: | - |
| AppVersion: | 15 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | Sheet1 |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 31 |
| CompObjUserType: | Microsoft Excel 2003 Worksheet |
Total processes
53
Monitored processes
13
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 252 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 1016 | "C:\Users\admin\AppData\Local\isasseme.exe" | C:\Users\admin\AppData\Local\isasseme.exe | — | isasseme.exe | |||||||||||
User: admin Company: ivupukisiqoxudajim Integrity Level: MEDIUM Description: evowihuw Exit code: 0 Version: 6.9.11.14 Modules
| |||||||||||||||
| 1828 | "C:\Windows\System32\netsh.exe" | C:\Windows\System32\netsh.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1892 | "C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\AppData\Local\Temp\\filename.exe" "C:\Users\admin\AppData\Local\isasseme.exe" | C:\Windows\System32\cmd.exe | filename.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1892 | /c del "C:\Users\admin\AppData\Local\isasseme.exe" | C:\Windows\System32\cmd.exe | — | netsh.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2128 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\Temp\\filename.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | filename.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2328 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\isasseme.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | isasseme.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2924 | "C:\Users\admin\AppData\Local\isasseme.exe" | C:\Users\admin\AppData\Local\isasseme.exe | cmd.exe | ||||||||||||
User: admin Company: ivupukisiqoxudajim Integrity Level: MEDIUM Description: evowihuw Exit code: 0 Version: 6.9.11.14 Modules
| |||||||||||||||
| 3076 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\Temp\\filename.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | filename.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3076 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\isasseme.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | isasseme.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
763
Read events
726
Write events
30
Delete events
7
Modification events
| (PID) Process: | (252) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
| Operation: | write | Name: | <{= |
Value: 3C7B3D00FC000000010000000000000000000000 | |||
| (PID) Process: | (252) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (252) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (252) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel |
| Operation: | write | Name: | MTTT |
Value: FC00000058F146095F12D50100000000 | |||
| (PID) Process: | (252) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
| Operation: | delete value | Name: | <{= |
Value: 3C7B3D00FC000000010000000000000000000000 | |||
| (PID) Process: | (252) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
| Operation: | delete key | Name: | |
Value: | |||
| (PID) Process: | (252) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency |
| Operation: | delete key | Name: | |
Value: | |||
| (PID) Process: | (252) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (252) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (252) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\134422 |
| Operation: | write | Name: | 134422 |
Value: 04000000FC0000006600000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0031006400660036003800640030006500300032003700300031003100300037003100660035003900390064006300630063006100350030006500380061003700620065003600320061006600660031003700640032006500340039006300370063003100340039003900660065003000380034006300390065006500640030002E0078006C007300000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0001000000000000002011590A5F12D501224413002244130000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 252 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR3F8D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 1892 | cmd.exe | C:\Users\admin\AppData\Local\isasseme.exe | executable | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 112.137.167.110:443 | alkautharpulaupinang.com | TM-VADS DC Hosting | MY | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
alkautharpulaupinang.com |
| unknown |