File name: | Rfq.xlsm |
Full analysis: | https://app.any.run/tasks/1507be4f-da35-4fa9-bd7d-4082b692202e |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | May 20, 2019, 08:59:34 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info: | Microsoft Excel 2007+ |
MD5: | D4A8B8C744B41948ECA6E2AF85B87B90 |
SHA1: | D9D1637DDC2870F1F77283C9A73D2FF6D8588A8B |
SHA256: | 26CBE2CACCAEADA07A66F2077B556359D94A404D643453400FC0AEED1CBA8510 |
SSDEEP: | 3072:Rogon1q3nB6f+nMbs0xnE4plYoeT91ck7R0ZlkjksJeLh+r44pP1Onr0lDxaa:RI03nBvMbJn9LYtOBjgdir4aa |
.xlsm | | | Excel Microsoft Office Open XML Format document (with Macro) (50.8) |
---|---|---|
.xlsx | | | Excel Microsoft Office Open XML Format document (30) |
.zip | | | Open Packaging Conventions container (15.4) |
.zip | | | ZIP compressed archive (3.5) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0006 |
ZipCompression: | Deflated |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCRC: | 0x9cc0ec29 |
ZipCompressedSize: | 394 |
ZipUncompressedSize: | 1257 |
ZipFileName: | [Content_Types].xml |
Creator: | - |
---|
LastModifiedBy: | - |
---|---|
CreateDate: | 2015:06:05 18:17:20Z |
ModifyDate: | 2019:05:20 06:22:12Z |
Application: | Microsoft Excel |
DocSecurity: | None |
ScaleCrop: | No |
HeadingPairs: |
|
TitlesOfParts: | Sheet1 |
Company: | - |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 16.03 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3332 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
1472 | C:\Users\admin\AppData\Local\Temp\KsScL.exe | C:\Users\admin\AppData\Local\Temp\KsScL.exe | — | EXCEL.EXE |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
912 | "C:\Users\admin\AppData\Local\Temp\KsScL.exe" | C:\Users\admin\AppData\Local\Temp\KsScL.exe | KsScL.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3176 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs" | C:\Windows\System32\WScript.exe | — | KsScL.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3588 | "C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Roaming\server\server.exe" | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2996 | C:\Users\admin\AppData\Roaming\server\server.exe | C:\Users\admin\AppData\Roaming\server\server.exe | — | cmd.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
4028 | "C:\Users\admin\AppData\Roaming\server\server.exe" | C:\Users\admin\AppData\Roaming\server\server.exe | server.exe | |
User: admin Integrity Level: MEDIUM | ||||
1896 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe | server.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2244 | C:\Users\admin\AppData\Roaming\server\server.exe /stext "C:\Users\admin\AppData\Local\Temp\lkgwikinbiqdoerhu" | C:\Users\admin\AppData\Roaming\server\server.exe | — | server.exe |
User: admin Integrity Level: MEDIUM | ||||
3640 | C:\Users\admin\AppData\Roaming\server\server.exe /stext "C:\Users\admin\AppData\Local\Temp\wmlojdthoqipqknllfst" | C:\Users\admin\AppData\Roaming\server\server.exe | — | server.exe |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
3332 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVREF00.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4028 | server.exe | C:\Users\admin\AppData\Roaming\Screenshots\time_20190520_100010.png | image | |
MD5:8266ED6FF9A1073D96AA3696967EF772 | SHA256:1429EA521F5F9C7779963881FDE16F5A9A6F12613523C7F7958570C20B44BCE6 | |||
4028 | server.exe | C:\Users\admin\AppData\Roaming\remcos\logs.dat | text | |
MD5:8D31F4AC63CC2A9E9EE54BE0BA148507 | SHA256:6D6C480CBF25F752764855654FFBC6C22A9364CFC025E9C33832D68A74073A52 | |||
912 | KsScL.exe | C:\Users\admin\AppData\Local\Temp\install.vbs | binary | |
MD5:9EC6FEDFA7473C89F4BE85FA4FFC1B57 | SHA256:0C70303B09A733232019EC43FAF1BBDF724105CC26BCB4646EC5157F5A60C25C | |||
3332 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\RFFQ[1].exe | executable | |
MD5:F15E448B76331EC8D1C2CF3A7BD4289A | SHA256:197738FB685E9A5A083E17D70DD269BDCBC32956810A02220A10449E5EE83A57 | |||
912 | KsScL.exe | C:\Users\admin\AppData\Roaming\server\server.exe | executable | |
MD5:F15E448B76331EC8D1C2CF3A7BD4289A | SHA256:197738FB685E9A5A083E17D70DD269BDCBC32956810A02220A10449E5EE83A57 | |||
3332 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\KsScL.exe | executable | |
MD5:F15E448B76331EC8D1C2CF3A7BD4289A | SHA256:197738FB685E9A5A083E17D70DD269BDCBC32956810A02220A10449E5EE83A57 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4028 | server.exe | 160.116.15.144:1337 | dmurrray.warzonedns.com | — | ZA | malicious |
3332 | EXCEL.EXE | 31.31.196.162:443 | master-peredelkino.ru | Domain names registrar REG.RU, Ltd | RU | suspicious |
Domain | IP | Reputation |
---|---|---|
master-peredelkino.ru |
| suspicious |
dmurrray.warzonedns.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
4028 | server.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT connection |
4028 | server.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT connection |