File name: Rfq.xlsm
Full analysis: https://app.any.run/tasks/1507be4f-da35-4fa9-bd7d-4082b692202e
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that, once it has infected a system, records every keystroke made on the device. This lets attackers collect victims' personal information, including online banking credentials and private conversations. The most common infection vector is a phishing email or link. Keylogging is also a standard component of remote access trojans (RATs), delivered as part of a broader set of malicious tools; in this analysis the keylogger log is written by the Remcos RAT payload.

Analysis date: May 20, 2019, 08:59:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
rat
remcos
keylogger
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5: D4A8B8C744B41948ECA6E2AF85B87B90
SHA1: D9D1637DDC2870F1F77283C9A73D2FF6D8588A8B
SHA256: 26CBE2CACCAEADA07A66F2077B556359D94A404D643453400FC0AEED1CBA8510
SSDEEP: 3072:Rogon1q3nB6f+nMbs0xnE4plYoeT91ck7R0ZlkjksJeLh+r44pP1Onr0lDxaa:RI03nBvMbJn9LYtOBjgdir4aa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3332)
    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 3332)
    • Application was dropped or rewritten from another process

      • KsScL.exe (PID: 1472)
      • KsScL.exe (PID: 912)
      • server.exe (PID: 2996)
      • server.exe (PID: 4028)
      • server.exe (PID: 288)
      • server.exe (PID: 2692)
      • server.exe (PID: 3640)
      • server.exe (PID: 3808)
      • server.exe (PID: 3392)
      • server.exe (PID: 3856)
      • server.exe (PID: 1548)
      • server.exe (PID: 2244)
      • server.exe (PID: 3544)
    • Changes the autorun value in the registry

      • KsScL.exe (PID: 912)
      • server.exe (PID: 4028)
    • Uses SVCHOST.EXE for hidden code execution

      • server.exe (PID: 4028)
    • Detected logs from REMCOS RAT

      • server.exe (PID: 4028)
    • REMCOS RAT was detected

      • server.exe (PID: 4028)
  • SUSPICIOUS

    • Application launched itself

      • KsScL.exe (PID: 1472)
      • server.exe (PID: 2996)
      • server.exe (PID: 4028)
    • Creates files in the user directory

      • KsScL.exe (PID: 912)
      • server.exe (PID: 4028)
    • Executable content was dropped or overwritten

      • KsScL.exe (PID: 912)
    • Executes scripts

      • KsScL.exe (PID: 912)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3176)
    • Writes files like Keylogger logs

      • server.exe (PID: 4028)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3332)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 3332)
    • Application was crashed

      • svchost.exe (PID: 1896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsm | Excel Microsoft Office Open XML Format document (with Macro) (50.8)
.xlsx | Excel Microsoft Office Open XML Format document (30)
.zip | Open Packaging Conventions container (15.4)
.zip | ZIP compressed archive (3.5)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x9cc0ec29
ZipCompressedSize: 394
ZipUncompressedSize: 1257
ZipFileName: [Content_Types].xml

XMP

Creator: -

XML

LastModifiedBy: -
CreateDate: 2015:06:05 18:17:20Z
ModifyDate: 2019:05:20 06:22:12Z
Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 1
TitlesOfParts: Sheet1
Company: -
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16.03
No data.
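The TRiD and EXIF sections above identify the sample as an Open Packaging Conventions zip (an OOXML workbook) whose content types declare a macro-enabled sheet. The following added Python example (my own code, not ANY.RUN's, and not the sample itself) performs that static triage offline: it confirms the OPC container, looks for the vbaProject.bin part and the VBA content type in [Content_Types].xml, and hashes the file against the MD5/SHA1/SHA256 values the report lists. The workbook it builds is a constructed minimal container for demonstration, so it will not match the report hashes; point `verdict()` at the real Rfq.xlsm bytes to check a suspect file.

```python
"""Static triage of an .xlsm: OPC container check, VBA part check, IOC hash match.
Added example (not ANY.RUN code). The sample container built by build_sample()
is constructed in memory for the demo and is NOT the Rfq.xlsm analysed above."""
import hashlib
import io
import zipfile

# Hashes copied from the report's Indicators section (lower-cased for comparison).
REPORT_HASHES = {
    "md5": "d4a8b8c744b41948eca6e2af85b87b90",
    "sha1": "d9d1637ddc2870f1f77283c9a73d2ff6d8588a8b",
    "sha256": "26cbe2caccaeada07a66f2077b556359d94a404d643453400fc0aeed1cba8510",
}
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_SHEET_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_SHEET_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the raw file, the same three the report prints."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def inspect_ooxml(data: bytes) -> dict:
    """What the container says about itself, without ever opening it in Excel."""
    result = {"is_opc_zip": False, "parts": [], "has_vba_part": False,
              "declares_vba_content_type": False, "macro_enabled_main_part": False,
              "zip_timestamps": set()}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["parts"] = names
        result["is_opc_zip"] = "[Content_Types].xml" in names
        # Office writes 1980-01-01 entry timestamps (see ZipModifyDate above);
        # collected here only so the analyst can see them, not as a verdict.
        result["zip_timestamps"] = {zi.date_time for zi in zf.infolist()}
        if result["is_opc_zip"]:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_vba_content_type"] = VBA_CONTENT_TYPE in ctypes
            result["macro_enabled_main_part"] = MACRO_SHEET_CT in ctypes
        result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    return result


def verdict(data: bytes) -> dict:
    """Combine the container inspection with an IOC hash match."""
    info = inspect_ooxml(data)
    hashes = file_hashes(data)
    known = any(hashes[k] == v for k, v in REPORT_HASHES.items())
    macros = info["has_vba_part"] or info["declares_vba_content_type"]
    return {"known_sample": known, "has_macros": macros,
            "is_opc_zip": info["is_opc_zip"], **hashes}


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal workbook container for testing; not the real sample."""
    main_ct = MACRO_SHEET_CT if with_macros else PLAIN_SHEET_CT
    vba_override = (f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
                    if with_macros else "")
    ct = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>'
          f'{vba_override}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # OLE compound-file magic followed by padding: enough to stand in
            # for a vbaProject.bin part in this demo
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("macros" if flag else "no macros", verdict(build_sample(flag)))
```

A match on `known_sample` is only as good as the hash list: a repacked workbook with a different VBA stream will miss all three, so `has_macros` is the signal to act on when the hash is new.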
All screenshots are available in the full report
Total processes: 52
Monitored processes: 17
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Process chain (flattened graph; "no specs" marks processes with no recorded indicators):
explorer.exe > EXCEL.EXE (3332) > KsScL.exe (1472, no specs) > KsScL.exe (912) > WScript.exe (3176, no specs) > cmd.exe (no specs) > server.exe (2996, no specs) > server.exe (4028, #REMCOS) > svchost.exe (1896); server.exe also spawns further server.exe instances (no specs).

Process information

PID: 288
CMD: C:\Users\admin\AppData\Roaming\server\server.exe /stext "C:\Users\admin\AppData\Local\Temp\dmyjoqetche"
Path: C:\Users\admin\AppData\Roaming\server\server.exe
Parent process: server.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
PID: 912
CMD: "C:\Users\admin\AppData\Local\Temp\KsScL.exe"
Path: C:\Users\admin\AppData\Local\Temp\KsScL.exe
Parent process: KsScL.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\ksscl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1472
CMD: C:\Users\admin\AppData\Local\Temp\KsScL.exe
Path: C:\Users\admin\AppData\Local\Temp\KsScL.exe
Parent process: EXCEL.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\ksscl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
PID: 1548
CMD: C:\Users\admin\AppData\Roaming\server\server.exe /stext "C:\Users\admin\AppData\Local\Temp\jurhhvdpmwuohwywcafnaqarsljsd"
Path: C:\Users\admin\AppData\Roaming\server\server.exe
Parent process: server.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
PID: 1896
CMD: C:\Windows\system32\svchost.exe
Path: C:\Windows\system32\svchost.exe
Parent process: server.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
PID: 2244
CMD: C:\Users\admin\AppData\Roaming\server\server.exe /stext "C:\Users\admin\AppData\Local\Temp\lkgwikinbiqdoerhu"
Path: C:\Users\admin\AppData\Roaming\server\server.exe
Parent process: server.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
PID: 2692
CMD: C:\Users\admin\AppData\Roaming\server\server.exe /stext "C:\Users\admin\AppData\Local\Temp\qxfg"
Path: C:\Users\admin\AppData\Roaming\server\server.exe
Parent process: server.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
PID: 2996
CMD: C:\Users\admin\AppData\Roaming\server\server.exe
Path: C:\Users\admin\AppData\Roaming\server\server.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\roaming\server\server.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
PID: 3176
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: KsScL.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3332
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
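The process records above describe a chain that is worth encoding as detection logic: EXCEL.EXE drops KsScL.exe into %Temp% and runs it; KsScL.exe relaunches itself, drops install.vbs and runs it through WScript.exe; the script starts cmd.exe, which starts server.exe from %AppData%\server; server.exe relaunches itself, spawns svchost.exe (the process the report ties to the Remcos detection) and runs more copies of itself with a /stext argument. The Python below is an added example, not ANY.RUN code, and uses no ANY.RUN API. The event list is constructed from the PIDs, images and parents printed in the Process information section; the explorer.exe PID (1000), the cmd.exe PID (5000) and its command line are assumed because the page does not list them, and the parent of PID 4028 is taken to be 2996 because the report states that server.exe launched itself. The field layout (pid, ppid, image, cmdline) is the shape of a Sysmon Event ID 1 row, which is an assumption about your telemetry.

```python
"""Rule-per-link detection for the Office -> script host -> %AppData% binary ->
svchost.exe chain recorded in this report, with ancestry walking so an alert on
svchost.exe is attributed back to the document. Added example, not ANY.RUN code.
EVENTS is constructed from the report; PIDs 1000 and 5000 and the cmd.exe
command line are assumed (not on the page)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:  # shape of a Sysmon Event ID 1 / EDR process-create row (assumed)
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),  # assumed PID
    ProcEvent(3332, 1000, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'),
    ProcEvent(1472, 3332, r"C:\Users\admin\AppData\Local\Temp\KsScL.exe",
              r"C:\Users\admin\AppData\Local\Temp\KsScL.exe"),
    ProcEvent(912, 1472, r"C:\Users\admin\AppData\Local\Temp\KsScL.exe",
              r'"C:\Users\admin\AppData\Local\Temp\KsScL.exe"'),
    ProcEvent(3176, 912, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs"'),
    ProcEvent(5000, 3176, r"C:\Windows\System32\cmd.exe", "cmd.exe"),  # assumed PID and cmdline
    ProcEvent(2996, 5000, r"C:\Users\admin\AppData\Roaming\server\server.exe",
              r"C:\Users\admin\AppData\Roaming\server\server.exe"),
    ProcEvent(4028, 2996, r"C:\Users\admin\AppData\Roaming\server\server.exe",
              r"C:\Users\admin\AppData\Roaming\server\server.exe"),
    ProcEvent(1896, 4028, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe"),
    ProcEvent(288, 4028, r"C:\Users\admin\AppData\Roaming\server\server.exe",
              r'C:\Users\admin\AppData\Roaming\server\server.exe /stext "C:\Users\admin\AppData\Local\Temp\dmyjoqetche"'),
    ProcEvent(1548, 4028, r"C:\Users\admin\AppData\Roaming\server\server.exe",
              r'C:\Users\admin\AppData\Roaming\server\server.exe /stext "C:\Users\admin\AppData\Local\Temp\jurhhvdpmwuohwywcafnaqarsljsd"'),
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from the process up to the root of the recorded tree."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return (rule, pid) pairs; each rule is one link of the chain above."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        img, pimg = basename(e.image), basename(parent.image)
        if pimg in OFFICE and img.endswith(".exe") and USER_WRITABLE.search(e.image):
            alerts.append(("office_child_exe_in_user_dir", e.pid))
        if pimg in SCRIPT_HOSTS and img == "cmd.exe":
            alerts.append(("script_host_spawns_cmd", e.pid))
        if pimg == "cmd.exe" and USER_WRITABLE.search(e.image):
            alerts.append(("cmd_spawns_exe_from_appdata", e.pid))
        if img == "svchost.exe" and pimg != "services.exe":
            # legitimate svchost.exe is started by services.exe; a parent living in
            # %AppData% is the pattern the report calls "Uses SVCHOST.EXE for
            # hidden code execution"
            alerts.append(("svchost_parent_not_services", e.pid))
        if img == pimg:
            alerts.append(("self_relaunch", e.pid))
            if "/stext" in e.cmdline.lower():
                # /stext is the text-output switch of the NirSoft credential
                # recovery tools; Remcos is commonly observed running them inside
                # relaunched copies of itself, which is what PIDs 288/1548 look like
                alerts.append(("nirsoft_stext_switch", e.pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:30} pid={pid:<5} chain={' <- '.join(ancestry(EVENTS, pid))}")
```

Each rule is deliberately narrow and noisy on its own (Office spawning a helper from %Temp% happens with some add-ins; svchost.exe with a non-services.exe parent appears in some debugging setups), so the value is in correlating several hits inside one ancestry chain rather than paging on any single one.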
Total events: 1 032
Read events: 979
Write events: 46
Delete events: 7

Modification events

(PID) Process: (3332) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation: write
Name: 07>
Value: 30373E00040D0000010000000000000000000000

(PID) Process: (3332) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

(PID) Process: (3332) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

(PID) Process: (3332) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
Operation: write
Name: MTTT
Value: 040D000068B97566EA0ED50100000000

(PID) Process: (3332) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation: delete value
Name: 07>
Value: 30373E00040D0000010000000000000000000000

(PID) Process: (3332) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation: delete key
Name:
Value:

(PID) Process: (3332) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
Operation: delete key
Name:
Value:

(PID) Process: (3332) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (3332) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (3332) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11F6C2
Operation: write
Name: 11F6C2
Value:
04000000040D00002A00000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C005200660071002E0078006C0073006D00000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000000000000B0F98668EA0ED501C2F61100C2F6110000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 3
Suspicious files: 1
Text files: 3
Unknown types: 0

Dropped files

PID 3332 EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVREF00.tmp.cvr
MD5:
SHA256:

PID 912 KsScL.exe
Filename: C:\Users\admin\AppData\Local\Temp\install.vbs
Type: binary
MD5:
SHA256:

PID 3332 EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\KsScL.exe
Type: executable
MD5:
SHA256:

PID 3332 EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\RFFQ[1].exe
Type: executable
MD5:
SHA256:

PID 912 KsScL.exe
Filename: C:\Users\admin\AppData\Roaming\server\server.exe
Type: executable
MD5:
SHA256:

PID 4028 server.exe
Filename: C:\Users\admin\AppData\Roaming\Screenshots\time_20190520_100010.png
Type: image
MD5:
SHA256:

PID 4028 server.exe
Filename: C:\Users\admin\AppData\Roaming\remcos\logs.dat
Type: text
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 3
Threats: 4

HTTP requests

No HTTP requests

Connections

PID  | Process    | IP                   | Domain                  | ASN                                 | CN | Reputation
3332 | EXCEL.EXE  | 31.31.196.162:443    | master-peredelkino.ru   | Domain names registrar REG.RU, Ltd  | RU | suspicious
4028 | server.exe | 160.116.15.144:1337  | dmurrray.warzonedns.com | -                                   | ZA | malicious

DNS requests

Domain                  | IP             | Reputation
master-peredelkino.ru   | 31.31.196.162  | suspicious
dmurrray.warzonedns.com | 160.116.15.144 | malicious

Threats

PID  | Process    | Class                         | Message
4028 | server.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT connection
4028 | server.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT connection
2 ETPRO signatures available at the full report
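The network section gives two indicator pairs: EXCEL.EXE talking TLS to master-peredelkino.ru (31.31.196.162:443, the only outbound activity from the Office process and consistent with the RFFQ[1].exe payload appearing in the Temporary Internet Files cache) and server.exe talking to dmurrray.warzonedns.com (160.116.15.144:1337), which the IDS signatures attribute to Remcos. The following Python is an added example of my own, not ANY.RUN or PTsecurity code: it matches connection records against those indicators, adds two behavioural checks (a binary under %AppData% using a non-web port; an Office process connecting straight to the internet), and renders a Suricata rule for the C2 pair. The records are constructed in the shape of a Sysmon Event ID 3 row (an assumption about your telemetry); the third record, svchost.exe to 203.0.113.10, is an invented benign control using a TEST-NET address; the sid 1000001 is a placeholder in the local-rules range, not a published signature id.

```python
"""IOC and behaviour matching for the connections listed in this report, plus a
Suricata rule for the C2 ip:port. Added example, not ANY.RUN/PTsecurity code.
RECORDS is constructed from the report's Connections table; the PID 1200 row is
an invented benign control."""
import ipaddress
import re

IOC_DOMAINS = {"dmurrray.warzonedns.com": "malicious", "master-peredelkino.ru": "suspicious"}
IOC_IPS = {"160.116.15.144": "malicious", "31.31.196.162": "suspicious"}
COMMON_PORTS = {53, 80, 443, 8080}
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

RECORDS = [  # constructed from the report's Connections table (Sysmon Event ID 3 shape assumed)
    {"pid": 3332, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "dst_ip": "31.31.196.162", "dst_port": 443, "dst_host": "master-peredelkino.ru"},
    {"pid": 4028, "image": r"C:\Users\admin\AppData\Roaming\server\server.exe",
     "dst_ip": "160.116.15.144", "dst_port": 1337, "dst_host": "dmurrray.warzonedns.com"},
    {"pid": 1200, "image": r"C:\Windows\System32\svchost.exe",  # invented benign control
     "dst_ip": "203.0.113.10", "dst_port": 80, "dst_host": "example.invalid"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(rec: dict) -> list:
    """Return (rule, detail) hits for one connection record."""
    hits = []
    host = rec["dst_host"].lower().rstrip(".")
    for dom, rep in IOC_DOMAINS.items():
        # parent-domain match so a fresh label under a flagged zone still hits
        if host == dom or host.endswith("." + dom):
            hits.append((f"ioc_domain_{rep}", dom))
    if rec["dst_ip"] in IOC_IPS:
        hits.append((f"ioc_ip_{IOC_IPS[rec['dst_ip']]}", rec["dst_ip"]))
    if USER_WRITABLE.search(rec["image"]) and rec["dst_port"] not in COMMON_PORTS:
        # a binary under %AppData% talking to a non-web port is the shape of the
        # server.exe -> 160.116.15.144:1337 connection in the report
        hits.append(("user_dir_binary_uncommon_port", f"{rec['dst_ip']}:{rec['dst_port']}"))
    if basename(rec["image"]) in OFFICE and ipaddress.ip_address(rec["dst_ip"]).is_global:
        # Office reaching the internet directly is what the payload download looked
        # like here; weak on its own, strong next to a process-tree alert
        hits.append(("office_direct_internet_connection", host or rec["dst_ip"]))
    return hits


def suricata_rule(ip: str, port: int, msg: str, sid: int, rev: int = 1) -> str:
    """Render a minimal Suricata rule for an outbound C2 ip:port pair."""
    return (f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{msg}"; '
            f'flow:to_server,established; classtype:trojan-activity; sid:{sid}; rev:{rev};)')


if __name__ == "__main__":
    for r in RECORDS:
        print(r["pid"], basename(r["image"]), classify(r))
    print(suricata_rule("160.116.15.144", 1337, "Remcos RAT C2 (from sandbox report)", 1000001))
```

The ip:port rule is the short-lived part: dynamic-DNS style hosts such as the warzonedns.com subdomain above can be repointed by the operator at any time, so keep the domain match and the behavioural checks even after the IP goes stale.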
No debug info