| Field | Value |
|---|---|
| File name | 555.xlsx |
| Full analysis | https://app.any.run/tasks/86b8728f-5832-45dc-901c-93ef362511cb |
| Verdict | Malicious activity |
| Analysis date | August 26, 2019, 01:52:33 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
| File info | Microsoft Excel 2007+ |
| MD5 | FA9B4801240CB4F70F0A810452E652BA |
| SHA1 | B9745E884270E4A0B15CBACCFE9AF186D4224C68 |
| SHA256 | 32935F7F01BD3BDA0D9AB3AF495B02367AD5DDB1DAE559F17C38BA371046D05E |
| SSDEEP | 384:4NRyWJMpDA6jv2z603n+0YwmVWmGXaZHo0Bg13kjwxZ0zcqW4DtSXYe74vu:4N9SDhY603n+hjVWmGUHCy+0zTIY+Wu |
| Extension | Identified type (score) |
|---|---|
| .xlsx | Excel Microsoft Office Open XML Format document (61.2) |
| .zip | Open Packaging Conventions container (31.5) |
| .zip | ZIP compressed archive (7.2) |
| ZIP header field (first entry) | Value |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | 0x0002 |
| ZipCompression | Deflated |
| ZipModifyDate | 2019:08:26 00:19:20 |
| ZipCRC | 0x96c115fe |
| ZipCompressedSize | 424 |
| ZipUncompressedSize | 1805 |
| ZipFileName | [Content_Types].xml |
| Document property | Value |
|---|---|
| Creator | hp |
| LastModifiedBy | hp |
| CreateDate | 2019:07:22 18:46:12Z |
| ModifyDate | 2019:07:24 20:26:54Z |
| Application | Microsoft Excel |
| DocSecurity | None |
| ScaleCrop | No |
| HeadingPairs | |
| TitlesOfParts | Feuil1 |
| Company | - |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| AppVersion | 16.03 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3380 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
| 3368 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe |
| 3332 | C:\Users\admin\AppData\Roaming\chigocryp.exe | C:\Users\admin\AppData\Roaming\chigocryp.exe | | EQNEDT32.EXE |
| 2916 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | | chigocryp.exe |

| PID | User | Company | Integrity level | Description | Version | Exit code |
|---|---|---|---|---|---|---|
| 3380 | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 14.0.6024.1000 | |
| 3368 | admin | Design Science, Inc. | MEDIUM | Microsoft Equation Editor | 00110900 | 0 |
| 3332 | admin | | MEDIUM | | | 0 |
| 2916 | admin | Microsoft Corporation | MEDIUM | Visual Basic Command Line Compiler | 8.0.50727.5420 | 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3380 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR9B3B.tmp.cvr | — | — | — |
| 3368 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\chigocryp[1].exe | executable | B0063581B77DA353488D5FA79F6528BC | 436A47CCD41E11F12398934609C0C4D38FA2BCBA088ED1B333E82FE291ADD401 |
| 3332 | chigocryp.exe | C:\Users\admin\AppData\Roaming\filename.exe | executable | B0063581B77DA353488D5FA79F6528BC | 436A47CCD41E11F12398934609C0C4D38FA2BCBA088ED1B333E82FE291ADD401 |
| 2916 | vbc.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll | executable | CB978304B79EF53962408C611DFB20F5 | 90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3 |
| 3368 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\chigocryp.exe | executable | B0063581B77DA353488D5FA79F6528BC | 436A47CCD41E11F12398934609C0C4D38FA2BCBA088ED1B333E82FE291ADD401 |
| 2916 | vbc.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-0.dll | executable | A2D7D7711F9C0E3E065B2929FF342666 | 9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D |
| 2916 | vbc.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll | executable | D97A1CB141C6806F0101A5ED2673A63D | DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C |
| 2916 | vbc.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll | executable | 88FF191FD8648099592ED28EE6C442A5 | C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D |
| 2916 | vbc.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll | executable | 502263C56F931DF8440D7FD2FA7B7C00 | 94A5DF1227818EDBFD0D5091C6A48F86B4117C38550343F780C604EEE1CD6231 |
| 2916 | vbc.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll | executable | 6D778E83F74A4C7FE4C077DC279F6867 | A97DCCA76CDB12E985DFF71040815F28508C655AB2B073512E386DD63F4DA325 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2916 | vbc.exe | 185.50.196.212:443 | losjardinesdejavier.com | Comvive Servidores S.L. | ES | malicious |
3368 | EQNEDT32.EXE | 69.89.31.230:443 | earadat.com | Unified Layer | US | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| earadat.com | 69.89.31.230 | suspicious |
| losjardinesdejavier.com | 185.50.196.212 | malicious |
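The tables above describe a chain in which EXCEL.EXE is never the parent of anything: Equation Editor (EQNEDT32.EXE) is activated out of process by svchost.exe with the COM `-Embedding` switch, fetches chigocryp.exe over HTTPS from earadat.com into the IE cache, writes it to %AppData%\Roaming and runs it; chigocryp.exe then starts vbc.exe with no arguments, and it is vbc.exe that contacts losjardinesdejavier.com. The Python below is an added example, not ANY.RUN's code or export format: it encodes the rows of the process, dropped-file and network tables as hand-constructed event dicts (simplified field names are an assumption), walks the parent chain by image name, and runs detection rules that key on the observable behaviour rather than on EXCEL.EXE as an ancestor.

```python
"""Detection pass over the process, dropped-file and network events in this report.

Added example, not ANY.RUN code: the event dicts below are constructed by hand from
the tables above and use a simplified field layout, not the sandbox's export format.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


# Constructed from the process tree; parents are image names only, as in the table.
PROCESS_EVENTS = [
    {"pid": 3380, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde',
     "parent": "explorer.exe"},
    {"pid": 3368, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
     "parent": "svchost.exe"},
    {"pid": 3332, "image": r"C:\Users\admin\AppData\Roaming\chigocryp.exe",
     "cmdline": r"C:\Users\admin\AppData\Roaming\chigocryp.exe", "parent": "EQNEDT32.EXE"},
    {"pid": 2916, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"', "parent": "chigocryp.exe"},
]
FILE_EVENTS = [  # two rows from the dropped-files table
    {"pid": 3368, "process": "EQNEDT32.EXE", "path": r"C:\Users\admin\AppData\Roaming\chigocryp.exe",
     "sha256": "436A47CCD41E11F12398934609C0C4D38FA2BCBA088ED1B333E82FE291ADD401"},
    {"pid": 2916, "process": "vbc.exe",
     "path": r"C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll",
     "sha256": "C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D"},
]
NETWORK_EVENTS = [  # the two connections from the network table
    {"pid": 2916, "process": "vbc.exe", "dst": "185.50.196.212:443", "domain": "losjardinesdejavier.com"},
    {"pid": 3368, "process": "EQNEDT32.EXE", "dst": "69.89.31.230:443", "domain": "earadat.com"},
]

KNOWN_BAD_SHA256 = {  # IOC taken from the dropped-files table
    "436A47CCD41E11F12398934609C0C4D38FA2BCBA088ED1B333E82FE291ADD401": "chigocryp.exe",
}
OFFICE_HANDLERS = {"eqnedt32.exe", "excel.exe", "winword.exe", "powerpnt.exe"}
COMPILERS = {"vbc.exe", "csc.exe", "msbuild.exe"}  # signed .NET build tools commonly used as injection hosts
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")


def base(path):
    """Lower-cased image name from a Windows path."""
    return ntpath.basename(path).lower()


def split_cmdline(cmdline):
    """Split a Windows command line into (executable, arguments), honouring a quoted exe."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end < 0:  # unterminated quote: treat the rest as the executable
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    exe, _, args = s.partition(" ")
    return exe, args.strip()


def process_chain(events, pid):
    """Walk parents by image name; returns [image, parent, grandparent, ...] lower-cased."""
    by_name = {base(e["image"]): e for e in events}
    e = {e["pid"]: e for e in events}[pid]
    chain = [base(e["image"])]
    while True:
        parent = e["parent"].lower()
        if parent in chain:  # cycle guard
            break
        chain.append(parent)
        e = by_name.get(parent)
        if e is None:  # parent was not captured as an event (svchost.exe here)
            break
    return chain


def detect_processes(events):
    alerts = []
    for e in events:
        img, parent = base(e["image"]), e["parent"].lower()
        exe, args = split_cmdline(e["cmdline"])
        if parent == "eqnedt32.exe":
            alerts.append(Alert("eqnedt32_spawns_child", e["pid"], f"{img} spawned by Equation Editor"))
        if parent in OFFICE_HANDLERS and any(d in e["image"].lower() for d in USER_WRITABLE):
            alerts.append(Alert("office_child_from_user_writable_path", e["pid"], e["image"]))
        if img in COMPILERS and not args:
            # A compiler started with no source files has nothing to compile: a hollowing host.
            alerts.append(Alert("compiler_without_source_args", e["pid"], exe))
    return alerts


def detect_files(events):
    alerts = []
    for e in events:
        digest = e["sha256"].upper()
        if digest in KNOWN_BAD_SHA256:
            alerts.append(Alert("known_bad_hash", e["pid"], KNOWN_BAD_SHA256[digest]))
        if base(e["process"]) == "eqnedt32.exe" and e["path"].lower().endswith(".exe"):
            alerts.append(Alert("eqnedt32_writes_executable", e["pid"], e["path"]))
    return alerts


def detect_network(events):
    alerts = []
    for e in events:
        proc = base(e["process"])
        if proc == "eqnedt32.exe":
            alerts.append(Alert("eqnedt32_network", e["pid"], f'{e["domain"]} ({e["dst"]})'))
        if proc in COMPILERS:
            alerts.append(Alert("compiler_network", e["pid"], f'{e["domain"]} ({e["dst"]})'))
    return alerts


def run_all():
    return detect_processes(PROCESS_EVENTS) + detect_files(FILE_EVENTS) + detect_network(NETWORK_EVENTS)


if __name__ == "__main__":
    print("chain for vbc.exe:", " <- ".join(process_chain(PROCESS_EVENTS, 2916)))
    for a in run_all():
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

The chain for vbc.exe ends at svchost.exe, so a rule that requires EXCEL.EXE as a parent or ancestor never fires on this sample; the rules above key instead on Equation Editor spawning a child, writing an executable or opening a connection, on a child started from a user-writable path, and on a .NET compiler running with no source arguments and then talking to the network.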