| File name: | 46643c330fc51a4dd70eec5094a19bd727e4f9064c3d9c720932be5eba58c0f4 |
| Full analysis: | https://app.any.run/tasks/79be1d55-a3ed-47cc-9ad3-77c2e0a5eaf9 |
| Verdict: | Malicious activity |
| Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
| Analysis date: | March 11, 2020, 09:37:05 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.ms-excel |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1256, Author: Mohsen, Last Saved By: Windows User, Name of Creating Application: Microsoft Excel, Last Printed: Sun Nov 10 08:09:33 2019, Create Time/Date: Tue Nov 8 08:33:09 2016, Last Saved Time/Date: Tue Feb 25 07:27:29 2020, Security: 0 |
| MD5: | 995F9762F4F6B2EE13306CE1F2E6C989 |
| SHA1: | 1854BD094DD92549A3BA2BA2B73FA4374C2A81C0 |
| SHA256: | 46643C330FC51A4DD70EEC5094A19BD727E4F9064C3D9C720932BE5EBA58C0F4 |
| SSDEEP: | 3072:W5ZxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAS96fqMjluKpSS8YOwFdG2/57spjJJ1:KxEtjPOtioVjDGUU1qfDlavx+W2QnASF |
MALICIOUS
Executable content was dropped or overwritten
- EXCEL.EXE (PID: 3620)
Application was dropped or rewritten from another process
- nvidia.exe (PID: 3468)
- taskghost.exe (PID: 3052)
- ServiceHost.exe (PID: 3940)
- taskshost.exe (PID: 1904)
Unusual execution from Microsoft Office
- EXCEL.EXE (PID: 3620)
Changes the Startup folder
- nvidia.exe (PID: 3468)
- ServiceHost.exe (PID: 3940)
- taskghost.exe (PID: 3052)
- taskshost.exe (PID: 1904)
SUSPICIOUS
Executed via COM
- iexplore.exe (PID: 2580)
- iexplore.exe (PID: 3816)
- iexplore.exe (PID: 2408)
Creates files in the user directory
- nvidia.exe (PID: 3468)
- taskghost.exe (PID: 3052)
- taskshost.exe (PID: 1904)
- ServiceHost.exe (PID: 3940)
Executable content was dropped or overwritten
- nvidia.exe (PID: 3468)
- taskghost.exe (PID: 3052)
- ServiceHost.exe (PID: 3940)
Changes IE settings (feature browser emulation)
- AcroRd32.exe (PID: 3544)
Starts itself from another location
- nvidia.exe (PID: 3468)
- taskghost.exe (PID: 3052)
Uses REG.EXE to modify Windows registry
- EXCEL.EXE (PID: 3620)
Creates files in the program directory
- AdobeARM.exe (PID: 3160)
Connects to server without host name
- iexplore.exe (PID: 3444)
- iexplore.exe (PID: 3012)
INFO
Changes internet zones settings
- iexplore.exe (PID: 2580)
- iexplore.exe (PID: 3816)
- iexplore.exe (PID: 2408)
Reads Internet Cache Settings
- iexplore.exe (PID: 2840)
- iexplore.exe (PID: 2580)
- iexplore.exe (PID: 3816)
- AcroRd32.exe (PID: 1748)
- AcroRd32.exe (PID: 3544)
- iexplore.exe (PID: 2792)
- iexplore.exe (PID: 2408)
- iexplore.exe (PID: 3360)
- iexplore.exe (PID: 3012)
- iexplore.exe (PID: 1708)
- iexplore.exe (PID: 3444)
Creates files in the user directory
- iexplore.exe (PID: 2580)
- AcroRd32.exe (PID: 3544)
- iexplore.exe (PID: 2408)
Reads internet explorer settings
- iexplore.exe (PID: 2840)
- iexplore.exe (PID: 2792)
- iexplore.exe (PID: 3360)
- iexplore.exe (PID: 3012)
- iexplore.exe (PID: 3444)
- iexplore.exe (PID: 1708)
Reads Microsoft Office registry keys
- EXCEL.EXE (PID: 3620)
Dropped object may contain Bitcoin addresses
- iexplore.exe (PID: 2840)
- iexplore.exe (PID: 2580)
- iexplore.exe (PID: 1708)
- iexplore.exe (PID: 2408)
Application launched itself
- AcroRd32.exe (PID: 3544)
- RdrCEF.exe (PID: 2144)
- iexplore.exe (PID: 3816)
- iexplore.exe (PID: 2408)
Manual execution by user
- AcroRd32.exe (PID: 3544)
Reads the hosts file
- RdrCEF.exe (PID: 2144)
Reads settings of System Certificates
- AcroRd32.exe (PID: 3544)
- iexplore.exe (PID: 2580)
- iexplore.exe (PID: 3816)
- iexplore.exe (PID: 2408)
Adds / modifies Windows certificates
- iexplore.exe (PID: 3816)
- iexplore.exe (PID: 2408)
- iexplore.exe (PID: 2580)
Changes settings of System certificates
- iexplore.exe (PID: 3816)
- iexplore.exe (PID: 2408)
- iexplore.exe (PID: 2580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xls | | | Microsoft Excel sheet (48) |
|---|---|---|
| .xls | | | Microsoft Excel sheet (alternate) (39.2) |
EXIF
FlashPix
| Author: | Mohsen |
|---|---|
| LastModifiedBy: | Windows User |
| Software: | Microsoft Excel |
| LastPrinted: | 2019:11:10 08:09:33 |
| CreateDate: | 2016:11:08 08:33:09 |
| ModifyDate: | 2020:02:25 07:27:29 |
| Security: | None |
| CodePage: | Windows Arabic |
| Company: | Mortalkombat |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: |
|
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Excel 2003 Worksheet |
Total processes
79
Monitored processes
28
Malicious processes
3
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1332 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2144.0.111329328\220841614" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 0 Version: 15.23.20053.211670 Modules
| |||||||||||||||
| 1708 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2408 CREDAT:1840410 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 1748 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\Desktop\FinalOffer_20200311_0938.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Exit code: 1 Version: 15.23.20070.215641 Modules
| |||||||||||||||
| 1848 | ping -n 1 www.google.com | C:\Windows\system32\ping.exe | — | ServiceHost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1904 | C:\Users\admin\AppData\Roaming\NvidiaGraphic\{274f2f-20k-5522-ba37-91401alac280}\taskshost.exe | C:\Users\admin\AppData\Roaming\NvidiaGraphic\{274f2f-20k-5522-ba37-91401alac280}\taskshost.exe | taskghost.exe | ||||||||||||
User: admin Company: mehdirayaneh Integrity Level: MEDIUM Description: Host process For Windows Tasks Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 2144 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | AcroRd32.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Exit code: 0 Version: 15.23.20053.211670 Modules
| |||||||||||||||
| 2408 | "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | C:\Program Files\Internet Explorer\iexplore.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 2580 | "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | C:\Program Files\Internet Explorer\iexplore.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 2656 | ping -n 1 www.google.com | C:\Windows\system32\ping.exe | — | taskshost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2660 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2144.1.2135876401\524642348" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 0 Version: 15.23.20053.211670 Modules
| |||||||||||||||
Total events
21 280
Read events
3 734
Write events
11 812
Delete events
5 734
Modification events
| (PID) Process: | (3620) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
| Operation: | write | Name: | .z4 |
Value: 2E7A3400240E0000010000000000000000000000 | |||
| (PID) Process: | (3620) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (3620) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1041 |
Value: Off | |||
| (PID) Process: | (3620) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1046 |
Value: Off | |||
| (PID) Process: | (3620) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1036 |
Value: Off | |||
| (PID) Process: | (3620) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1031 |
Value: Off | |||
| (PID) Process: | (3620) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1040 |
Value: Off | |||
| (PID) Process: | (3620) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1049 |
Value: Off | |||
| (PID) Process: | (3620) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 3082 |
Value: Off | |||
| (PID) Process: | (3620) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1042 |
Value: Off | |||
Executable files
5
Suspicious files
30
Text files
35
Unknown types
28
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3620 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR7EAE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3620 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\mso6083.tmp | — | |
MD5:— | SHA256:— | |||
| 3620 | EXCEL.EXE | C:\Users\admin\Desktop\mso6576.tmp | — | |
MD5:— | SHA256:— | |||
| 2580 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFBE485C90364C65A4.TMP | — | |
MD5:— | SHA256:— | |||
| 2580 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BFMG1KV4XTZ5LGDFONM6.temp | — | |
MD5:— | SHA256:— | |||
| 2580 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF5D9E9FC862526729.TMP | — | |
MD5:— | SHA256:— | |||
| 2580 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{03209847-637C-11EA-972D-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
| 1748 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal | — | |
MD5:— | SHA256:— | |||
| 1748 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rb576c9_1nm5ax0_1ck.tmp | — | |
MD5:— | SHA256:— | |||
| 1748 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1y19q0j_1nm5awy_1ck.tmp | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
46
DNS requests
20
Threats
6
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2580 | iexplore.exe | GET | — | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | — | — | whitelisted |
3544 | AcroRd32.exe | GET | 304 | 2.16.186.57:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip | unknown | — | — | whitelisted |
2840 | iexplore.exe | GET | 200 | 80.82.67.45:80 | http://80.82.67.45/mh/p1.php | SC | html | 192 Kb | malicious |
2792 | iexplore.exe | GET | 200 | 80.82.67.45:80 | http://80.82.67.45/mh/ip.php | SC | html | 271 b | malicious |
3544 | AcroRd32.exe | GET | 304 | 2.16.186.57:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip | unknown | — | — | whitelisted |
3544 | AcroRd32.exe | GET | 304 | 2.16.186.57:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip | unknown | — | — | whitelisted |
3544 | AcroRd32.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted |
2840 | iexplore.exe | GET | 200 | 80.82.67.45:80 | http://80.82.67.45/mh/p2.php | SC | html | 236 Kb | malicious |
2580 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
2580 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2580 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2580 | iexplore.exe | 80.82.67.45:80 | — | Quasi Networks LTD. | SC | malicious |
2580 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3816 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3544 | AcroRd32.exe | 2.16.186.57:80 | acroipm2.adobe.com | Akamai International B.V. | — | whitelisted |
3544 | AcroRd32.exe | 23.210.248.251:443 | armmf.adobe.com | Akamai International B.V. | NL | whitelisted |
3816 | iexplore.exe | 80.82.67.45:80 | — | Quasi Networks LTD. | SC | malicious |
2840 | iexplore.exe | 80.82.67.45:80 | — | Quasi Networks LTD. | SC | malicious |
— | — | 23.210.248.251:443 | armmf.adobe.com | Akamai International B.V. | NL | whitelisted |
3816 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
www.google.com |
| malicious |
acroipm2.adobe.com |
| whitelisted |
armmf.adobe.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
ardownload2.adobe.com |
| whitelisted |
ieonline.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2840 | iexplore.exe | A Network Trojan was detected | ET TROJAN Windows executable base64 encoded |
2840 | iexplore.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable base64 Payload |
2840 | iexplore.exe | A Network Trojan was detected | ET TROJAN Windows executable base64 encoded |
2840 | iexplore.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable base64 Payload |
1708 | iexplore.exe | A Network Trojan was detected | ET TROJAN Windows executable base64 encoded |
1708 | iexplore.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable base64 Payload |