| Field | Value |
|---|---|
| File name | inv_762128.xls |
| Full analysis | https://app.any.run/tasks/0663ade1-a588-45da-9fcc-5b9b2ba1e4fd |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date | March 30, 2020, 17:42:22 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.ms-excel |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Mar 19 13:21:36 2020, Last Saved Time/Date: Mon Mar 30 15:13:48 2020, Security: 0 |
| MD5 | DA30DDD7C16B984020111DABDC28BDDF |
| SHA1 | 9BBF0E4C6CA350C5B7CAA231EDF1149CAD18C8E3 |
| SHA256 | 49BF6A841DF59C52E540E5EEE434EBD27C97077EF320F261B53150ECFA5BF45A |
| SSDEEP | 1536:zZk3hbdlylKsgqopeJBWhZFGkE+cL2NdA4VSEGBCCwfQjpDoXb1zkaKrvgexmR:zZk3hbdlylKsgqopeJBWhZFGkE+cL2Nr |
| Extension | Description |
|---|---|
| .xls | Microsoft Excel sheet (78.9) |

| Property | Value |
|---|---|
| Author | - |
| LastModifiedBy | - |
| Software | Microsoft Excel |
| CreateDate | 2020:03:19 13:21:36 |
| ModifyDate | 2020:03:30 14:13:48 |
| Security | None |
| CodePage | Windows Latin 1 (Western European) |
| Company | - |
| AppVersion | 16 |
| ScaleCrop | No |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| TitleOfParts | Sheet1 |
| HeadingPairs | |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2892 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | | explorer.exe |
| 1440 | "C:\FzoJzqE\PxwkWxU\guctfjK.exe" | C:\FzoJzqE\PxwkWxU\guctfjK.exe | | EXCEL.EXE |

| PID | User | Company | Integrity Level | Description | Version |
|---|---|---|---|---|---|
| 2892 | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 14.0.6024.1000 |
| 1440 | admin | Sun Microsystems, Inc. | MEDIUM | Java(TM) 2 Platform Standard Edition binary | 8.5.27.0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2892 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR78F1.tmp.cvr | — | — | — |
| 2892 | EXCEL.EXE | C:\FzoJzqE\PxwkWxU\guctfjK.exe | executable | 4A39499D8D6A9DE811494BB93D7C0907 | 0F94E9B2A544D51C3158DCC94892E7C29C08D9CC24601F9FA745E648AFD34A63 |
| 2892 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\apol[1].exe | executable | 4A39499D8D6A9DE811494BB93D7C0907 | 0F94E9B2A544D51C3158DCC94892E7C29C08D9CC24601F9FA745E648AFD34A63 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2892 | EXCEL.EXE | 161.117.235.193:80 | arcoqa.com | — | SG | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| arcoqa.com | | suspicious |
PID | Process | Class | Message |
---|---|---|---|
2892 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
Process | Message |
---|---|
guctfjK.exe | sPGtTDwhOhcMVEyYQFQQkHvdJznbxq |
guctfjK.exe | GLENILkMRRFwsIdgMcwxtTkVNTyeGNHfvrHcdNmNSaQOVrKgxXpxvneabmaepoMUGB |
guctfjK.exe | iDXrdWbRMuzMnoaBepXLJFvaSTtnXEEoKUSTLhrVQjHzVZKPENteKds |
guctfjK.exe | AThpIzUtwrRgVhACiMdocswMPtJUkDdlcfcrclWApDTN |
guctfjK.exe | zMBgujxDairqmmHGTfLIBmIGVtXBYnmQGdVWKrnDYtPqibWKLuzchQqEXBvCMiqibkip |
guctfjK.exe | VfpdwQvoOglfKIQHelNVQnhgsTkRfaemwUXsYtHpjEfojDSQikUIIvXGQCaAg |
guctfjK.exe | HohZZGJYfzPzgzstvdZQyWzhTsnpsrZEYcvVdvhfqNZRSQyOzXXhZDxcNWinulYSqQTAFONYvNj |
guctfjK.exe | SVMAXGmovOKXgvqwRXuhLIYhgGl |
guctfjK.exe | damrocqlgIEFvBNdQijohEWlTkoGAUdaHsoUegLqKbTtJygPORaHqBfp |
guctfjK.exe | SYeRRhnoGKruvWoZWkTrXwYSWEvjFYAayZISOwMpaJiyEMrHbUGKuEjflOdiELNnARRlwvjmNtR |