analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

inv_762128.xls

Full analysis: https://app.any.run/tasks/0663ade1-a588-45da-9fcc-5b9b2ba1e4fd
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: March 30, 2020, 17:42:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
emotet-doc
emotet
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Mar 19 13:21:36 2020, Last Saved Time/Date: Mon Mar 30 15:13:48 2020, Security: 0
MD5:

DA30DDD7C16B984020111DABDC28BDDF

SHA1:

9BBF0E4C6CA350C5B7CAA231EDF1149CAD18C8E3

SHA256:

49BF6A841DF59C52E540E5EEE434EBD27C97077EF320F261B53150ECFA5BF45A

SSDEEP:

1536:zZk3hbdlylKsgqopeJBWhZFGkE+cL2NdA4VSEGBCCwfQjpDoXb1zkaKrvgexmR:zZk3hbdlylKsgqopeJBWhZFGkE+cL2Nr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2892)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2892)
    • Application was dropped or rewritten from another process

      • guctfjK.exe (PID: 1440)
  • SUSPICIOUS

    • Unusual connect from Microsoft Office

      • EXCEL.EXE (PID: 2892)
  • INFO

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 2892)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: -
LastModifiedBy: -
Software: Microsoft Excel
CreateDate: 2020:03:19 13:21:36
ModifyDate: 2020:03:30 14:13:48
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Sheet1
HeadingPairs:
  • Worksheets
  • 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start excel.exe guctfjk.exe

Process information

PID
CMD
Path
Indicators
Parent process
2892"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
1440"C:\FzoJzqE\PxwkWxU\guctfjK.exe" C:\FzoJzqE\PxwkWxU\guctfjK.exe
EXCEL.EXE
User:
admin
Company:
Sun Microsystems, Inc.
Integrity Level:
MEDIUM
Description:
Java(TM) 2 Platform Standard Edition binary
Version:
8.5.27.0
Total events
591
Read events
533
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2892EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR78F1.tmp.cvr
MD5:
SHA256:
2892EXCEL.EXEC:\FzoJzqE\PxwkWxU\guctfjK.exeexecutable
MD5:4A39499D8D6A9DE811494BB93D7C0907
SHA256:0F94E9B2A544D51C3158DCC94892E7C29C08D9CC24601F9FA745E648AFD34A63
2892EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\apol[1].exeexecutable
MD5:4A39499D8D6A9DE811494BB93D7C0907
SHA256:0F94E9B2A544D51C3158DCC94892E7C29C08D9CC24601F9FA745E648AFD34A63
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2892
EXCEL.EXE
161.117.235.193:80
arcoqa.com
SG
suspicious

DNS requests

Domain
IP
Reputation
arcoqa.com
  • 161.117.235.193
suspicious

Threats

PID
Process
Class
Message
2892
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
guctfjK.exe
sPGtTDwhOhcMVEyYQFQQkHvdJznbxq
guctfjK.exe
GLENILkMRRFwsIdgMcwxtTkVNTyeGNHfvrHcdNmNSaQOVrKgxXpxvneabmaepoMUGB
guctfjK.exe
iDXrdWbRMuzMnoaBepXLJFvaSTtnXEEoKUSTLhrVQjHzVZKPENteKds
guctfjK.exe
AThpIzUtwrRgVhACiMdocswMPtJUkDdlcfcrclWApDTN
guctfjK.exe
zMBgujxDairqmmHGTfLIBmIGVtXBYnmQGdVWKrnDYtPqibWKLuzchQqEXBvCMiqibkip
guctfjK.exe
VfpdwQvoOglfKIQHelNVQnhgsTkRfaemwUXsYtHpjEfojDSQikUIIvXGQCaAg
guctfjK.exe
HohZZGJYfzPzgzstvdZQyWzhTsnpsrZEYcvVdvhfqNZRSQyOzXXhZDxcNWinulYSqQTAFONYvNj
guctfjK.exe
SVMAXGmovOKXgvqwRXuhLIYhgGl
guctfjK.exe
damrocqlgIEFvBNdQijohEWlTkoGAUdaHsoUegLqKbTtJygPORaHqBfp
guctfjK.exe
SYeRRhnoGKruvWoZWkTrXwYSWEvjFYAayZISOwMpaJiyEMrHbUGKuEjflOdiELNnARRlwvjmNtR