| Field | Value |
|---|---|
| File name | APT28DropperExcelDoc.xls |
| Full analysis | https://app.any.run/tasks/2ce365f7-0439-4d7c-806c-3fed3bdc6758 |
| Verdict | Malicious activity |
| Analysis date | December 06, 2018, 08:39:57 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.ms-excel |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: userr, Last Saved By: Windows, Name of Creating Application: Microsoft Excel, Last Printed: Sun Dec 4 23:48:47 2016, Create Time/Date: Wed Oct 19 23:49:03 2016, Last Saved Time/Date: Sun Jul 8 19:08:38 2018, Security: 0 |
| MD5 | 5DEBB3535CBA6615526C64E44D0F5E2B |
| SHA1 | ABAA744D9504C7F23A237F8220AC6A441016D518 |
| SHA256 | 5BAC7A020F173D6C35F73D76CD3745A36564DBB3DD32F2D5FC5021C353E76A54 |
| SSDEEP | 12288:/bkdb1vJu/xtIIcnIE9A3HfOoV+4qF2KhaLZA6H/EHagqNC9:TkdbVJupvSmHfOoaF2KhaLZTx89 |
| Extension | Detected file type (TrID) | Match (%) |
|---|---|---|
| .doc | Microsoft Word document | 28.1 |
| .xls | Microsoft Excel sheet | 26.4 |
| .xls | Microsoft Excel sheet (alternate) | 21.5 |
| .doc | Microsoft Word document (old ver.) | 16.7 |
| Property | Value |
|---|---|
| CompObjUserType | Hoja de calculo de Microsoft Excel 2003 (Spanish: "Microsoft Excel 2003 worksheet") |
| CompObjUserTypeLen | 40 |
| HeadingPairs | |
| TitleOfParts | Sheet1 |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 15 |
| Company | - |
| CodePage | Unicode (UTF-8) |
| Security | None |
| ModifyDate | 2018:07:08 18:08:38 |
| CreateDate | 2016:10:19 22:49:03 |
| LastPrinted | 2016:12:04 23:48:47 |
| Software | Microsoft Excel |
| LastModifiedBy | Пользователь Windows (Russian: "Windows User") |
| Author | userr |
| CharCountWithSpaces | 123 |
| Paragraphs | 1 |
| Lines | 1 |
| Characters | 106 |
| Words | 18 |
| Pages | 1 |
| TotalEditTime | - |
| RevisionNumber | 1 |
| Template | Normal |
| Keywords | - |
| Subject | - |
| Title | - |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2904 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000 | | | |
| 3276 | certutil -decode C:\Users\admin\AppData\Roaming\Microsoft\AddIns\T1U3H6N7.txt C:\Users\admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe | C:\Windows\system32\certutil.exe | — | EXCEL.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: CertUtil.exe; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 2604 | C:\Users\admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe | C:\Users\admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe | — | EXCEL.EXE |
| | User: admin; Company: Simon Tatham; Integrity Level: MEDIUM; Description: SSH, Telnet and Rlogin client; Exit code: 0; Version: Release 0.67 | | | |
| 2452 | certutil -decode C:\Users\admin\AppData\Roaming\Microsoft\AddIns\P1T5J9B8.txt C:\Users\admin\AppData\Roaming\Microsoft\AddIns\V8H3Q6H5.exe | C:\Windows\system32\certutil.exe | — | EXCEL.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: CertUtil.exe; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 3884 | C:\Users\admin\AppData\Roaming\Microsoft\AddIns\V8H3Q6H5.exe | C:\Users\admin\AppData\Roaming\Microsoft\AddIns\V8H3Q6H5.exe | — | EXCEL.EXE |
| | User: admin; Company: Simon Tatham; Integrity Level: MEDIUM; Description: SSH, Telnet and Rlogin client; Exit code: 0; Version: Release 0.67 | | | |
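The process tree above is the part of this report a detection engineer cares about: Excel (PID 2904) spawns certutil.exe with -decode to turn a dropped .txt under %APPDATA%\Microsoft\AddIns into an .exe in the same folder, then launches that .exe itself. The Python below is an added example, not part of the ANY.RUN report and not any product's detection logic; the Proc records are constructed from the process table above, and the field names, rule names and the OFFICE_APPS list are this example's own assumptions. It applies two rules (Office parent running certutil with a decode/download switch; Office parent launching an .exe under the user profile) and then links each certutil output path to the process that later executed it.

```python
"""Detect the Office -> certutil -decode -> dropped EXE chain from process events.

Added example, not part of the ANY.RUN report. The Proc records below are
constructed from the report's process table; field names, rule names and the
OFFICE_APPS list are this example's own assumptions.
"""
import shlex
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# certutil switches that turn it into a file decoder/downloader rather than a cert tool
CERTUTIL_SUSPECT = {"-decode", "-decodehex", "-encode", "-urlcache"}


@dataclass
class Proc:
    pid: int
    image: str    # full path of the executable, as logged
    cmd: str      # command line, as logged
    parent: str   # parent image name, as logged by the sandbox


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv(cmd: str) -> list:
    """Windows-style split: keep quoted paths whole, then drop the quotes."""
    return [t.strip('"') for t in shlex.split(cmd, posix=False)]


def certutil_decode_by_office(p: Proc):
    """Rule 1: an Office process runs certutil with a decode/download switch."""
    if basename(p.image) != "certutil.exe" or basename(p.parent) not in OFFICE_APPS:
        return None
    args = argv(p.cmd)[1:]
    switches = {"-" + a.lstrip("-/").lower() for a in args if a[:1] in ("-", "/")}
    if not switches & CERTUTIL_SUSPECT:
        return None
    paths = [a for a in args if a[:1] not in ("-", "/")]
    # for -decode the positional order is <input file> <output file>
    return {"pid": p.pid, "switches": sorted(switches),
            "src": paths[0] if paths else None,
            "dst": paths[1] if len(paths) > 1 else None}


def exe_under_appdata_by_office(p: Proc):
    """Rule 2: an Office process launches an .exe living under the user profile."""
    img = p.image.lower()
    if basename(p.parent) in OFFICE_APPS and "\\appdata\\" in img and img.endswith(".exe"):
        return {"pid": p.pid, "image": p.image}
    return None


def find_chains(events):
    """Link each certutil -decode output path to the process that later ran it."""
    decodes = [d for d in map(certutil_decode_by_office, events) if d and d["dst"]]
    by_dst = {d["dst"].lower(): d for d in decodes}
    chains = []
    for p in events:
        d = by_dst.get(p.image.lower())
        if d:
            chains.append({"decoder_pid": d["pid"], "payload": p.image,
                           "exec_pid": p.pid, "exec_parent": p.parent})
    return chains


ADDINS = r"C:\Users\admin\AppData\Roaming\Microsoft\AddIns"
EVENTS = [  # constructed from the report's process table
    Proc(2904, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde', "explorer.exe"),
    Proc(3276, r"C:\Windows\system32\certutil.exe",
         rf"certutil -decode {ADDINS}\T1U3H6N7.txt {ADDINS}\Z4U8K1S8.exe", "EXCEL.EXE"),
    Proc(2604, rf"{ADDINS}\Z4U8K1S8.exe", rf"{ADDINS}\Z4U8K1S8.exe", "EXCEL.EXE"),
    Proc(2452, r"C:\Windows\system32\certutil.exe",
         rf"certutil -decode {ADDINS}\P1T5J9B8.txt {ADDINS}\V8H3Q6H5.exe", "EXCEL.EXE"),
    Proc(3884, rf"{ADDINS}\V8H3Q6H5.exe", rf"{ADDINS}\V8H3Q6H5.exe", "EXCEL.EXE"),
]

if __name__ == "__main__":
    for p in EVENTS:
        for rule in (certutil_decode_by_office, exe_under_appdata_by_office):
            hit = rule(p)
            if hit:
                print(f"{rule.__name__}: {hit}")
    for c in find_chains(EVENTS):
        print("chain:", c)
```

Run against the constructed events, rule 1 fires on PIDs 3276 and 2452, rule 2 on PIDs 2604 and 3884, and find_chains pairs 3276 with 2604 and 2452 with 3884. The "/dde" on the Excel command line is how Explorer launches Office on a double-click and is not by itself a signal; the Office-parent plus certutil-decode pairing is.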
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 2904 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | write | er> | 65723E00580B0000010000000000000000000000 |
| 2904 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off |
| 2904 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | On |
| 2904 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | write | MTTT | 580B000036A0F94B3F8DD40100000000 |
| 2904 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | delete value | er> | 65723E00580B0000010000000000000000000000 |
| 2904 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | delete key | | |
| 2904 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency | delete key | | |
| 2904 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
| 2904 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
| 2904 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\139B2B | write | 139B2B | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2904 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR96C5.tmp.cvr | — | — | — |
| 2904 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF1C55BA841A7D6C5D.TMP | — | — | — |
| 2904 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF585F6F5ED3DDF0C5.TMP | — | — | — |
| 2904 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\688A5B60.emf | emf | DEC597ECC19741FF34128A06737DDA59 | 8999BF672ABC83D9E1975B6DF0F72FE9C262E2AFD3F04C630202F355D9E32805 |
| 2904 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3700F81B.emf | emf | 01C9488F9742C4A24868B7A7223BBF5A | 3BEA8295B1F6464EA417CFA969D24FDE876C33C665CE100F100FF760FC7F593C |
| 2904 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\APT28DropperExcelDoc.xls | document | A2670AC315408FB0808E01244D38FD20 | D3B1FFCF25957A1F477D964D923B6FEBAAF3A5E2D37D2E18A1E831051D80AC87 |
| 2904 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\AddIns\P1T5J9B8.txt | text | 1B330A7F7CC348CE408C10B64C79A5E8 | 4E77C794CCD2CB3A0139CE07F70E170B15BC1E618AC6959797CEC889048B5005 |
| 2904 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\AddIns\T1U3H6N7.txt | text | 1B330A7F7CC348CE408C10B64C79A5E8 | 4E77C794CCD2CB3A0139CE07F70E170B15BC1E618AC6959797CEC889048B5005 |
| 3276 | certutil.exe | C:\Users\admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe | executable | BA78410702F0CC8453DA1AFBB2A8B670 | 9F9E74241D59ECCFE7040BFDCBBCEACB374EDA397CC53A4197B59E4F6F380A91 |
| 2452 | certutil.exe | C:\Users\admin\AppData\Roaming\Microsoft\AddIns\V8H3Q6H5.exe | executable | BA78410702F0CC8453DA1AFBB2A8B670 | 9F9E74241D59ECCFE7040BFDCBBCEACB374EDA397CC53A4197B59E4F6F380A91 |
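The two dropped .txt files carry one and the same hash, and so do the two decoded .exe files, so the document wrote a single Base64 payload twice and certutil produced the same binary twice (a PuTTY 0.67 build, going by the version resource in the process table). When only the .txt artifact is recovered from a host, an analyst wants the binary and its hash without running certutil. The Python below is an added example, not from the ANY.RUN report: it strips the optional -----BEGIN/END CERTIFICATE----- wrapper that certutil -encode emits, Base64-decodes the body, checks for an MZ header with a PE signature at e_lfanew, and hashes the result. The sample input is a constructed stand-in image, not the report's payload, so the hashes it yields are not the ones in the files table above.

```python
"""Recover and fingerprint a certutil -decode payload from the dropped .txt.

Added example, not part of the ANY.RUN report. The sample image below is a
constructed stand-in, not the report's payload, so its hashes are not the ones
listed in the files table.
"""
import base64
import hashlib
import re
import struct

PEM_LINE = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")


def decode_certutil_text(text: str) -> bytes:
    """Return the bytes certutil -decode would write for this text.

    certutil -encode wraps its output in -----BEGIN/END CERTIFICATE----- lines
    at 64 characters per line; this decoder also accepts bare Base64 and
    ignores line endings and stray whitespace.
    """
    lines = (ln.strip() for ln in text.splitlines())
    body = "".join(ln for ln in lines if ln and not PEM_LINE.match(ln))
    return base64.b64decode(body, validate=True)


def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE check: 'MZ' at offset 0 and the 'PE' signature at e_lfanew (offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def fingerprint(blob: bytes) -> dict:
    """Size, PE sanity and upper-case hex digests in the same form the report uses."""
    return {"size": len(blob), "is_pe": looks_like_pe(blob),
            "md5": hashlib.md5(blob).hexdigest().upper(),
            "sha256": hashlib.sha256(blob).hexdigest().upper()}


def certutil_encode(blob: bytes) -> str:
    """Produce the wrapped Base64 form certutil -encode writes (used to build the sample)."""
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\r\n{body}\r\n-----END CERTIFICATE-----\r\n"


# Constructed stand-in for an executable image: a DOS header pointing at a PE signature.
SAMPLE_PE = bytearray(0x80)
SAMPLE_PE[:2] = b"MZ"
struct.pack_into("<I", SAMPLE_PE, 0x3C, 0x40)   # e_lfanew -> 0x40
SAMPLE_PE[0x40:0x44] = b"PE\0\0"
SAMPLE_PE = bytes(SAMPLE_PE)

# Two text forms of the same payload, as the two dropped .txt files might appear on disk.
WRAPPED_TXT = certutil_encode(SAMPLE_PE)
BARE_TXT = "\n".join(ln for ln in WRAPPED_TXT.splitlines() if not ln.startswith("-----")) + "\n"

if __name__ == "__main__":
    for name, txt in (("wrapped", WRAPPED_TXT), ("bare", BARE_TXT)):
        print(name, fingerprint(decode_certutil_text(txt)))
```

On a real case, read the recovered T1U3H6N7.txt or P1T5J9B8.txt into decode_certutil_text and compare fingerprint()["sha256"] against the .exe hash the sandbox recorded; a match confirms the .txt is the complete payload and that certutil added nothing. Both text forms here decode to byte-identical output, which is what the matching hashes of the two .exe files in the table reflect.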