Field | Value |
---|---|
File name: | APT28DropperExcelDoc.xls |
Full analysis: | https://app.any.run/tasks/e36170c7-160e-4daf-b6cc-0eae22280443 |
Verdict: | Malicious activity |
Analysis date: | January 11, 2019, 10:36:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: userr, Last Saved By: Windows, Name of Creating Application: Microsoft Excel, Last Printed: Sun Dec 4 23:48:47 2016, Create Time/Date: Wed Oct 19 23:49:03 2016, Last Saved Time/Date: Sun Jul 8 19:08:38 2018, Security: 0 |
MD5: | 5DEBB3535CBA6615526C64E44D0F5E2B |
SHA1: | ABAA744D9504C7F23A237F8220AC6A441016D518 |
SHA256: | 5BAC7A020F173D6C35F73D76CD3745A36564DBB3DD32F2D5FC5021C353E76A54 |
SSDEEP: | 12288:/bkdb1vJu/xtIIcnIE9A3HfOoV+4qF2KhaLZA6H/EHagqNC9:TkdbVJupvSmHfOoaF2KhaLZTx89 |
Extension | TrID identification (match) |
---|---|
.doc | Microsoft Word document (28.1) |
.xls | Microsoft Excel sheet (26.4) |
.xls | Microsoft Excel sheet (alternate) (21.5) |
.doc | Microsoft Word document (old ver.) (16.7) |
Property | Value |
---|---|
CompObjUserType: | Hoja de calculo de Microsoft Excel 2003 |
CompObjUserTypeLen: | 40 |
HeadingPairs: | |
TitleOfParts: | Sheet1 |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 15 |
Company: | - |
CodePage: | Unicode (UTF-8) |
Security: | None |
ModifyDate: | 2018:07:08 18:08:38 |
CreateDate: | 2016:10:19 22:49:03 |
LastPrinted: | 2016:12:04 23:48:47 |
Software: | Microsoft Excel |
LastModifiedBy: | Пользователь Windows |
Author: | userr |
CharCountWithSpaces: | 123 |
Paragraphs: | 1 |
Lines: | 1 |
Characters: | 106 |
Words: | 18 |
Pages: | 1 |
TotalEditTime: | - |
RevisionNumber: | 1 |
Template: | Normal |
Keywords: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
3000 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 0 | 14.0.6024.1000 |
3500 | certutil -decode C:\Users\admin\AppData\Roaming\Microsoft\AddIns\T1U3H6N7.txt C:\Users\admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe | C:\Windows\system32\certutil.exe | — | EXCEL.EXE | admin | Microsoft Corporation | MEDIUM | CertUtil.exe | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
2920 | C:\Users\admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe | C:\Users\admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe | — | EXCEL.EXE | admin | Simon Tatham | MEDIUM | SSH, Telnet and Rlogin client | 0 | Release 0.67 |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
3000 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | write | hh% | 68682500B80B0000010000000000000000000000 |
3000 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off |
3000 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | On |
3000 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | write | MTTT | B80B000048285D9699A9D40100000000 |
3000 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | delete value | hh% | 68682500B80B0000010000000000000000000000 |
3000 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | delete key | | |
3000 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency | delete key | | |
3000 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
3000 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
3000 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\19930F | write | 19930F | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3000 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR8C38.tmp.cvr | — | — | — |
3000 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF8C39CF4968113A83.TMP | — | — | — |
3000 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF23C695791E2D4A0F.TMP | — | — | — |
3000 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\AddIns\T1U3H6N7.txt | text | 1B330A7F7CC348CE408C10B64C79A5E8 | 4E77C794CCD2CB3A0139CE07F70E170B15BC1E618AC6959797CEC889048B5005 |
3000 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\APT28DropperExcelDoc.xls | document | F194526F1AB35167A9CD3F21EACCF7C1 | 793A1B784335A6198EDB2832FE05E916FC10A3D4897804C9B90713479C9AB245 |
3000 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5C9AAAEE.emf | emf | 01C9488F9742C4A24868B7A7223BBF5A | 3BEA8295B1F6464EA417CFA969D24FDE876C33C665CE100F100FF760FC7F593C |
3000 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5338217.emf | emf | DEC597ECC19741FF34128A06737DDA59 | 8999BF672ABC83D9E1975B6DF0F72FE9C262E2AFD3F04C630202F355D9E32805 |
3500 | certutil.exe | C:\Users\admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe | executable | BA78410702F0CC8453DA1AFBB2A8B670 | 9F9E74241D59ECCFE7040BFDCBBCEACB374EDA397CC53A4197B59E4F6F380A91 |