analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

2022-06-24_1024.xls

Full analysis: https://app.any.run/tasks/5289ea66-350f-4942-bada-87fbe9f1e195
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 27, 2022, 08:57:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
loader
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: SRGHRSHSH, Last Saved By: RGSGK, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Thu Jun 23 21:59:22 2022, Security: 0
MD5:

2E56A25834FD246CA874492AB59BBBC7

SHA1:

331837E06119212D64C6CF7356F0555B516D34A9

SHA256:

61B5B1788CECD68F9AF5C5C08808271CAE7EDB7D29D85D393E4653A94A7C02C2

SSDEEP:

1536:m9Kpb8rGYrMPe3q7Q0XV5xtezEsi8/dgHWV7KRzCS3x9vFhVG1xbCVQa:eKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2060)

    • Registers / Runs the DLL via REGSVR32.EXE

      • EXCEL.EXE (PID: 2060)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2060)

    • Drops executable file immediately after starts

      • EXCEL.EXE (PID: 2060)

  • SUSPICIOUS

    • Drops a file with a compile date too recent

      • EXCEL.EXE (PID: 2060)

  • INFO

    • Reads the computer name

      • EXCEL.EXE (PID: 2060)

    • Reads settings of System Certificates

      • EXCEL.EXE (PID: 2060)

    • Checks supported languages

      • EXCEL.EXE (PID: 2060)
      • regsvr32.exe (PID: 3756)
      • regsvr32.exe (PID: 3488)
      • regsvr32.exe (PID: 1184)

    • Checks Windows Trust Settings

      • EXCEL.EXE (PID: 2060)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 2060)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

HeadingPairs:
  • Листы
  • 6
  • Макросы Excel 4.0
  • 1
TitleOfParts:
  • Sheet
  • KBSNTND
  • Vv
  • ORHINSNR
  • THJD
  • SGGSBe
  • KBRSBTL
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Cyrillic
Security: None
ModifyDate: 2022:06:23 20:59:22
CreateDate: 2015:06:05 18:19:34
Software: Microsoft Excel
LastModifiedBy: RGSGK
Author: SRGHRSHSH
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2060"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3756C:\Windows\System32\regsvr32.exe /S ..\hso1.ocxC:\Windows\System32\regsvr32.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3488C:\Windows\System32\regsvr32.exe /S ..\hso2.ocxC:\Windows\System32\regsvr32.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1184C:\Windows\System32\regsvr32.exe /S ..\hso3.ocxC:\Windows\System32\regsvr32.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
7 057
Read events
6 970
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
7
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
2060EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR4681.tmp.cvr
MD5:
SHA256:
2060EXCEL.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:D376DD170C3BE4A9A29173E4D92A0E37
SHA256:D511CA6E8E54343CBDCBBC302053D498A3B26E12D2068BFF3D14F8363B9E144F
2060EXCEL.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72AC05552D3FF6B8AF566551D2256860binary
MD5:0E18901D3374C8AB35F484225C6830DA
SHA256:7753937EB013743DD41CED50ED072BB947C045BED362FB094D5EA8B4DD1E360D
2060EXCEL.EXEC:\Users\admin\AppData\Local\Temp\Cab5B23.tmpcompressed
MD5:308336E7F515478969B24C13DED11EDE
SHA256:889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9
2060EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\K6EAM5KG.txttext
MD5:A07D12FA768C2EDF546F8473387097CE
SHA256:152EFF6E63C64E351117F05F53B4828F3A78DC57162C698896D9B2CAC5B4F8E7
2060EXCEL.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72AC05552D3FF6B8AF566551D2256860der
MD5:92A147117401A97D54BE3075B49BF970
SHA256:992FBE6DF117BA369E17EC0A49755EE4809D3C531B68280D61DAD463D9DC56A8
2060EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\GWJMYDGM.txttext
MD5:C36200CB3B17FE72522A4C75B70DDD5D
SHA256:5C526B5701509CE1E31F7B0526F3103393A742AB9CB717363099D6A89BCE8C6B
2060EXCEL.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:B0B679C9BAD60ACC1C0020FC83CFB5BA
SHA256:C4D824FF8DDA7A2A0C581CCAF0E7E458A75EE2083708A532E21FCEC44C94CCD9
2060EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\4MQpg5y3GNUk[1].dllexecutable
MD5:25EA9824212795CE72687B5BBD118642
SHA256:B1455F8EF9F8F65FD35FC81C87E287FF7C06B978B76DBCE7CDC5B9626649BB0C
2060EXCEL.EXEC:\Users\admin\hso2.ocxexecutable
MD5:25EA9824212795CE72687B5BBD118642
SHA256:B1455F8EF9F8F65FD35FC81C87E287FF7C06B978B76DBCE7CDC5B9626649BB0C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
10
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2060
EXCEL.EXE
GET
202.29.82.3:80
http://eportfolio-bizcom.msci.dusit.ac.th/e_port/AYB2aG2/
TH
suspicious
2060
EXCEL.EXE
GET
200
58.97.58.49:80
http://document.vpservice-online.com/img/cPPHgfsrA/
TH
executable
669 Kb
suspicious
2060
EXCEL.EXE
GET
200
92.123.195.35:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgOGt%2FC6kE4SXGZ48Xm7UOlo%2FA%3D%3D
unknown
der
503 b
shared
2060
EXCEL.EXE
GET
200
23.45.105.185:80
http://x1.c.lencr.org/
NL
der
717 b
whitelisted
2060
EXCEL.EXE
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d13800c11d524caf
US
compressed
60.0 Kb
whitelisted
2060
EXCEL.EXE
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f9d00665ef9cc5e4
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2060
EXCEL.EXE
23.45.105.185:80
x1.c.lencr.org
Akamai International B.V.
NL
unknown
2060
EXCEL.EXE
209.197.3.8:80
ctldl.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
2060
EXCEL.EXE
94.231.103.111:443
dodsbo-hjelpen.dk
Zitcom A/S
DK
unknown
2060
EXCEL.EXE
31.15.10.16:443
domyzizka.cz
ACTIVE 24
CZ
unknown
2060
EXCEL.EXE
58.97.58.49:80
document.vpservice-online.com
TRUE INTERNET Co.,Ltd.
TH
suspicious
2060
EXCEL.EXE
202.29.82.3:80
eportfolio-bizcom.msci.dusit.ac.th
Suan Dusit University
TH
suspicious
2060
EXCEL.EXE
92.123.195.35:80
r3.o.lencr.org
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
dodsbo-hjelpen.dk
  • 94.231.103.111
unknown
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
x1.c.lencr.org
  • 23.45.105.185
whitelisted
r3.o.lencr.org
  • 92.123.195.35
  • 92.123.195.28
shared
document.vpservice-online.com
  • 58.97.58.49
suspicious
domyzizka.cz
  • 31.15.10.16
unknown
eportfolio-bizcom.msci.dusit.ac.th
  • 202.29.82.3
suspicious

Threats

PID
Process
Class
Message
2060
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2060
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2060
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
2060
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2060
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2060
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2022-06-24_1024.xls