analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Doc-11722.xls

Full analysis: https://app.any.run/tasks/2c6e7d60-5fbe-4fd8-b14d-0ca648a8c7d3
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: January 18, 2020, 10:05:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
ta505
trojan
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Windows User, Last Saved By: Windows User, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Jun 22 13:23:57 2019, Last Saved Time/Date: Mon Jan 6 11:38:30 2020, Security: 0
MD5:

AF715B8A907364542573A6DD7A5F18EB

SHA1:

5818AD784254E19B93C8470FE2899BA8DFF63B84

SHA256:

65DD73A855E28D6CE4AE9EFEA1BFB616856B47E83D906D5AA43F0900A5D77B08

SSDEEP:

6144:dk3hOdsylKlgryzc4bNhZF+E+W2knA8Vr1nQ133RWQGYEBm:gVZQ133RRGxBm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • EXCEL.EXE (PID: 4032)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 4032)

    • Connects to CnC server

      • EXCEL.EXE (PID: 4032)

    • Application was dropped or rewritten from another process

      • etis.exe (PID: 3420)
      • etis.exe (PID: 688)

  • SUSPICIOUS

    • Creates files in the Windows directory

      • EXCEL.EXE (PID: 4032)

    • Creates files in the user directory

      • notepad++.exe (PID: 2456)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 4032)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 4032)

    • Manual execution by user

      • etis.exe (PID: 688)
      • cmd.exe (PID: 3772)
      • notepad++.exe (PID: 2456)
      • explorer.exe (PID: 2476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

Author: Windows User
LastModifiedBy: Windows User
Software: Microsoft Excel
CreateDate: 2019:06:22 12:23:57
ModifyDate: 2020:01:06 11:38:30
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Sheet1
HeadingPairs:
  • Worksheets
  • 1
CompObjUserTypeLen: 31
CompObjUserType: Microsoft Excel 2003 Worksheet
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe explorer.exe no specs etis.exe cmd.exe no specs etis.exe no specs notepad++.exe gup.exe

Process information

PID
CMD
Path
Indicators
Parent process
4032"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2476"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
688"C:\Windows\System32\spool\drivers\color\etis.exe" C:\Windows\System32\spool\drivers\color\etis.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3772"C:\Windows\system32\cmd.exe" C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3420C:\Windows\System32\spool\drivers\color\etis.exe /E:vbs C:\Windows\System32\spool\drivers\color\zldgfavzC:\Windows\System32\spool\drivers\color\etis.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
2456"C:\Program Files\Notepad++\notepad++.exe" "C:\Windows\System32\spool\drivers\color\zldgfavz"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Version:
7.51
2040"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
0
Version:
4.1
Total events
844
Read events
695
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
5
Unknown types
3

Dropped files

PID
Process
Filename
Type
4032EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRDD9E.tmp.cvr
MD5:
SHA256:
4032EXCEL.EXEC:\Users\admin\AppData\Local\Temp\Excel8.0\MSForms.exdtlb
MD5:A0456CF0C181740AD00EB990C49D10D8
SHA256:E55CB2BF4B7D9F3D394505A4D70B60EDAA817DB04D0CBCA94391A9D4D98F8C88
4032EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42C834B4.emfemf
MD5:F5838C10301603C67F6E04BCB21A8A14
SHA256:9FB7EDCDD747988CCAA78C1A26D3BDC632B68606029215B535542A68623A23A0
4032EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ECCE15BF.emfemf
MD5:59C45B1D5037D93024F67C8034057300
SHA256:8406824D64CA5F8D01D520E100953892535F8214446347B6EB4CEC8E2F584B52
4032EXCEL.EXEC:\Windows\System32\spool\drivers\color\zldgfavztext
MD5:7B6025A8C007FE3268C095B07CC3625F
SHA256:950F2DF4B3AA3CAB48DEFBF6A8416B9CF8C16EBC8C10551FEDF605D5766E8C14
2456notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\stylers.xmlxml
MD5:44982E1D48434C0AB3E8277E322DD1E4
SHA256:3E661D3F1FF3977B022A0ACC26B840B5E57D600BC03DCFC6BEFDB408C665904C
2456notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\langs.xmlxml
MD5:E792264BEC29005B9044A435FBA185AB
SHA256:5298FD2F119C43D04F6CF831F379EC25B4156192278E40E458EC356F9B49D624
2456notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.initext
MD5:F70F579156C93B097E656CABA577A5C9
SHA256:B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4
2456notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xmltext
MD5:AD21A64014891793DD9B21D835278F36
SHA256:C24699C9D00ABDD510140FE1B2ACE97BFC70D8B21BF3462DED85AFC4F73FE52F
4032EXCEL.EXEC:\Windows\System32\spool\drivers\color\etis.exeexecutable
MD5:D1AB72DB2BEDD2F255D35DA3DA0D4B16
SHA256:047F3C5A7AB0EA05F35B2CA8037BF62DD4228786D07707064DBD0D46569305D0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAxHWpoyfQpCuYL7zNoKQA4%3D
US
der
280 b
whitelisted
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4032
EXCEL.EXE
95.215.225.28:80
foura.biz
M247 Ltd
GB
malicious
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2040
gup.exe
104.31.88.28:443
notepad-plus-plus.org
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
foura.biz
  • 95.215.225.28
whitelisted
notepad-plus-plus.org
  • 104.31.88.28
  • 104.31.89.28
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
4032
EXCEL.EXE
A Network Trojan was detected
ET TROJAN MuddyWater Payload - CnC Checkin
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Doc-11722.xls