analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

11471833606.xls

Full analysis: https://app.any.run/tasks/795f2809-9208-40b6-9088-138e4088f15e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 04:39:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
trojan
loader
qbot
maldoc-42
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Sep 29 12:34:32 2020, Security: 0
MD5:

92B5663063549A19FF99E7160DD8D615

SHA1:

3213B0B025178BCDCCF00F20CDC2B873DB72B2F6

SHA256:

69C6FA802F3FD0613F913682CC953D73C1BADB79CE2C073AB5E54EC8339EAE02

SSDEEP:

1536:z/7uDphYHceXVhca+fMHLtyeGxcl8/dgrD6yzsFWBCKv33O/:z/7uDphYHceXVhca+fMHLtyeGxcl8/dt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Feryrtc.exe (PID: 2280)
      • Feryrtc.exe (PID: 3424)
      • ytfovlym.exe (PID: 3920)
      • ytfovlym.exe (PID: 2548)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 760)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 760)

    • Downloads executable files with a strange extension

      • EXCEL.EXE (PID: 760)

    • Requests a remote executable file from MS Office

      • EXCEL.EXE (PID: 760)

    • QBOT was detected

      • Feryrtc.exe (PID: 2280)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2152)

  • SUSPICIOUS

    • Application launched itself

      • Feryrtc.exe (PID: 2280)
      • ytfovlym.exe (PID: 3920)

    • Executable content was dropped or overwritten

      • Feryrtc.exe (PID: 2280)
      • cmd.exe (PID: 2152)

    • Creates files in the user directory

      • Feryrtc.exe (PID: 2280)

    • Starts CMD.EXE for commands execution

      • Feryrtc.exe (PID: 2280)

    • Starts itself from another location

      • Feryrtc.exe (PID: 2280)

  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 760)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 760)

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 760)

    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 2152)

    • Manual execution by user

      • explorer.exe (PID: 3660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: -
LastModifiedBy: -
Software: Microsoft Excel
CreateDate: 2006:09:16 00:00:00
ModifyDate: 2020:09:29 11:34:32
Security: None
CodePage: Windows Cyrillic
AppVersion: 14
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • DocuSign®
  • Лист1
  • Лист2
  • Лист3
HeadingPairs:
  • Листы
  • 3
  • Макросы Excel 4.0
  • 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
9
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start excel.exe #QBOT feryrtc.exe feryrtc.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
760"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2280"C:\Asuses\gramyuta\Feryrtc.exe" C:\Asuses\gramyuta\Feryrtc.exe
EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3424C:\Asuses\gramyuta\Feryrtc.exe /CC:\Asuses\gramyuta\Feryrtc.exeFeryrtc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3920C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeFeryrtc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2152"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Asuses\gramyuta\Feryrtc.exe"C:\Windows\System32\cmd.exe
Feryrtc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
184ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2548C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3660"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1508C:\Windows\explorer.exeC:\Windows\explorer.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
805
Read events
745
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
3
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
760EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR7734.tmp.cvr
MD5:
SHA256:
2280Feryrtc.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:AFD9E32FA01300A6A1DF16E3420DEBEC
SHA256:35C8FEA27BE0BAD3D719B786EA8B62425A184DA884FC8BAEC258E7F697E1BDFB
760EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\11471833606.xls.LNKlnk
MD5:2E412A6E7EE29F9609D237A56ACF0D7F
SHA256:5FD7AACA048C9A49731F155F93E2778A64A9D0E85DCC5798D42503FD7BE66F01
760EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:ECEA25F13D652B22F445A716D1AAB377
SHA256:6EFEE4F2F6F1CA7A2AAEE87E3430A5AC395246FB34453B8D2948B746AC06879C
1508explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:9A025604037299F1F1C77033DCE1FFCD
SHA256:EBF981F8786387A816E45DA42A9C577F84989A24A955572069949D8057A72F11
2280Feryrtc.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:1B1585263E9B2732EE1C657EA84EA156
SHA256:19DB02A9C510910B321E1026F881C2045690836EFFF122A8EC14530F45E3A81B
760EXCEL.EXEC:\Asuses\gramyuta\Feryrtc.exeexecutable
MD5:1B1585263E9B2732EE1C657EA84EA156
SHA256:19DB02A9C510910B321E1026F881C2045690836EFFF122A8EC14530F45E3A81B
760EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\88888[1].pngexecutable
MD5:1B1585263E9B2732EE1C657EA84EA156
SHA256:19DB02A9C510910B321E1026F881C2045690836EFFF122A8EC14530F45E3A81B
2152cmd.exeC:\Asuses\gramyuta\Feryrtc.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
760
EXCEL.EXE
GET
200
192.157.208.246:80
http://www.himypets.com/tackzmj/88888.png
US
executable
4.00 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
760
EXCEL.EXE
192.157.208.246:80
www.himypets.com
Enzu Inc
US
malicious

DNS requests

Domain
IP
Reputation
www.himypets.com
  • 192.157.208.246
malicious

Threats

PID
Process
Class
Message
760
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
760
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
760
EXCEL.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
760
EXCEL.EXE
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
760
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
760
EXCEL.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
11471833606.xls