URL: http://www.ssk-avto.ru/downloads/price_infiniti.xls
Full analysis: https://app.any.run/tasks/967044a4-bda2-46e0-8d33-7c4e5d51d593
Verdict: Malicious activity
Analysis date: January 11, 2019, 05:28:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: D01AB59F48C6C4DCA7DC20C30E795F34
SHA1: A6A421E61A19438EA1326E6820E7AC30B2917731
SHA256: 6BA2958E8F68D93B0A19663D0BCCE593B197C1B858B819C1A090617F242D0174
SSDEEP: 3:N1KJS4cRCQKDLJ4K9gaQMW:Cc4csbVOKW

Note: this task was submitted as a URL, and the ssdeep block size of 3 (the minimum) means the hashed input was at most a few hundred bytes, so these values are evidently of a very short object (the submitted URL) and not of the 584 Kb document that iexplore.exe later downloads. File hashes for the document itself are not listed in this summary; take them from the full report before using them as IOCs.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Starts Microsoft Office Application
      • EXCEL.EXE (PID: 3812)
    • Application launched itself
      • EXCEL.EXE (PID: 3812)
    • Unusual connect from Microsoft Office
      • EXCEL.EXE (PID: 3812)
  • INFO
    • Creates files in the user directory
      • iexplore.exe (PID: 3088)
      • iexplore.exe (PID: 2808)
      • EXCEL.EXE (PID: 3812)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3088)
    • Application launched itself
      • iexplore.exe (PID: 2808)
    • Changes internet zones settings
      • iexplore.exe (PID: 2808)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 2120)
      • EXCEL.EXE (PID: 3812)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3088)
More information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix is available in the full report.
Malware configuration: no data.
All screenshots are available in the full report
Total processes: 33
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Interactive in the full report; click a process to see its details.) The graph shows two chains: start → iexplore.exe → iexplore.exe, and excel.exe → excel.exe (no specs).

Process information

PID 2808: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Internet Explorer
  Exit code: 1
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll

PID 3088: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2808 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll

PID 3812: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft Excel
  Version: 14.0.6024.1000
  Modules (images):
    c:\program files\microsoft office\office14\excel.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll

PID 2120: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /Embedding
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Parent process: EXCEL.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: LOW
  Description: Microsoft Excel
  Version: 14.0.6024.1000
  Modules (images):
    c:\program files\microsoft office\office14\excel.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
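The process table shows EXCEL.EXE (PID 3812) started by svchost.exe with the -Embedding switch (the switch the COM service control manager appends when it activates an out-of-process server, so a parent of svchost.exe is consistent with DCOM activation, since the DcomLaunch service runs inside svchost.exe), and then starting a second, LOW-integrity EXCEL.EXE (PID 2120, /Embedding), which is what the "Application launched itself" signature records. The following is an added example, not ANY.RUN's code, of a process-tree triage that encodes those two observations as rules and adds the check an analyst usually wants next, an Office process spawning a shell or script host, which returns nothing for this report's process list. The process records are constructed from the table above; the OFFICE_IMAGES and SHELL_IMAGES lists are assumptions a real deployment would tune.

```python
"""Process-tree triage over records constructed from this report's process
table. Example code added to this page, not ANY.RUN's; the image lists
below are assumptions, not something the report states."""

# Assumed image lists (not from the report).
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Switch that COM appends when it activates an out-of-process server.
COM_ACTIVATION_SWITCHES = {"-embedding", "/embedding"}

# Constructed from the report's process table: pid, image, parent image, command line.
PROCESSES = [
    {"pid": 2808, "image": "iexplore.exe", "parent": "explorer.exe",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe" -nohome'},
    {"pid": 3088, "image": "iexplore.exe", "parent": "iexplore.exe",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2808 CREDAT:71937'},
    {"pid": 3812, "image": "EXCEL.EXE", "parent": "svchost.exe",
     "cmd": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding'},
    {"pid": 2120, "image": "EXCEL.EXE", "parent": "EXCEL.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /Embedding'},
]


def has_com_activation_switch(cmd: str) -> bool:
    """True if the command line carries -Embedding or /Embedding (any case)."""
    return any(tok.lower() in COM_ACTIVATION_SWITCHES for tok in cmd.split())


def triage_processes(procs):
    """Return (rule, pid) findings for the three checks described above."""
    findings = []
    for p in procs:
        image, parent = p["image"].lower(), p["parent"].lower()
        if image in OFFICE_IMAGES:
            # Office started by svchost.exe through COM activation: the shape
            # of a document handed to Office via DCOM rather than double-clicked.
            if parent == "svchost.exe" and has_com_activation_switch(p["cmd"]):
                findings.append(("office_com_activation_from_svchost", p["pid"]))
            # Office starting a second copy of itself
            # (the report's "Application launched itself" signature).
            if parent == image:
                findings.append(("office_launched_itself", p["pid"]))
        # Office spawning a shell or script host: the macro-dropper pattern.
        # Not present in this report's process list.
        if image in SHELL_IMAGES and parent in OFFICE_IMAGES:
            findings.append(("office_spawned_shell", p["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in triage_processes(PROCESSES):
        print(f"{rule}: PID {pid}")
```

Run against the constructed records it reports the COM activation of PID 3812 and the self-launch of PID 2120 and nothing else; appending a cmd.exe record whose parent is EXCEL.EXE is enough to trigger the third rule, which is the one that would have moved this report's verdict from SUSPICIOUS to MALICIOUS.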
Total events: 925
Read events: 809
Write events: 101
Delete events: 15

Modification events

PID 2808 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  CompatibilityFlags = 0
PID 2808 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  UNCAsIntranet = 0
  AutoDetect = 1
PID 2808 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
  SecuritySafe = 1
PID 2808 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  ProxyEnable = 0
PID 2808 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  SavedLegacySettings = 4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
PID 2808 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
  {C4B78BCB-1561-11E9-BAD8-5254004A04AF} = 0
PID 2808 iexplore.exe, write: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  Type = 4
  Count = 3
  Time = E307010005000B0005001C0030003F01
Executable files: 0
Suspicious files: 29
Text files: 8
Unknown types: 4

Dropped files

PID 2808 iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
  Type, MD5, SHA256: not listed
PID 2808 iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type, MD5, SHA256: not listed
PID 3812 EXCEL.EXE: C:\Users\admin\AppData\Local\Temp\CVRAA8E.tmp.cvr
  Type, MD5, SHA256: not listed
PID 3812 EXCEL.EXE: C:\Users\admin\AppData\Local\Temp\{5B4D8155-4384-4C64-9E42-704830924146}
  Type, MD5, SHA256: not listed
PID 3812 EXCEL.EXE: C:\Users\admin\AppData\Local\Temp\{DF17A1FB-6FCC-4FCB-B129-B3827C3AA374}
  Type, MD5, SHA256: not listed
PID 3812 EXCEL.EXE: C:\Users\admin\AppData\Local\Temp\~DF93E1EEBDEB34FECD.TMP
  Type, MD5, SHA256: not listed
PID 3812 EXCEL.EXE: C:\Users\admin\AppData\Local\Temp\~DF1B6971BCE3D2E382.TMP
  Type, MD5, SHA256: not listed
PID 2808 iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DFC797EEFD347C198A.TMP
  Type, MD5, SHA256: not listed
PID 3812 EXCEL.EXE: C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Type: binary
  MD5: A4C2E3636A18A9BAC8ECF04F803CA9DE
  SHA256: 6C6C80719BD6066F54738903D017C3F1AFD0B1B73282F9237EE1A8FB1B80085A
PID 3812 EXCEL.EXE: C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
  Type: binary
  MD5: 92AD269128CF4C03B5C1EAA8008969A2
  SHA256: A041C85EC007AD576062581735E12A83C2008B2732F2BBCB1D0895F6A8C15C94
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 8
DNS requests: 2
Threats: 0

HTTP requests

PID   Process       Method   Code  IP                  URL                                                   CN  Type      Size     Reputation
3812  EXCEL.EXE     HEAD     200   195.208.1.102:80    http://www.ssk-avto.ru/downloads/price_infiniti.xls   RU  -         -        malicious
3812  EXCEL.EXE     OPTIONS  404   195.208.1.102:80    http://www.ssk-avto.ru/downloads/                     RU  html      9.32 Kb  malicious
3812  EXCEL.EXE     OPTIONS  404   195.208.1.102:80    http://www.ssk-avto.ru/downloads/                     RU  html      9.32 Kb  malicious
3812  EXCEL.EXE     OPTIONS  404   195.208.1.102:80    http://www.ssk-avto.ru/downloads/                     RU  html      9.32 Kb  malicious
3812  EXCEL.EXE     HEAD     200   195.208.1.102:80    http://www.ssk-avto.ru/downloads/price_infiniti.xls   RU  -         -        malicious
976   svchost.exe   OPTIONS  -     195.208.1.102:80    http://www.ssk-avto.ru/downloads/                     RU  -         -        malicious
3088  iexplore.exe  GET      200   195.208.1.102:80    http://www.ssk-avto.ru/downloads/price_infiniti.xls   RU  document  584 Kb   malicious
976   svchost.exe   OPTIONS  301   195.208.1.102:80    http://www.ssk-avto.ru/downloads                      RU  html      333 b    malicious
2808  iexplore.exe  GET      200   204.79.197.200:80   http://www.bing.com/favicon.ico                       US  image     237 b    whitelisted

(- = not listed in the report)
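In the table above EXCEL.EXE never downloads the document itself: iexplore.exe (PID 3088) fetches the 584 Kb XLS, while Excel issues HEAD requests for the file and OPTIONS requests for its parent directory, and svchost.exe (PID 976) repeats the OPTIONS probe. HEAD followed by OPTIONS against the containing directory is Office's normal protocol discovery when a document is opened from an HTTP URL, and an OPTIONS from svchost.exe is consistent with the WebClient (WebDAV) service, which is also hosted in svchost.exe; what makes the traffic notable is that the probed host is an external one that the report flags, which is what the "Unusual connect from Microsoft Office" signature records. Below is an added example (not ANY.RUN's code) of turning that into a detection over proxy-log rows: it groups requests by host, reports hosts that an Office process probed outside an allowlist, and lists which other processes touched the same host and which document URLs were requested there. The rows are constructed from the table; OFFICE_IMAGES, PROBE_METHODS and DOC_EXTENSIONS are assumptions.

```python
"""Office-to-external-host probe detection over proxy-log rows constructed
from this report's HTTP table. Example code added to this page, not
ANY.RUN's; the constants below are assumptions, not from the report."""
from collections import defaultdict
from urllib.parse import urlsplit

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Methods Office uses for protocol/WebDAV discovery when a document is
# opened from an http(s) URL, before anything fetches the content.
PROBE_METHODS = {"HEAD", "OPTIONS", "PROPFIND"}
DOC_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".doc", ".docx", ".docm",
                  ".rtf", ".ppt", ".pptx")

# Constructed from the report: (pid, process, method, HTTP code or None, URL).
HTTP_LOG = [
    (3812, "EXCEL.EXE", "HEAD", 200, "http://www.ssk-avto.ru/downloads/price_infiniti.xls"),
    (3812, "EXCEL.EXE", "OPTIONS", 404, "http://www.ssk-avto.ru/downloads/"),
    (3812, "EXCEL.EXE", "OPTIONS", 404, "http://www.ssk-avto.ru/downloads/"),
    (3812, "EXCEL.EXE", "OPTIONS", 404, "http://www.ssk-avto.ru/downloads/"),
    (3812, "EXCEL.EXE", "HEAD", 200, "http://www.ssk-avto.ru/downloads/price_infiniti.xls"),
    (976, "svchost.exe", "OPTIONS", None, "http://www.ssk-avto.ru/downloads/"),
    (3088, "iexplore.exe", "GET", 200, "http://www.ssk-avto.ru/downloads/price_infiniti.xls"),
    (976, "svchost.exe", "OPTIONS", 301, "http://www.ssk-avto.ru/downloads"),
    (2808, "iexplore.exe", "GET", 200, "http://www.bing.com/favicon.ico"),
]


def summarize_office_http(rows, allowlist=frozenset()):
    """Group requests by host and return every host that an Office process
    touched and that is not allowlisted, with what Office did there, the
    status codes its probes got, the document URLs requested on that host by
    anyone, and the other processes that talked to it."""
    by_host = defaultdict(lambda: {
        "office_pids": set(), "office_methods": set(), "probe_count": 0,
        "probe_codes": set(), "document_urls": set(), "other_processes": set(),
    })
    allowed = {a.lower() for a in allowlist}
    for pid, proc, method, code, url in rows:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        entry = by_host[host]
        if parts.path.lower().endswith(DOC_EXTENSIONS):
            entry["document_urls"].add(url)
        if proc.lower() in OFFICE_IMAGES:
            entry["office_pids"].add(pid)
            entry["office_methods"].add(method)
            if method in PROBE_METHODS:
                entry["probe_count"] += 1
                if code is not None:
                    entry["probe_codes"].add(code)
        else:
            entry["other_processes"].add(proc.lower())
    return {h: e for h, e in by_host.items()
            if e["office_pids"] and h not in allowed}


if __name__ == "__main__":
    for host, e in summarize_office_http(HTTP_LOG).items():
        print(host, "office pids", sorted(e["office_pids"]),
              "methods", sorted(e["office_methods"]),
              "probes", e["probe_count"], "codes", sorted(e["probe_codes"]),
              "documents", sorted(e["document_urls"]),
              "also contacted by", sorted(e["other_processes"]))
```

On the constructed rows only www.ssk-avto.ru is reported (www.bing.com is touched by iexplore.exe alone): five Office probes answered with 200 and 404, the XLS URL as the only document, and svchost.exe and iexplore.exe as the other processes on the host. Putting an internal SharePoint or WebDAV host in the allowlist is what keeps this rule quiet for legitimate document servers.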

Connections

PID   Process       IP                  Domain           ASN                                                                         CN  Reputation
2808  iexplore.exe  204.79.197.200:80   www.bing.com     Microsoft Corporation                                                       US  whitelisted
3812  EXCEL.EXE     195.208.1.102:80    www.ssk-avto.ru  Autonomous Non-commercial Organization Regional Network Information Center  RU  malicious
3088  iexplore.exe  195.208.1.102:80    www.ssk-avto.ru  Autonomous Non-commercial Organization Regional Network Information Center  RU  malicious
976   svchost.exe   195.208.1.102:80    www.ssk-avto.ru  Autonomous Non-commercial Organization Regional Network Information Center  RU  malicious

DNS requests

Domain           IP                              Reputation
www.bing.com     204.79.197.200, 13.107.21.200   whitelisted
www.ssk-avto.ru  195.208.1.102                   malicious

Threats

PID   Process    Class                          Message
3812  EXCEL.EXE  A Network Trojan was detected  SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source
3812  EXCEL.EXE  A Network Trojan was detected  SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source
3812  EXCEL.EXE  A Network Trojan was detected  SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source

Debug info: none.