analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Remittance_kbaoljecenter.xlsx

Full analysis: https://app.any.run/tasks/4dcf6ebd-b71a-436f-9669-466147b8ba15
Verdict: Malicious activity
Analysis date: March 31, 2020, 06:23:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

CE901B42FD0B01ABA2D733D85797DF71

SHA1:

2748F5EEABF1312A291CC5526438408B1311EF57

SHA256:

7288043C366CFA080F5345333AE279375BF24F6FD5C3E2A8262F63B651CD3C20

SSDEEP:

768:bnoXRoxqE5Sn67uR8TSFCF4IRLjrUOJD6PzQL:MBoxq7ncUOdKQL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executed via COM

      • iexplore.exe (PID: 2540)

    • Unusual connect from Microsoft Office

      • EXCEL.EXE (PID: 2884)

  • INFO

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 2884)
      • iexplore.exe (PID: 2540)
      • iexplore.exe (PID: 2120)

    • Application launched itself

      • iexplore.exe (PID: 2540)

    • Reads internet explorer settings

      • EXCEL.EXE (PID: 2884)
      • iexplore.exe (PID: 916)
      • iexplore.exe (PID: 2120)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2884)

    • Changes internet zones settings

      • iexplore.exe (PID: 2540)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2540)
      • iexplore.exe (PID: 2120)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2540)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0xfa08cdcc
ZipCompressedSize: 361
ZipUncompressedSize: 1202
ZipFileName: [Content_Types].xml

XMP

Title: Capture

XML

LastModifiedBy: pc
CreateDate: 2020:03:30 04:12:35Z
ModifyDate: 2020:03:30 04:12:35Z
Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 1
TitlesOfParts: NEW ALWAYS2
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16.03
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe iexplore.exe iexplore.exe no specs iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2884"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2540"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
916"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2540 CREDAT:144385 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2120"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2540 CREDAT:333058 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
5 339
Read events
1 092
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
6
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
2884EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR5C61.tmp.cvr
MD5:
SHA256:
2884EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CabFC7A.tmp
MD5:
SHA256:
2884EXCEL.EXEC:\Users\admin\AppData\Local\Temp\TarFC7B.tmp
MD5:
SHA256:
2120iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab860.tmp
MD5:
SHA256:
2120iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar861.tmp
MD5:
SHA256:
2540iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2884EXCEL.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDAder
MD5:5E85608FC7DFEAD699997B1FF748F5F6
SHA256:255A8111B16FB403A7C5238887E54EA13D20BD8591370276B0887830677750C9
2884EXCEL.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3B6E683A7A45CC59BF035C9BA8C7AB9Dder
MD5:15E1EAD6D64A568D0280273659B287FD
SHA256:8AFF1C859B0881467119BCDB4909221255214AA19D4769B977676D38E2BF1537
2884EXCEL.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4der
MD5:8E7D3EFB01313E3007F38BE1219E1751
SHA256:9E61938AFB6497D6FE9AE1AC66A919A85D92A6DB6C7762E8FB572A49A7B6A6A5
2120iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\ijnb[1].htmhtml
MD5:DD64B349E6BEEDAB78149AA7C596E11F
SHA256:102140732231D59EA9954C16F311BE2DE37A6BEAB1DFF33FFBAD4BD39885B5C0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
14
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2884
EXCEL.EXE
GET
200
151.139.128.14:80
http://crl.usertrust.com/AddTrustExternalCARoot.crl
US
der
673 b
whitelisted
2884
EXCEL.EXE
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
US
der
471 b
whitelisted
2884
EXCEL.EXE
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY
US
der
728 b
whitelisted
2540
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2884
EXCEL.EXE
151.139.128.14:80
ocsp.usertrust.com
Highwinds Network Group, Inc.
US
suspicious
2884
EXCEL.EXE
198.23.203.252:443
onlinesiege.ru
ColoCrossing
US
unknown
2120
iexplore.exe
198.23.203.252:443
onlinesiege.ru
ColoCrossing
US
unknown
2540
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2540
iexplore.exe
198.23.203.252:443
onlinesiege.ru
ColoCrossing
US
unknown

DNS requests

Domain
IP
Reputation
onlinesiege.ru
  • 198.23.203.252
unknown
ocsp.usertrust.com
  • 151.139.128.14
whitelisted
ocsp.comodoca.com
  • 151.139.128.14
whitelisted
crl.usertrust.com
  • 151.139.128.14
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Remittance_kbaoljecenter.xlsx