File name: sample4.xls

Full analysis: https://app.any.run/tasks/40a6bc66-e98b-4cd7-a077-bc773d0ed954
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 17, 2019, 09:24:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, opendir, loader, rat, nanocore, trojan
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Last Saved By: DaPhnoT, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jul 17 04:14:06 2019, Last Saved Time/Date: Wed Jul 17 04:16:32 2019, Security: 0
MD5: 27DF05C21A640FED790123906447E533
SHA1: E0830421607A671A491CFA56A90980C4A3E5FC5C
SHA256: 73B4563D5D461D68CB3F5D7B4DBAC2DFC78BEA8A6C6CC4D4623CDF3FD8638C5C
SSDEEP: 6144:Gk3hbdlylKsgqopeJBWhZFVE+W2NdAheWVjjsw32cejjPs+Q:4eWVjjswMjjPs+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Requests a remote executable file from MS Office

      • EXCEL.EXE (PID: 2896)
    • Known privilege escalation attack

      • ActionCenterCPL.exe (PID: 3980)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2896)
    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2896)
    • Application was dropped or rewritten from another process

      • ActionCenterCPL.exe (PID: 2268)
      • ActionCenterCPL.exe (PID: 3980)
      • RegSvcs.exe (PID: 3588)
    • Changes the autorun value in the registry

      • ActionCenterCPL.exe (PID: 2268)
      • RegSvcs.exe (PID: 3588)
    • NanoCore was detected

      • RegSvcs.exe (PID: 3588)
    • Connects to CnC server

      • RegSvcs.exe (PID: 3588)
  • SUSPICIOUS

    • Modifies the open verb of a shell class

      • ActionCenterCPL.exe (PID: 3980)
    • Executable content was dropped or overwritten

      • ActionCenterCPL.exe (PID: 2268)
      • RegSvcs.exe (PID: 3588)
    • Creates files in the user directory

      • ActionCenterCPL.exe (PID: 2268)
      • RegSvcs.exe (PID: 3588)
    • Suspicious files were dropped or overwritten

      • ActionCenterCPL.exe (PID: 2268)
    • Creates files in the program directory

      • RegSvcs.exe (PID: 3588)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

Author: -
LastModifiedBy: D£aPhnoT
Software: Microsoft Excel
CreateDate: 2019:07:17 03:14:06
ModifyDate: 2019:07:17 03:16:32
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Sheet1
HeadingPairs:
  • Worksheets
  • 1
CompObjUserTypeLen: 31
CompObjUserType: Microsoft Excel 2003 Worksheet
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 6
Malicious processes: 5
Suspicious processes: 0

Behavior graph

[Behavior graph; rendered in the full report. Nodes shown: excel.exe (drop and start) -> actioncentercpl.exe -> eventvwr.exe (no specs) / eventvwr.exe -> actioncentercpl.exe -> regsvcs.exe (#NANOCORE)]

Process information

PID 2896 (parent process: explorer.exe)
  CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Excel
  Version: 14.0.6024.1000

PID 3980 (parent process: EXCEL.EXE)
  CMD: "C:\Users\admin\AppData\Local\Temp\ActionCenterCPL.exe"
  Path: C:\Users\admin\AppData\Local\Temp\ActionCenterCPL.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 360 (parent process: ActionCenterCPL.exe)
  CMD: "C:\Windows\System32\eventvwr.exe"
  Path: C:\Windows\System32\eventvwr.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Event Viewer Snapin Launcher
  Exit code: 3221226540
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3220 (parent process: ActionCenterCPL.exe)
  CMD: "C:\Windows\System32\eventvwr.exe"
  Path: C:\Windows\System32\eventvwr.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Event Viewer Snapin Launcher
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2268 (parent process: eventvwr.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\ActionCenterCPL.exe"
  Path: C:\Users\admin\AppData\Local\Temp\ActionCenterCPL.exe
  User: admin
  Integrity Level: HIGH

PID 3588 (parent process: ActionCenterCPL.exe)
  CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Microsoft .NET Services Installation Utility
  Version: 4.7.3062.0 built by: NET472REL1
Total events: 695
Read events: 654
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 4
Suspicious files: 3
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2896 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA529.tmp.cvr |
  MD5:
  SHA256:
3588 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text
  MD5: 9BD349520C448714F0A4A12B0CFA37C0
  SHA256: F9D2D7E0C963E21F59E262ACD0CAB1A9163566A7CF8390151943BB656F0D76CB
2268 | ActionCenterCPL.exe | C:\Users\Public\mpCjhrKRLv.vbs | text
  MD5: 00DF91675E71FF1E0F1D2551BC681547
  SHA256: 84DB82AC845397D95DE11F9B6D82CDEA402E0210EA8784BB2AD01D44BB4B07F1
2896 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\ActionCenterCPL[1].exe | executable
  MD5: 42CAEC355209CFB04A43A1021C5231E2
  SHA256: 570D7EB4A0A2C31E93E02175653018E4FFB8E06FA32FC4E3F119CB358BC5074F
3588 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat | binary
  MD5: 691CC37BF04E06DD984804E431C8DE97
  SHA256: 821FB1FB2AC46E20151712C31F2F40B9313C9B879153BEBDCA5BA6359AFD7392
3588 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\storage.dat | binary
  MD5: 0F2F6A4B06BE0772056B9BAE520D080B
  SHA256: 02D949A185B17629136B7DC20C06533B2ABD91965D73705546E9B1D6726F5B0C
2896 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\ActionCenterCPL.exe | executable
  MD5: 42CAEC355209CFB04A43A1021C5231E2
  SHA256: 570D7EB4A0A2C31E93E02175653018E4FFB8E06FA32FC4E3F119CB358BC5074F
2268 | ActionCenterCPL.exe | C:\Users\admin\AppData\Roaming\tpmvscmgr\ActionCenterCPL.bat | executable
  MD5: E0274B83EDCA7919AA8C4E5AF4B9B0F8
  SHA256: 771C9E3D1C6F61EE83FBB23563C9FBBCC73853E7E910A6316CF0A529C8243ADD
3588 | RegSvcs.exe | C:\Program Files\TCP Monitor\tcpmon.exe | executable
  MD5: 0E06054BEB13192588E745EE63A84173
  SHA256: C5D6D56DED55FBD6C150EE3A0EB2E5671CAE83106BE2BE4D70CE50AA50BAB768
3588 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin | binary
  MD5: 441D437892E5E1C07D5B4514962B4D57
  SHA256: ADA4BCEA05D6F70A193DAA5D2FEC14535B6A74114F08C0D0C67DB0F9C489E402
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 9
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2896 | EXCEL.EXE | GET | 200 | 194.59.164.40:80 | http://u700222964.hostingerapp.com/ActionCenterCPL.exe | unknown | executable | 1.29 Mb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3588 | RegSvcs.exe | 8.8.8.8:53 | | Google Inc. | US | whitelisted
2896 | EXCEL.EXE | 194.59.164.40:80 | u700222964.hostingerapp.com | | | suspicious
3588 | RegSvcs.exe | 185.247.228.17:47581 | etoiilefiiilante.duckdns.org | | | malicious

DNS requests

Domain | IP | Reputation
u700222964.hostingerapp.com | 194.59.164.40 | suspicious
etoiilefiiilante.duckdns.org | 185.247.228.17 | malicious

Threats

PID | Process | Class | Message
2896 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3588 | RegSvcs.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3588 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B
3588 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore RAT
3588 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT
3588 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore RAT
3588 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore RAT
3588 | RegSvcs.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3588 | RegSvcs.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3588 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B
86 ETPRO signatures available at the full report
No debug info