File name: | sample4.xls |
Full analysis: | https://app.any.run/tasks/40a6bc66-e98b-4cd7-a077-bc773d0ed954 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | July 17, 2019, 09:24:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Last Saved By: DaPhnoT, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jul 17 04:14:06 2019, Last Saved Time/Date: Wed Jul 17 04:16:32 2019, Security: 0 |
MD5: | 27DF05C21A640FED790123906447E533 |
SHA1: | E0830421607A671A491CFA56A90980C4A3E5FC5C |
SHA256: | 73B4563D5D461D68CB3F5D7B4DBAC2DFC78BEA8A6C6CC4D4623CDF3FD8638C5C |
SSDEEP: | 6144:Gk3hbdlylKsgqopeJBWhZFVE+W2NdAheWVjjsw32cejjPs+Q:4eWVjjswMjjPs+ |
.xls | | | Microsoft Excel sheet (48) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (39.2) |
Author: | - |
---|---|
LastModifiedBy: | D£aPhnoT |
Software: | Microsoft Excel |
CreateDate: | 2019:07:17 03:14:06 |
ModifyDate: | 2019:07:17 03:16:32 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
AppVersion: | 15 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | Sheet1 |
HeadingPairs: |
|
CompObjUserTypeLen: | 31 |
CompObjUserType: | Microsoft Excel 2003 Worksheet |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2896 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3980 | "C:\Users\admin\AppData\Local\Temp\ActionCenterCPL.exe" | C:\Users\admin\AppData\Local\Temp\ActionCenterCPL.exe | — | EXCEL.EXE |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
360 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | ActionCenterCPL.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3220 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | ActionCenterCPL.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Event Viewer Snapin Launcher Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2268 | "C:\Users\admin\AppData\Local\Temp\ActionCenterCPL.exe" | C:\Users\admin\AppData\Local\Temp\ActionCenterCPL.exe | eventvwr.exe | |
User: admin Integrity Level: HIGH | ||||
3588 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | ActionCenterCPL.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Services Installation Utility Version: 4.7.3062.0 built by: NET472REL1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2896 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA529.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3588 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text | |
MD5:9BD349520C448714F0A4A12B0CFA37C0 | SHA256:F9D2D7E0C963E21F59E262ACD0CAB1A9163566A7CF8390151943BB656F0D76CB | |||
2268 | ActionCenterCPL.exe | C:\Users\Public\mpCjhrKRLv.vbs | text | |
MD5:00DF91675E71FF1E0F1D2551BC681547 | SHA256:84DB82AC845397D95DE11F9B6D82CDEA402E0210EA8784BB2AD01D44BB4B07F1 | |||
2896 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\ActionCenterCPL[1].exe | executable | |
MD5:42CAEC355209CFB04A43A1021C5231E2 | SHA256:570D7EB4A0A2C31E93E02175653018E4FFB8E06FA32FC4E3F119CB358BC5074F | |||
3588 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat | binary | |
MD5:691CC37BF04E06DD984804E431C8DE97 | SHA256:821FB1FB2AC46E20151712C31F2F40B9313C9B879153BEBDCA5BA6359AFD7392 | |||
3588 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\storage.dat | binary | |
MD5:0F2F6A4B06BE0772056B9BAE520D080B | SHA256:02D949A185B17629136B7DC20C06533B2ABD91965D73705546E9B1D6726F5B0C | |||
2896 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\ActionCenterCPL.exe | executable | |
MD5:42CAEC355209CFB04A43A1021C5231E2 | SHA256:570D7EB4A0A2C31E93E02175653018E4FFB8E06FA32FC4E3F119CB358BC5074F | |||
2268 | ActionCenterCPL.exe | C:\Users\admin\AppData\Roaming\tpmvscmgr\ActionCenterCPL.bat | executable | |
MD5:E0274B83EDCA7919AA8C4E5AF4B9B0F8 | SHA256:771C9E3D1C6F61EE83FBB23563C9FBBCC73853E7E910A6316CF0A529C8243ADD | |||
3588 | RegSvcs.exe | C:\Program Files\TCP Monitor\tcpmon.exe | executable | |
MD5:0E06054BEB13192588E745EE63A84173 | SHA256:C5D6D56DED55FBD6C150EE3A0EB2E5671CAE83106BE2BE4D70CE50AA50BAB768 | |||
3588 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin | binary | |
MD5:441D437892E5E1C07D5B4514962B4D57 | SHA256:ADA4BCEA05D6F70A193DAA5D2FEC14535B6A74114F08C0D0C67DB0F9C489E402 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2896 | EXCEL.EXE | GET | 200 | 194.59.164.40:80 | http://u700222964.hostingerapp.com/ActionCenterCPL.exe | unknown | executable | 1.29 Mb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3588 | RegSvcs.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
2896 | EXCEL.EXE | 194.59.164.40:80 | u700222964.hostingerapp.com | — | — | suspicious |
3588 | RegSvcs.exe | 185.247.228.17:47581 | etoiilefiiilante.duckdns.org | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
u700222964.hostingerapp.com |
| suspicious |
etoiilefiiilante.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2896 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3588 | RegSvcs.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3588 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B |
3588 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore RAT |
3588 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3588 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore RAT |
3588 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore RAT |
3588 | RegSvcs.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3588 | RegSvcs.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3588 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B |