analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

INV 56011.xls

Full analysis: https://app.any.run/tasks/17798c3a-0be8-43f2-8521-2696a861436b
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: March 31, 2020, 05:48:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
emotet-doc
emotet
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Mar 30 15:55:58 2020, Last Saved Time/Date: Mon Mar 30 16:32:15 2020, Security: 0, Comments: xo57BWdyiQhUSsLd
MD5:

6835F375C4AD0C30035A61FE421654CD

SHA1:

6FE7528DD23D96E67E912EFFCE7A290F141F7A01

SHA256:

7745A7EE24A42A4633560B881266F7E695320EB5B0B5117B9103E1D7D618D8DD

SSDEEP:

3072:Zqk3hbdlylKsgqopeJBWhZFGkE+cL2NdAYPV1111111111111111111111pqYxsu:Ik3hbdlylKsgqopeJBWhZFVE+W2NdAYr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2192)

  • SUSPICIOUS

    • Uses REG.EXE to modify Windows registry

      • EXCEL.EXE (PID: 2192)

    • Executed via COM

      • DllHost.exe (PID: 3700)

  • INFO

    • Manual execution by user

      • explorer.exe (PID: 2956)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: -
LastModifiedBy: -
Software: Microsoft Excel
CreateDate: 2020:03:30 14:55:58
ModifyDate: 2020:03:30 15:32:15
Security: None
Comments: xo57BWdyiQhUSsLd
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Sheet1
HeadingPairs:
  • Worksheets
  • 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe no specs reg.exe no specs explorer.exe no specs Shell Security Editor no specs

Process information

PID
CMD
Path
Indicators
Parent process
2192"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
332"C:\Windows\system32\reg.exe" EXPORT HKCU\Software\Microsoft\Office\14.0\Excel\Security c:\users\public\1.reg /yC:\Windows\system32\reg.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2956"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3700C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
750
Read events
684
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2192EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR6BA3.tmp.cvr
MD5:
SHA256:
332reg.exeC:\Users\admin\AppData\Local\Temp\REG7140.tmp
MD5:
SHA256:
2192EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF61CB8D36E5AE0297.TMP
MD5:
SHA256:
332reg.exeC:\users\public\1.regtext
MD5:532A449AF9D242579F9EC3DFA34E44E4
SHA256:1508CA4C705A4088DE449FAC8DF25394F927DE3D9AB8809CCFE93BB38A9E2C96
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
INV 56011.xls