Field | Value |
---|---|
File name | sgv7qi.xlsm |
Full analysis | https://app.any.run/tasks/a86d04ee-faed-4583-8b95-83b0e6eea570 |
Verdict | Malicious activity |
Analysis date | February 11, 2019, 01:39:05 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info | Microsoft Excel 2007+ |
MD5 | 4EDD901B77B576506E9396EA3EDF59CE |
SHA1 | 04A8AE60FAE237B7A8EE1C244653E66A928F3AF8 |
SHA256 | 78132071D580D02F75A98B83A0C7412286F51E1C34584D6CE61D324C2FACC94F |
SSDEEP | 384:HBhUJqQPczqQKrHehHSNvNYixcYcABPJ2cQuiB:hhU7tpe1SCiGtABPqJ |
Extension | File type | Match score |
---|---|---|
.xlsm | Excel Microsoft Office Open XML Format document (with Macro) | 50.8 |
.xlsx | Excel Microsoft Office Open XML Format document | 30 |
.zip | Open Packaging Conventions container | 15.4 |
.zip | ZIP compressed archive | 3.5 |
Property | Value |
---|---|
AppVersion | 12 |
HyperlinksChanged | No |
SharedDoc | No |
LinksUpToDate | No |
TitlesOfParts | Sheet1 |
HeadingPairs | |
ScaleCrop | No |
DocSecurity | None |
Application | Microsoft Excel |
ModifyDate | 2018:10:23 08:11:36Z |
CreateDate | 2018:01:04 06:59:16Z |
LastModifiedBy | http |
Creator | http |
Title | ://tiny |

Creator and LastModifiedBy hold "http" and Title holds "://tiny"; read in sequence they spell the start of a tiny.cc URL, matching the shortener requests in the HTTP table further down. Document properties are attacker-controlled and readable from VBA through BuiltinDocumentProperties, so splitting a URL across them is one way to keep the string out of the macro body itself.
ZIP entry field | Value |
---|---|
ZipFileName | [Content_Types].xml |
ZipUncompressedSize | 1087 |
ZipCompressedSize | 371 |
ZipCRC | 0xbc04c63e |
ZipModifyDate | 1980:01:01 00:00:00 |
ZipCompression | Deflated |
ZipBitFlag | 0x0006 |
ZipRequiredVersion | 20 |
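The static checks suggested by the two tables above (a macro part inside the OOXML container, and metadata fields that concatenate into a URL) can be done without opening the file in Excel. The following is an added example written for this page, not code from ANY.RUN or from the sample; the workbook it inspects is constructed in memory with the report's Creator/Title values and a placeholder vbaProject.bin, so it runs offline and the `build_sample_xlsm` helper is sample data rather than the real sgv7qi.xlsm.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

DC = "{http://purl.org/dc/elements/1.1/}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"

# Constructed sample parts. The property values mirror the report's metadata
# (Creator "http", Title "://tiny"); everything else is a skeletal stand-in,
# not content of the analysed file.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    '<Override PartName="/xl/workbook.xml" '
    'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
    '</Types>'
)
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties '
    'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
    'xmlns:dc="http://purl.org/dc/elements/1.1/" '
    'xmlns:dcterms="http://purl.org/dc/terms/" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<dc:title>://tiny</dc:title>'
    '<dc:creator>http</dc:creator>'
    '<cp:lastModifiedBy>http</cp:lastModifiedBy>'
    '<dcterms:created xsi:type="dcterms:W3CDTF">2018-01-04T06:59:16Z</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2018-10-23T08:11:36Z</dcterms:modified>'
    '</cp:coreProperties>'
)


def build_sample_xlsm():
    """Assemble the constructed parts into an in-memory OOXML container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("xl/workbook.xml", "<workbook/>")
        # OLE2 magic plus padding stands in for a real VBA project stream.
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def triage_ooxml(data):
    """Static pre-checks on an OOXML document: macro presence and metadata oddities."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        content_types = ""
        if "[Content_Types].xml" in names:
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        props = {"creator": "", "title": "", "lastModifiedBy": ""}
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag, key in ((DC + "creator", "creator"),
                             (DC + "title", "title"),
                             (CP + "lastModifiedBy", "lastModifiedBy")):
                el = root.find(tag)
                if el is not None and el.text:
                    props[key] = el.text.strip()

    findings = []
    if has_vba:
        findings.append("VBA project part present (xl/vbaProject.bin)")
        if "macroEnabled" not in content_types:
            findings.append("VBA part present but no macroEnabled content type declared")
    # Document properties are attacker-controlled and readable from VBA, so a
    # URL split across them is worth surfacing before any dynamic analysis.
    joined = props["creator"] + props["title"]
    if re.match(r"(?i)(https?|ftp)://", joined):
        findings.append(f"Creator+Title concatenate to a URL prefix: {joined!r}")
    return {"has_vba": has_vba, "properties": props, "findings": findings}


if __name__ == "__main__":
    result = triage_ooxml(build_sample_xlsm())
    for line in result["findings"]:
        print("-", line)
```

Point `triage_ooxml` at the bytes of any .xlsm/.docm to get the same three answers the report gives here (macro part present, content type consistent with it, and a Creator/Title pair that assembles into "http://tiny").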
All processes below ran as user admin and report Company: Microsoft Corporation.

PID | Command line | Path | Parent process | Integrity | Exit code | Description | Version | Indicators |
---|---|---|---|---|---|---|---|---|
2764 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe | MEDIUM | 0 | Microsoft Excel | 14.0.6024.1000 | — |
2804 | Schtasks /Create /SC ONCE /ST 1:40:38 AM /TN "Google Chrome Update" /TR C:\Users\admin\Profile.vbs /F | C:\Windows\system32\Schtasks.exe | EXCEL.EXE | MEDIUM | 2147500037 (0x80004005) | Manages scheduled tasks | 6.1.7600.16385 (win7_rtm.090713-1255) | — |
2868 | Schtasks /Create /SC minute /mo 10 /TN "OfficeUpdate" /TR C:\Users\admin\Users.vbs /F | C:\Windows\system32\Schtasks.exe | EXCEL.EXE | MEDIUM | 0 | Manages scheduled tasks | 6.1.7600.16385 (win7_rtm.090713-1255) | — |
2712 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\system32\mmc.exe | explorer.exe | MEDIUM | 3221226540 (0xC000042C) | Microsoft Management Console | 6.1.7600.16385 (win7_rtm.090713-1255) | — |
3536 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\system32\mmc.exe | explorer.exe | HIGH | | Microsoft Management Console | 6.1.7600.16385 (win7_rtm.090713-1255) | — |
3836 | C:\Windows\System32\WScript.exe "C:\Users\admin\Users.vbs" | C:\Windows\System32\WScript.exe | taskeng.exe | MEDIUM | 0 | Microsoft ® Windows Based Script Host | 5.8.7600.16385 | — |
1228 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\qThbhtQ.vbs" | C:\Windows\System32\WScript.exe | WScript.exe | MEDIUM | 0 | Microsoft ® Windows Based Script Host | 5.8.7600.16385 | — |
2656 | "C:\Windows\System32\schtasks.exe" /Create /SC minute /mo 1 /TN "Office Update" /TR C:\Users\admin\Users.vbs /F | C:\Windows\System32\schtasks.exe | WScript.exe | MEDIUM | 0 | Manages scheduled tasks | 6.1.7600.16385 (win7_rtm.090713-1255) | — |
2860 | "C:\Windows\System32\schtasks.exe" /Create /SC daily /TN "Intel Inside Monitor" /TR C:\Users\admin\Users.vbs /F | C:\Windows\System32\schtasks.exe | WScript.exe | MEDIUM | 0 | Manages scheduled tasks | 6.1.7600.16385 (win7_rtm.090713-1255) | — |
2812 | C:\Windows\System32\WScript.exe "C:\Users\admin\Users.vbs" | C:\Windows\System32\WScript.exe | taskeng.exe | MEDIUM | 0 | Microsoft ® Windows Based Script Host | 5.8.7600.16385 | — |

Reading the tree: EXCEL.EXE (2764) launches schtasks.exe twice. The first call (2804) asks for a one-shot task "Google Chrome Update" with /ST 1:40:38 AM and exits 2147500037 (0x80004005, E_FAIL), so no task with that name was registered; schtasks documents /ST as HH:mm in 24-hour time, and the value passed here is not in that form. The second call (2868) registers "OfficeUpdate" to run C:\Users\admin\Users.vbs every 10 minutes and exits 0. Each time taskeng.exe fires that task (3836, 2812), Users.vbs re-registers itself under further names, "Office Update" every minute (2656) and "Intel Inside Monitor" daily (2860), and starts a second script host running a randomly named script (1228, qThbhtQ.vbs). The two mmc.exe entries (2712, 3536) have explorer.exe as parent and open taskschd.msc; that is the Task Scheduler console being opened interactively in the sandbox, not activity of the sample. The first launch exits 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) and the second runs elevated at HIGH integrity.
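The persistence pattern in the process table (an Office application or a script host spawning schtasks.exe, a task action pointing at a script under the user's profile, and a schedule of a few minutes) is what a detection would key on. The following is an added example written for this page, not ANY.RUN code or anything from the sample: it parses schtasks /Create command lines and scores them, run over process-creation events transcribed from the table above (the event tuples are constructed sample input, not an EDR export; the parent lists and script extensions are the author's choices).

```python
import re
import shlex
from dataclasses import dataclass, field

# Constructed process-creation events (parent image, child image path, command
# line) transcribed from the process table above. Sample input for the
# detection logic, not an EDR export.
EVENTS = [
    ("explorer.exe", r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'),
    ("EXCEL.EXE", r"C:\Windows\system32\Schtasks.exe",
     r'Schtasks /Create /SC ONCE /ST 1:40:38 AM /TN "Google Chrome Update" '
     r'/TR C:\Users\admin\Profile.vbs /F'),
    ("EXCEL.EXE", r"C:\Windows\system32\Schtasks.exe",
     r'Schtasks /Create /SC minute /mo 10 /TN "OfficeUpdate" /TR C:\Users\admin\Users.vbs /F'),
    ("explorer.exe", r"C:\Windows\system32\mmc.exe",
     r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s'),
    ("taskeng.exe", r"C:\Windows\System32\WScript.exe",
     r'C:\Windows\System32\WScript.exe "C:\Users\admin\Users.vbs"'),
    ("WScript.exe", r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC minute /mo 1 /TN "Office Update" '
     r'/TR C:\Users\admin\Users.vbs /F'),
    ("WScript.exe", r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC daily /TN "Intel Inside Monitor" '
     r'/TR C:\Users\admin\Users.vbs /F'),
]

# Parents that have no business registering scheduled tasks (author's list).
SUSPICIOUS_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)


@dataclass
class TaskCreation:
    parent: str
    name: str
    schedule: str
    modifier: str
    action: str
    reasons: list = field(default_factory=list)


def parse_schtasks(cmdline):
    """Map schtasks switches (lower-cased) to their values; None unless it is a /Create."""
    # posix=False keeps backslashes literal and quoted spans intact.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    args = {}
    i = 1  # tokens[0] is the schtasks image itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            value = ""
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                value = tokens[i + 1]
                i += 1
            args[tok.lower()] = value
        i += 1
    return args if "/create" in args else None


def triage_task_creation(parent, image, cmdline):
    """Return a TaskCreation carrying the reasons it looks suspicious, or None."""
    if not image.lower().endswith("schtasks.exe"):
        return None
    args = parse_schtasks(cmdline)
    if args is None:
        return None
    action = args.get("/tr", "")
    tc = TaskCreation(parent, args.get("/tn", ""), args.get("/sc", "").lower(),
                      args.get("/mo", ""), action)
    if parent.lower() in SUSPICIOUS_PARENTS:
        tc.reasons.append(f"schtasks spawned by {parent}")
    if action.lower().endswith(SCRIPT_EXT):
        tc.reasons.append("task action is a script file")
    if USER_PROFILE.match(action):
        tc.reasons.append("task action lives under a user profile")
    if tc.schedule == "minute" and tc.modifier.isdigit() and int(tc.modifier) <= 10:
        tc.reasons.append(f"re-runs every {tc.modifier} minute(s)")
    return tc


def hunt(events):
    """Apply the triage to every event and keep only the flagged task creations."""
    hits = []
    for parent, image, cmdline in events:
        tc = triage_task_creation(parent, image, cmdline)
        if tc and tc.reasons:
            hits.append(tc)
    return hits


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(f'{hit.parent} -> "{hit.name}" ({hit.schedule} {hit.modifier}) {hit.action}')
        for reason in hit.reasons:
            print("   ", reason)
```

Against the transcribed events this flags all four /Create calls and nothing else; the failed "Google Chrome Update" creation is still reported, because the detection sees the attempt on the command line, not the exit code.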
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
2764 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | write | n{$ | 6E7B2400CC0A0000010000000000000000000000 |
2764 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off |
2764 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | On |
2764 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | write | MTTT | CC0A0000184C89A2AAC1D40100000000 |
2764 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | delete value | n{$ | 6E7B2400CC0A0000010000000000000000000000 |
2764 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | delete key | | |
2764 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency | delete key | | |
2764 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
2764 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
2764 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1993BB | write | 1993BB | (value not captured) |

All registry activity belongs to EXCEL.EXE and is Excel's own Resiliency, DocumentRecovery, language and ZoneMap bookkeeping for the open workbook; none of it is a persistence mechanism. Persistence in this sample is the scheduled tasks created in the process table, not Run keys.
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2764 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR8B00.tmp.cvr | — | — | — |
2764 | EXCEL.EXE | C:\Users\admin\Desktop\~$sgv7qi.xlsm | — | — | — |
2764 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF6F32628CDB46434B.TMP | — | — | — |
3072 | WScript.exe | C:\Users\admin\pVaxlje.vbs | text | 0613DE84995FB3FCFF2761B2373BB264 | 8BA7044286D6F35A77C4E355169FCAFC4C0E699C18641637B76B270A1E0BC57C |
2764 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\sgv7qi.xlsm.LNK | lnk | 915DAEB89D065DC47018E825ADD7BDCC | 6C72E310F1F6A94E999C4C6F7E9D390A8FB3E4BE879E94A5ABA144C32B416795 |
2764 | EXCEL.EXE | C:\Users\admin\Users.vbs | text | 2DFBD417AA5D99E0778F01D740AC1FBF | CD8C37ED8BFFC968F0FE66809226E7714FC93A1CED1671690AEE1869861D6AE4 |
2812 | WScript.exe | C:\Users\admin\P7Nut57.vbs | text | 0613DE84995FB3FCFF2761B2373BB264 | 8BA7044286D6F35A77C4E355169FCAFC4C0E699C18641637B76B270A1E0BC57C |
2408 | WScript.exe | C:\Users\admin\xJ&Fyca.vbs | text | 0613DE84995FB3FCFF2761B2373BB264 | 8BA7044286D6F35A77C4E355169FCAFC4C0E699C18641637B76B270A1E0BC57C |
3976 | WScript.exe | C:\Users\admin\[email protected] | text | 0613DE84995FB3FCFF2761B2373BB264 | 8BA7044286D6F35A77C4E355169FCAFC4C0E699C18641637B76B270A1E0BC57C |
2764 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | DD296EE3431B34824A298F616340567D | C74268D6034E58BDFC0CE3F4818FC3EA1B071D34CE100C588FAB2CFA4DD1A506 |

Two things stand out. Users.vbs, the script every scheduled task points at, is written directly by EXCEL.EXE (SHA256 CD8C37ED…D6AE4). The four randomly named scripts dropped by WScript.exe (pVaxlje.vbs, P7Nut57.vbs, xJ&Fyca.vbs and a fourth whose name the page renders only as "[email protected]", an artifact of e-mail address obfuscation on the rendered page) share one SHA256 (8BA70442…BC57C), so each run of Users.vbs writes the same second-stage script under a fresh name. PIDs 3072, 2408 and 3976 are WScript.exe instances that appear here and in the network tables but are absent from the process list above.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2812 | WScript.exe | GET | 301 | 192.241.240.89:80 | http://tiny.cc/gogoo | US | html | 184 b | shared |
2764 | EXCEL.EXE | GET | 301 | 192.241.240.89:80 | http://tiny.cc/ccddc | US | html | 184 b | shared |
2408 | WScript.exe | GET | 301 | 192.241.240.89:80 | http://tiny.cc/gogoo | US | html | 184 b | shared |
3072 | WScript.exe | GET | 301 | 192.241.240.89:80 | http://tiny.cc/gogoo | US | html | 184 b | shared |
3976 | WScript.exe | GET | 301 | 192.241.240.89:80 | http://tiny.cc/gogoo | US | html | 184 b | shared |
2764 | EXCEL.EXE | GET | 301 | 192.241.240.89:80 | http://tiny.cc/zzttzz | US | html | 184 b | shared |
3836 | WScript.exe | GET | 301 | 192.241.240.89:80 | http://tiny.cc/gogoo | US | html | 184 b | shared |

Three tiny.cc shortlinks are used: the macro in EXCEL.EXE fetches /ccddc and /zzttzz, and every Users.vbs run fetches /gogoo. Each answers with a 301; the redirect targets are not recorded in the HTTP table, but the connections table that follows shows the same processes opening TLS sessions to pastebin.com immediately afterwards, so the shortener is a layer of indirection in front of paste-hosted payloads. Blocking or sinkholing a shortener domain alone leaves the hosted content reachable by its direct URL.
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3836 | WScript.exe | 192.241.240.89:80 | tiny.cc | Digital Ocean, Inc. | US | malicious |
2812 | WScript.exe | 192.241.240.89:80 | tiny.cc | Digital Ocean, Inc. | US | malicious |
2764 | EXCEL.EXE | 192.241.240.89:80 | tiny.cc | Digital Ocean, Inc. | US | malicious |
3836 | WScript.exe | 192.241.240.89:443 | tiny.cc | Digital Ocean, Inc. | US | malicious |
2812 | WScript.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
2764 | EXCEL.EXE | 192.241.240.89:443 | tiny.cc | Digital Ocean, Inc. | US | malicious |
3836 | WScript.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
2812 | WScript.exe | 192.241.240.89:443 | tiny.cc | Digital Ocean, Inc. | US | malicious |
2764 | EXCEL.EXE | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
3976 | WScript.exe | 192.241.240.89:80 | tiny.cc | Digital Ocean, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
tiny.cc | | shared |
pastebin.com | | shared |
Process | Message |
---|---|
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |