File name:

Book1

Full analysis: https://app.any.run/tasks/4d9b7762-ae11-4a5e-99ff-ef7e453bc258
Verdict: Malicious activity
Threats:

Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.

Analysis date: March 18, 2020, 11:57:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
rat
crimson
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Feb 17 03:35:36 2020, Security: 0
MD5:

E074C234858D890502C7BB6905F0716E

SHA1:

64DFA9C6B46EFB3EF41E4905781E4B84A41160E1

SHA256:

876939AA0AA157AA2581B74DDFC4CF03893CEDE542ADE22A2D9AC70E2FEF1656

SSDEEP:

6144:fxEtjPOtioVjDGUU1qfDlavx+W2QnAdh:R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2544)
    • Application was dropped or rewritten from another process

      • dhrwarhsav.exe (PID: 1832)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2544)
    • CRIMSON was detected

      • EXCEL.EXE (PID: 2544)
      • dhrwarhsav.exe (PID: 1832)
  • SUSPICIOUS

    • Creates files in the program directory

      • EXCEL.EXE (PID: 2544)
    • Connects to unusual port

      • dhrwarhsav.exe (PID: 1832)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

CompObjUserType: Microsoft Excel 2003 Worksheet
CompObjUserTypeLen: 31
HeadingPairs:
  • Worksheets
  • 3
TitleOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 14
CodePage: Windows Latin 1 (Western European)
Security: None
ModifyDate: 2020:02:17 03:35:36
CreateDate: 2006:09:16 00:00:00
Software: Microsoft Excel
LastModifiedBy: -
Author: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start #CRIMSON excel.exe #CRIMSON dhrwarhsav.exe

Process information

PID
CMD
Path
Indicators
Parent process
2544"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1832C:\ProgramData\Edlacar\dhrwarhsav.exeC:\ProgramData\Edlacar\dhrwarhsav.exe
EXCEL.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
MLREDM
Version:
1.0.0.0
Modules
Images
c:\programdata\edlacar\dhrwarhsav.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
660
Read events
534
Write events
115
Delete events
11

Modification events

(PID) Process:(2544) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName:o80
Value:
6F383000F0090000010000000000000000000000
(PID) Process:(2544) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2544) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2544) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2544) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2544) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2544) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2544) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2544) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2544) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
1
Suspicious files
1
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
2544EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR6C4F.tmp.cvr
MD5:
SHA256:
2544EXCEL.EXEC:\Users\admin\Documents\VB75C8.tmp
MD5:
SHA256:
2544EXCEL.EXEC:\Users\admin\AppData\Local\Temp\VB75C7.tmp
MD5:
SHA256:
2544EXCEL.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:35A7F3C957079A4571111DE93736131D
SHA256:AB377C084C4225BE69DCB3BC54E70F0B560E1E1084D8C034E77866B3AB834866
2544EXCEL.EXEC:\ProgramData\Edlacar\dhrwarhsav.exeexecutable
MD5:E262407A5502FA5607AD3B709A73A2E0
SHA256:B67D764C981A298FA2BB14CA7FAFFC68EC30AD34380AD8A92911B2350104E748
2544EXCEL.EXEC:\ProgramData\Uahaiws\othria.zipcompressed
MD5:643E9D03CF2C03DDF24F55DAD3605AE5
SHA256:6D717A73468029B337DC53A51363AEA78B1350ACE23BCDA04C238B1506B34123
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1832
dhrwarhsav.exe
107.175.64.209:6728
ColoCrossing
US
malicious

DNS requests

No data

Threats

No threats detected
No debug info