File name: | Payment Advice.xlsx |
Full analysis: | https://app.any.run/tasks/e6af4c8b-90a0-4461-92f2-99621993bae8 |
Verdict: | Malicious activity |
Analysis date: | March 14, 2019, 11:53:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | F2B666C80EE1B2E8B0436310D32E570E |
SHA1: | 1303BE021DEE2F044832C1A494DC64DA25A8FF39 |
SHA256: | 87ECE9E0EADB20FF0A6C8D8837782B687C9004E0B621939E5C3B232E6FCE1A00 |
SSDEEP: | 1536:tVNohZ96GmtbkdAheHEDfB4qSLx0F6A29ZXy+P1l:vNoOxkdAcmfB4qSLDR9VD1l |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2868 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
2624 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2868 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE38E.tmp.cvr | — | — | — |
2624 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | — | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2624 | EQNEDT32.EXE | GET | — | 192.81.132.172:80 | http://grabilla.com/0930e-e698aa0f-54f0-4448-9aa9-90e29f81b57a.exe?download | US | — | — | suspicious |
2624 | EQNEDT32.EXE | GET | 301 | 91.224.140.71:80 | http://gg.gg/d7qst | NL | — | — | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2624 | EQNEDT32.EXE | 192.81.132.172:80 | grabilla.com | Linode, LLC | US | suspicious |
2624 | EQNEDT32.EXE | 91.224.140.71:80 | gg.gg | Innovation IT Solutions LTD | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
gg.gg | | shared |
grabilla.com | | suspicious |
PID | Process | Class | Message |
---|---|---|---|
2624 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2624 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2624 | EQNEDT32.EXE | Misc activity | ET INFO EXE - Served Attached HTTP |
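The behaviour chain above is the one worth alerting on: Excel (PID 2868) opens the document, Equation Editor (PID 2624) is started by svchost.exe with `-Embedding`, which is how an out-of-process OLE server is launched via DCOM (so its parent is never the Office process), and that Equation Editor instance then writes `C:\Users\Public\vbc.exe` and fetches an executable through the gg.gg shortener from grabilla.com. The legitimate Equation Editor has no reason to write executables or make HTTP requests, so a detection keys on the image name rather than the process tree. The script below is an added example, not part of the any.run report or its tooling: the telemetry records are constructed to mirror the report's process, file and network tables (PIDs, paths, URLs and IPs copied from it), and the rule names, field names and verdict thresholds are the editor's own assumptions.

```python
"""Detection pass over sandbox-style telemetry for an Equation Editor download chain.

Added example, not any.run code. The records below are constructed to mirror the
report's tables; rule names, record fields and verdict logic are assumptions.
"""
import ntpath
from collections import defaultdict
from urllib.parse import urlparse

# Constructed telemetry modelled on the report (not a real log format).
PROCESSES = [
    {"pid": 2868, "parent": "explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'},
    {"pid": 2624, "parent": "svchost.exe",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmd": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
]
FILE_WRITES = [
    {"pid": 2868, "path": r"C:\Users\admin\AppData\Local\Temp\CVRE38E.tmp.cvr"},
    {"pid": 2624, "path": r"C:\Users\Public\vbc.exe"},
]
HTTP = [
    {"pid": 2624, "method": "GET", "status": 301, "ip": "91.224.140.71",
     "url": "http://gg.gg/d7qst"},
    {"pid": 2624, "method": "GET", "status": None, "ip": "192.81.132.172",
     "url": "http://grabilla.com/0930e-e698aa0f-54f0-4448-9aa9-90e29f81b57a.exe?download"},
]

# Office OLE servers launched by DCOM (parent svchost.exe, "-Embedding") that never
# legitimately write executables or talk HTTP. Only EQNEDT32.EXE appears in the report.
OLE_SERVERS = {"eqnedt32.exe"}
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}
# Directories droppers commonly stage payloads in; C:\Users\Public is the one in the report.
STAGING_DIRS = (r"c:\users\public", r"\appdata\local\temp")


def image_name(path):
    """Lower-cased basename of an image path, for comparisons."""
    return ntpath.basename(path).lower()


def detect(processes, file_writes, http):
    """Return (pid, rule, detail) findings for OLE-server processes that drop or fetch PEs."""
    by_pid = {p["pid"]: p for p in processes}
    ole_pids = {pid for pid, p in by_pid.items() if image_name(p["image"]) in OLE_SERVERS}
    findings = []
    for fw in file_writes:
        if fw["pid"] not in ole_pids:
            continue
        if ntpath.splitext(fw["path"])[1].lower() in PE_EXTENSIONS:
            staged = any(d in fw["path"].lower() for d in STAGING_DIRS)
            rule = "ole_server_drops_pe_staging" if staged else "ole_server_drops_pe"
            findings.append((fw["pid"], rule, fw["path"]))
    for req in http:
        if req["pid"] not in ole_pids:
            continue
        # urlparse(...).path strips the "?download" query, so the .exe suffix is visible.
        ext = ntpath.splitext(urlparse(req["url"]).path)[1].lower()
        rule = "ole_server_fetches_pe" if ext in PE_EXTENSIONS else "ole_server_http"
        findings.append((req["pid"], rule, req["url"]))
    return findings


def verdict(findings):
    """'malicious' if one OLE-server PID both drops a PE and makes HTTP requests,
    'suspicious' for any single finding, otherwise 'clean'."""
    rules_by_pid = defaultdict(set)
    for pid, rule, _ in findings:
        rules_by_pid[pid].add(rule)
    for rules in rules_by_pid.values():
        dropped = any(r.startswith("ole_server_drops_pe") for r in rules)
        network = any(r in ("ole_server_http", "ole_server_fetches_pe") for r in rules)
        if dropped and network:
            return "malicious"
    return "suspicious" if findings else "clean"


if __name__ == "__main__":
    hits = detect(PROCESSES, FILE_WRITES, HTTP)
    for pid, rule, detail in hits:
        print(f"{pid}\t{rule}\t{detail}")
    print("verdict:", verdict(hits))
```

Keying on the image name is what makes this robust to the broken process tree: in the report PID 2624's parent is svchost.exe, not EXCEL.EXE, so a rule of the form "Office spawns child process" would miss it entirely. The `ole_server_http` hit on the gg.gg redirect is also worth keeping as a separate rule, since a shortener hop is how the final `.exe` URL was reached.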