analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

8ad0cd2bd06f5145ed6304fbf7755b3ee45836b3ce4fc68807e96429bfd718f3

Full analysis: https://app.any.run/tasks/fd413d7c-0945-407f-aa10-c157cfcb5c55
Verdict: Malicious activity
Analysis date: September 11, 2019, 10:01:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
ole-embedded
macros-on-open
ta505
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: Qs, Subject: XpU, Author: bqqUah, Last Saved By: Microsoft Office, Revision Number: 807, Name of Creating Application: Microsoft Excel, Total Editing Time: 15:53:00, Create Time/Date: Fri Aug 30 10:14:50 2019, Last Saved Time/Date: Tue Sep 10 11:38:58 2019, Number of Pages: 3, Number of Words: 3816, Number of Characters: 1126, Security: 0
MD5:

29491F8F5FDB91F56A72CE4311064C5F

SHA1:

A03F65F47B4D82AB4D8857041FB9838A6980B508

SHA256:

8AD0CD2BD06F5145ED6304FBF7755B3EE45836B3CE4FC68807E96429BFD718F3

SSDEEP:

6144:O8mdr74qRlm5ibfVdL4UikJBGC1XcONN1IgAe:O8UrDtdkUfTTrug1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • EXCEL.EXE (PID: 2872)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2872)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2872)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 2872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

HeadingPairs:
  • Листы
  • 1
TitleOfParts: 1
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 11.9999
Paragraphs: 88
Lines: 193
Bytes: 46952
Company: -
CodePage: Windows Cyrillic
Security: None
Characters: 1126
Words: 3816
Pages: 3
ModifyDate: 2019:09:10 10:38:58
CreateDate: 2019:08:30 09:14:50
TotalEditTime: 15.9 hours
Software: Microsoft Excel
RevisionNumber: 807
LastModifiedBy: Microsoft Office
Author: bqqUah
Subject: XpU
Title: Qs
CompObjUserType: Microsoft Forms 2.0 Form
CompObjUserTypeLen: 25
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
1
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start excel.exe

Process information

PID
CMD
Path
Indicators
Parent process
2872"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
Total events
635
Read events
531
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
2872EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR9D7D.tmp.cvr
MD5:
SHA256:
2872EXCEL.EXEC:\Users\admin\AppData\Local\Temp\VBA6C7.tmp
MD5:
SHA256:
2872EXCEL.EXEC:\Users\admin\AppData\Local\Temp\VBA6B6.tmp
MD5:
SHA256:
2872EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFB249F18FEB52B8A6.TMP
MD5:
SHA256:
2872EXCEL.EXEC:\Users\admin\AppData\Local\Temp\77A61000
MD5:
SHA256:
2872EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFC64875AF20274989.TMP
MD5:
SHA256:
2872EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~$13.xlsx
MD5:
SHA256:
2872EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFB6432618D7C880F8.TMP
MD5:
SHA256:
2872EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CEDDB5CB.emfemf
MD5:840578F062696D80F50989BF4B10EF85
SHA256:A875045E32838186476E65B16E7839F79112FC486AB7C1C0577B731B0388B67F
2872EXCEL.EXEC:\Users\admin\AppData\Roaming\carpc1.dllexecutable
MD5:CD4C856F0C7E2906ABFBC0E83B3C1C0D
SHA256:00208B70C6C214A7DC5CBBFF6D5D50A5952AD2ACFD35BC56CC930E52803D278E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2872
EXCEL.EXE
95.216.147.100:443
windows-update-02-en.com
Hetzner Online GmbH
DE
unknown

DNS requests

Domain
IP
Reputation
windows-update-02-en.com
  • 95.216.147.100
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
8ad0cd2bd06f5145ed6304fbf7755b3ee45836b3ce4fc68807e96429bfd718f3