File name: 617724eae420e5972f88066ba4c9eb9a24772176.xls

Full analysis: https://app.any.run/tasks/16528d30-cfb4-4388-872b-28c08a03f43d
Verdict: Malicious activity
Threats:
Loader

A loader is malware whose job is to get onto a device and deliver further payloads. It typically profiles the victim's system and then installs other threats such as trojans or stealers. Loaders are usually delivered through phishing emails and links that rely on social engineering to get the user to download and run the executable, and they use evasion and persistence techniques to avoid detection.

Analysis date: September 30, 2020, 12:30:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
loader
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: DELL, Last Saved By: DELL, Create Time/Date: Wed Sep 30 09:35:34 2020, Last Saved Time/Date: Wed Sep 30 09:35:34 2020, Security: 0
MD5: 68D49604D2AF422137883BBE175597C9
SHA1: 617724EAE420E5972F88066BA4C9EB9A24772176
SHA256: 8F0B57FFEBABF29670832449B17EB4B76E9C9D4ACC7D79A34547CF641521BBB5
SSDEEP: 6144:Pk3hOdsylKlgryzc4bNhZF+E+W2kn08u0keNXFL318Aeu3bjbAOiOEc8ICtLtBDI:Qu03NXB31lf7jnEnIgLt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • osign.exe (PID: 3272)
      • svchost32.exe (PID: 1256)
    • Loads dropped or rewritten executable

      • svchost32.exe (PID: 1256)
    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 948)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 948)
    • Changes the autorun value in the registry

      • reg.exe (PID: 1168)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • svchost32.exe (PID: 1256)
    • Starts itself from another location

      • svchost32.exe (PID: 1256)
    • Executable content was dropped or overwritten

      • svchost32.exe (PID: 1256)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 1520)
  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 948)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 948)
    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 948)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

CompObjUserType: Microsoft Excel 2003 Worksheet
CompObjUserTypeLen: 31
HeadingPairs:
  • Worksheets
  • 1
TitleOfParts: Sheet 1
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
CodePage: Windows Latin 1 (Western European)
Security: None
ModifyDate: 2020:09:30 08:35:34
CreateDate: 2020:09:30 08:35:34
LastModifiedBy: DELL
Author: DELL
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

(Interactive in the full report; the edges shown, as reconstructed from the process table below:)
  excel.exe --drop and start--> svchost32.exe
  svchost32.exe --start--> cmd.exe (no specs) --start--> reg.exe
  svchost32.exe --drop and start--> osign.exe (no specs)

Process information

PID 948
  CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Excel
  Version: 14.0.6024.1000

PID 1256
  CMD: "C:\Users\Public\svchost32.exe"
  Path: C:\Users\Public\svchost32.exe
  Parent process: EXCEL.EXE
  User: admin
  Company: r;24a,#0f5s]u
  Integrity Level: MEDIUM
  Description: u,78r&]5zx(1*6do_0)4t
  Exit code: 0
  Version: 1.1.2.2

PID 1520
  CMD: "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v sobm /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\admin\osign.exe"
  Path: C:\Windows\system32\cmd.exe
  Parent process: svchost32.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1168
  CMD: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v sobm /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\admin\osign.exe"
  Path: C:\Windows\system32\reg.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Registry Console Tool
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3272
  CMD: "C:\Users\admin\osign.exe"
  Path: C:\Users\admin\osign.exe
  Parent process: svchost32.exe
  User: admin
  Company: r;24a,#0f5s]u
  Integrity Level: MEDIUM
  Description: u,78r&]5zx(1*6do_0)4t
  Version: 1.1.2.2
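The process table shows the whole chain in one view: EXCEL.EXE starts C:\Users\Public\svchost32.exe (a system-binary name in a user-writable directory), which starts a second copy of itself as C:\Users\admin\osign.exe and uses cmd.exe and reg.exe to write an HKCU Run value whose data launches osign.exe through pcalua.exe, the Program Compatibility Assistant launcher, so the autorun entry points at a Microsoft binary rather than at the payload. The following triage script is an added example, not ANY.RUN's code: the PROCESSES list is transcribed from the table above, while the rule names, the lookalike-name list and the directory patterns are this example's own assumptions.

```python
"""Added triage example over the process records above (not ANY.RUN code).
PROCESSES is transcribed from the report's process table; rule names, the
lookalike list and the directory patterns are this example's assumptions."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    image: str     # Path column
    cmdline: str   # CMD column, quoting kept exactly as the report shows it
    parent: str    # Parent process column (image name only)


PROCESSES = [
    Proc(948, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde',
         "explorer.exe"),
    Proc(1256, r"C:\Users\Public\svchost32.exe",
         r'"C:\Users\Public\svchost32.exe"', "EXCEL.EXE"),
    Proc(1520, r"C:\Windows\system32\cmd.exe",
         r'"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows'
         r'\CurrentVersion\Run /f /v sobm /t REG_SZ /d C:\Windows\system32'
         r'\pcalua.exe" -a C:\Users\admin\osign.exe"',
         "svchost32.exe"),
    Proc(1168, r"C:\Windows\system32\reg.exe",
         r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion'
         r'\Run /f /v sobm /t REG_SZ /d C:\Windows\system32\pcalua.exe"'
         r' -a C:\Users\admin\osign.exe"',
         "cmd.exe"),
    Proc(3272, r"C:\Users\admin\osign.exe", r'"C:\Users\admin\osign.exe"',
         "svchost32.exe"),
]

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Names that imitate Windows system binaries; the genuine ones live under C:\Windows
SYSTEM_LOOKALIKES = ("svchost", "csrss", "lsass", "winlogon", "explorer", "services")
USER_WRITABLE = re.compile(r"^c:\\users\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?$", re.I)
REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\s+(\S+).*?/v\s+(\S+).*?/d\s+(.+?)\s*$", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_reg_add(cmdline: str):
    """(key, value_name, data) for a REG ADD command line, else None."""
    m = REG_ADD.search(cmdline)
    return (m.group(1).strip('"'), m.group(2), m.group(3).strip()) if m else None


def triage(proc: Proc, procs=()) -> list[str]:
    """Rules that fire for one record; `procs` lets us resolve the parent's path."""
    hits = []
    if proc.parent.lower() in OFFICE_IMAGES and USER_WRITABLE.match(proc.image):
        hits.append("office-spawns-exe-from-user-dir")
    stem = image_name(proc.image).removesuffix(".exe")
    if stem.startswith(SYSTEM_LOOKALIKES) and not proc.image.lower().startswith("c:\\windows\\"):
        hits.append("system-process-name-outside-windows-dir")
    parent = next((p for p in procs if image_name(p.image) == proc.parent.lower()), None)
    if parent and USER_WRITABLE.match(parent.image) and USER_WRITABLE.match(proc.image):
        hits.append("user-dir-exe-spawns-user-dir-exe")   # "starts itself from another location"
    reg = parse_reg_add(proc.cmdline)
    if reg:
        key, value, data = reg
        if RUN_KEY.search(key):
            hits.append(f"autorun-added:{value}")
        if "pcalua.exe" in data.lower() and re.search(r"\s-a\s", data):
            hits.append("lolbin-proxy:pcalua")   # pcalua.exe -a <exe> runs <exe> as its child
    return hits


def triage_all(procs) -> dict[int, list[str]]:
    """pid -> fired rules, omitting processes with nothing to report."""
    report = {}
    for p in procs:
        hits = triage(p, procs)
        if hits:
            report[p.pid] = hits
    return report


if __name__ == "__main__":
    for pid, hits in triage_all(PROCESSES).items():
        print(pid, ", ".join(hits))
```

Run against the transcribed records, the script reports nothing for EXCEL.EXE itself, two findings for svchost32.exe (Office child in a user directory, system-binary name outside C:\Windows), the Run-key and pcalua findings for both cmd.exe and reg.exe, and the self-copy for osign.exe. Matching on the full command line rather than on the image name is what catches the persistence here: reg.exe is a legitimate binary, and the Run value points at another legitimate binary.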
Total events: 866
Read events: 804
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 5
Suspicious files: 0
Text files: 2
Unknown types: 2

Dropped files

PID 948 (EXCEL.EXE)
  C:\Users\admin\AppData\Local\Temp\CVRABB2.tmp.cvr
  Type: (not reported)
  MD5: (not reported)
  SHA256: (not reported)

PID 948 (EXCEL.EXE)
  C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\617724eae420e5972f88066ba4c9eb9a24772176.xls.LNK
  Type: lnk
  MD5: 76B544C948A0130A32AE9D2BDE19044C
  SHA256: 56BB757069CB2D0BD991CA622D5146951AE5760EA83D2DB763C8625BDBDB0480

PID 948 (EXCEL.EXE)
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\DFI-6059[1].jpg
  Type: executable
  MD5: 69A1012645E68EC71F61E3E623CC1802
  SHA256: 37CEA6E5502E8CAEA195462FDB59B168D238617F2918F0562804F8E6BD2CD9D0

PID 948 (EXCEL.EXE)
  C:\Users\Public\svchost32.exe
  Type: executable
  MD5: 69A1012645E68EC71F61E3E623CC1802
  SHA256: 37CEA6E5502E8CAEA195462FDB59B168D238617F2918F0562804F8E6BD2CD9D0

PID 1256 (svchost32.exe)
  C:\Users\admin\osign.exe
  Type: executable
  MD5: 69A1012645E68EC71F61E3E623CC1802
  SHA256: 37CEA6E5502E8CAEA195462FDB59B168D238617F2918F0562804F8E6BD2CD9D0

PID 948 (EXCEL.EXE)
  C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Type: text
  MD5: C18DBBEEE55AA6913B14339658E03C80
  SHA256: 70AA862CDACBFCAAE05C35C02FA1A4382E99AFDEC4E6CD8C86BEB8ED6EEE1058

PID 1256 (svchost32.exe)
  C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe
  Type: executable
  MD5: 6A673BFC3B67AE9782CB31AF2F234C68
  SHA256: 978A4093058AA2EBF05DC353897D90D950324389879B57741B64160825B5EC0E

PID 1256 (svchost32.exe)
  C:\Users\admin\AppData\Local\Temp\a6a0b8a6-4761-4357-9a31-0eca6ad70093\f.dll
  Type: executable
  MD5: 14FF402962AD21B78AE0B4C43CD1F194
  SHA256: FB9646CB956945BDC503E69645F6B5316D3826B780D3C36738D6B944E884D15B

Note that the cached DFI-6059[1].jpg, C:\Users\Public\svchost32.exe and C:\Users\admin\osign.exe share the same MD5 and SHA256: the ".jpg" fetched by Excel is the executable, written once by the macro and copied again by svchost32.exe before the Run key is set.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

PID 948 (EXCEL.EXE)
  Method: GET
  HTTP Code: 200
  IP: 185.33.85.52:80
  URL: http://185.33.85.52/FR/DFI-6059.jpg
  CN: GB
  Type: executable
  Size: 406 Kb
  Reputation: malicious

Connections

PID 948 (EXCEL.EXE)
  IP: 185.33.85.52:80
  Domain: (none; connection by IP address)
  ASN: (not reported)
  CN: GB
  Reputation: malicious

DNS requests

No data

Threats

PID 948 (EXCEL.EXE)
  Class: A Network Trojan was detected
  Message: ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
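The HTTP row and the Suricata alert describe the same event: Excel fetched http://185.33.85.52/FR/DFI-6059.jpg from a bare IP address, the 406 Kb "image" was an executable, and the same bytes were then written to C:\Users\Public\svchost32.exe (identical MD5/SHA256 in the dropped-files list). The ET rule name says it keys on the MSXML HTTP client's request as well as on the executable response; the request headers are not on this page, so the following added example (not ANY.RUN's or Emerging Threats' code) reproduces only the two checks the report does support: sniffing the real file type from the leading bytes and comparing it with what the URL's extension claims, and flagging a dotted-quad host. The PE and JPEG byte strings are constructed stand-ins; REPORT_URL is the URL from the report.

```python
"""Added example: checks that reproduce what the HTTP row and the Suricata
alert above tell us, independent of the sandbox. Sample bodies are constructed
stand-ins; REPORT_URL is the URL from the report."""
import os
import re
import struct
from urllib.parse import urlparse

REPORT_URL = "http://185.33.85.52/FR/DFI-6059.jpg"
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# What a URL extension promises the body should be
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
               ".pdf": "pdf", ".exe": "pe", ".dll": "pe"}


def sniff(body: bytes) -> str:
    """Coarse type from leading bytes (magic numbers), not from any name or header."""
    if body[:2] == b"MZ":
        # A PE file starts with a DOS header; the 32-bit offset at 0x3C points at "PE\0\0".
        if len(body) >= 0x40:
            e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
            if body[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "mz-dos"          # MZ without a PE header: DOS executable or truncated file
    if body[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if body[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if body[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if body[:5] == b"%PDF-":
        return "pdf"
    if body[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"             # Composite Document File V2, the container of the .xls above
    return "unknown"


def assess_download(url: str, body: bytes) -> list[str]:
    """Findings for one HTTP download, in a fixed order."""
    findings = []
    parsed = urlparse(url)
    if DOTTED_QUAD.match(parsed.hostname or ""):
        findings.append("dotted-quad-host")
    actual = sniff(body)
    claimed = EXT_TO_TYPE.get(os.path.splitext(parsed.path)[1].lower())
    if claimed and claimed != actual:
        findings.append(f"type-mismatch:url-says-{claimed},body-is-{actual}")
    if actual == "pe" and "dotted-quad-host" in findings:
        findings.append("executable-from-dotted-quad")   # the condition the ET rule name describes
    return findings


def fake_pe() -> bytes:
    """Constructed stand-in: DOS header with e_lfanew = 0x40, then a PE signature."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


# Constructed stand-in for a genuine JPEG: SOI marker followed by an APP0/JFIF header
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\0" * 16

if __name__ == "__main__":
    for label, body in (("report-like", fake_pe()), ("benign", JPEG_SAMPLE)):
        print(label, assess_download(REPORT_URL, body))
```

The type check is the one worth carrying into a proxy or EDR rule: a response whose body starts with an MZ/PE header but whose URL or Content-Type says image is the reliable signal here, whereas the dotted-quad host alone also fires on plenty of legitimate internal traffic.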
No debug info