Field | Value |
---|---|
File name | Api.xlsx |
Full analysis | https://app.any.run/tasks/0b3f5d30-488d-4643-9a10-defcb3967049 |
Verdict | Malicious activity |
Analysis date | September 18, 2019, 17:46:50 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info | Microsoft Excel 2007+ |
MD5 | D663BADCAA2ED66E46FE2C40070DFB6A |
SHA1 | 34066DC32E1BD8EC5685FBDD53C675E25AB61B33 |
SHA256 | 9BD3DB55472AA810ED1D87DC72ED5BCBDA9267FE52C61C63D624041D10E62305 |
SSDEEP | 1536:d8t/oP5QYMMscvJSvn3hhb2mnGh7zMC56Px3DeKpzOamN:d8G1MMVvJSf3hhbA5ACWx3DhpS1 |
Extension | Identified format (score) |
---|---|
.xlsx | Excel Microsoft Office Open XML Format document (61.2) |
.zip | Open Packaging Conventions container (31.5) |
.zip | ZIP compressed archive (7.2) |
ZIP header field | Value |
---|---|
ZipRequiredVersion | 20 |
ZipBitFlag | 0x0002 |
ZipCompression | Deflated |
ZipModifyDate | 2019:09:17 11:20:14 |
ZipCRC | 0xa97f1e42 |
ZipCompressedSize | 386 |
ZipUncompressedSize | 1505 |
ZipFileName | [Content_Types].xml |
Document property | Value |
---|---|
Creator | Windows User |
LastModifiedBy | Windows User |
CreateDate | 2019:09:11 23:33:40Z |
ModifyDate | 2019:09:14 05:13:44Z |
Application | Microsoft Excel |
DocSecurity | None |
ScaleCrop | No |
HeadingPairs | — |
TitlesOfParts | Sheet1 |
Company | - |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
AppVersion | 15.03 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3408 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
3500 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
2556 | "C:\ProgramData\intel.exe" | C:\ProgramData\intel.exe | — | EQNEDT32.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3360 | "C:\Users\admin\AppData\Local\Temp\09141351\gfj.exe" mkkkqe | C:\Users\admin\AppData\Local\Temp\09141351\gfj.exe | — | intel.exe | User: admin; Company: AutoIt Team; Integrity Level: MEDIUM; Description: AutoIt v3 Script; Version: 3, 3, 8, 1 |
3908 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | — | gfj.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Services Installation Utility; Version: 4.7.3062.0 built by: NET472REL1 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3408 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR9C44.tmp.cvr | — | — | — |
2556 | intel.exe | C:\Users\admin\AppData\Local\Temp\09141351\mkkkqe | — | — | — |
2556 | intel.exe | C:\Users\admin\AppData\Local\Temp\09141351\hjx.docx | text | 2410475D04D860CB08227642B79D1D09 | 5DB35856D0ECF832913634F53B5F4DE44FCDA90E0A4423938B56EE4D68FE1743 |
2556 | intel.exe | C:\Users\admin\AppData\Local\Temp\09141351\sji.icm | text | 25BD06C3E038B2004DACE144DFE51ED5 | 3D27090A7BC9E1B64DBC4E2EE4354F77E1C1AD9DBAFD1F9DE484CF346E6685C5 |
2556 | intel.exe | C:\Users\admin\AppData\Local\Temp\09141351\nmj.dat | text | 55950DDAFD81C7D0B748F827378893EC | EA06FA8939954902A3CD79377E35AD95AE37C37EA7DD28B5152B8079BDCB4543 |
2556 | intel.exe | C:\Users\admin\AppData\Local\Temp\09141351\ivb.exe | text | EDB1CCA2C4C759BD14D671F2D04B7D76 | A9FE6F36F6374D7370D0D41F0FC2DC5ED43040DDA4561ECCD592ACF89BC3FD78 |
2556 | intel.exe | C:\Users\admin\AppData\Local\Temp\09141351\dmq.xls | text | 147DB52CC89E60EF6B4C9AFEBEE07A52 | CA52A43B3921AF968F8AA3E33E2E49F37D0518FA423BB0C4D4F45BF1940F62D9 |
2556 | intel.exe | C:\Users\admin\AppData\Local\Temp\09141351\gut.docx | text | C54A81C7B639F16883A8DEA52B33B67B | CD6B63E55F55461D47BFB15AEE17263083DBC0EBA59EA8D7561659FE1ABB803F |
2556 | intel.exe | C:\Users\admin\AppData\Local\Temp\09141351\oix.cpl | text | B87F7AB2DC57E74004AD280BA60915CF | FF5726EBA400823042F355EEF5CD790102C99C3D3B4D88E2B17A41257291256F |
2556 | intel.exe | C:\Users\admin\AppData\Local\Temp\09141351\utt.jpg | text | C15A1BCC06ECB45B9056494CF5340707 | 768C0D94F36947E71A1183995FBEC5F53385DF2606415BB2308E64D7D387176A |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3908 | RegSvcs.exe | 79.134.225.61:5552 | info1.nowddns.com | Andreas Fink trading as Fink Telecom Services | CH | malicious |
3500 | EQNEDT32.EXE | 207.174.215.236:80 | indulfastag.com | PDR | US | malicious |
Domain | IP | Reputation |
---|---|---|
indulfastag.com | — | malicious |
info1.nowddns.com | — | malicious |
PID | Process | Class | Message |
---|---|---|---|
3500 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3500 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |