File name: bda64c90876dbe725635aabae1218d6a9fe9bcab076c4f074a6084068e95c9a1
Full analysis: https://app.any.run/tasks/a204a956-7f74-4519-9a5f-1cc6f51ed1f1
Verdict: Malicious activity
Threats:

Loader. A loader is malicious software that infiltrates a device to deliver further payloads: it can profile the system and install other threats such as trojans or stealers. Loaders are usually delivered through phishing e-mails and links, relying on social engineering to get the user to download and run them, and they use evasion and persistence tricks to avoid detection. In this task the loader stage is the Excel 4.0 macro document plus the executable it fetches and renames (xcf4cd9.png to xcf4cd9.exe, later copied to Music\mp3.exe); the final payload detected is Remcos RAT, running inside InstallUtil.exe.
Analysis date: May 24, 2019, 08:14:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
loader
opendir
rat
remcos
stealer
maldoc-14
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Last Saved By: USER HP, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue May 21 09:46:12 2019, Last Saved Time/Date: Tue May 21 09:47:46 2019, Security: 0
MD5: 13C7237128C9C7FD6669CA9905833B76
SHA1: CA4F84BCAA873AC928EA9F8C58222034F7B52B79
SHA256: BDA64C90876DBE725635AABAE1218D6A9FE9BCAB076C4F074A6084068E95C9A1
SSDEEP: 1536:StY35qAOJl/YrLYz+WrNhZFGzE+cL2RdAbR7rvdRRLgSJhaZbScONSQJnr:yY35qAOJl/YrLYz+WrNhZFGzE+cL2Rdm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • xcf4cd9.exe (PID: 2520)
      • mp3.exe (PID: 2684)
    • Requests a remote executable file from MS Office

      • EXCEL.EXE (PID: 2972)
    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2972)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2972)
    • Changes the autorun value in the registry

      • mp3.exe (PID: 2684)
    • Actions look like stealing of personal data

      • InstallUtil.exe (PID: 3696)
      • InstallUtil.exe (PID: 3292)
    • Stealing of credential data

      • InstallUtil.exe (PID: 3696)
      • InstallUtil.exe (PID: 3292)
    • REMCOS RAT was detected

      • InstallUtil.exe (PID: 1520)

      InstallUtil.exe is a legitimate .NET Framework utility; the Remcos and credential-theft signatures fire on its instances (PIDs 1520, 3292, 3352, 3696) rather than on the dropped loader, so detection and response should key on the behaviour of those InstallUtil.exe processes, not on the file name.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3876)
      • cmd.exe (PID: 3232)
    • Starts CMD.EXE for commands execution

      • xcf4cd9.exe (PID: 2520)
      • mp3.exe (PID: 2684)
    • Application launched itself

      • InstallUtil.exe (PID: 1520)
    • Loads DLL from Mozilla Firefox

      • InstallUtil.exe (PID: 3352)
      • InstallUtil.exe (PID: 3292)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3956)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2972)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 2972)
    • Manual execution by user

      • chrome.exe (PID: 3956)
    • Application launched itself

      • chrome.exe (PID: 3956)
    • Application crashed

      • mp3.exe (PID: 2684), exit code 3762504530 = 0xE0434352, the .NET CLR unhandled-exception status (indicating a .NET binary, consistent with the payload continuing in the .NET host InstallUtil.exe)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (36.8)
.xls | Microsoft Excel sheet (alternate) (30)
.doc | Microsoft Word document (old ver.) (23.3)

EXIF

FlashPix

Title: -
Subject: -
Author: -
Keywords: -
Comments: -
LastModifiedBy: USER HP
Software: Microsoft Excel
CreateDate: 2019:05:21 08:46:12
ModifyDate: 2019:05:21 08:47:46
Security: None
Company: -
AppVersion: 12
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Example Test
  • Format Abbr.
  • Readme
  • RTKXT
HeadingPairs:
  • Worksheets
  • 3
  • Excel 4.0 Macros
  • 1
CodePage: Windows Latin 1 (Western European)
Hyperlinks:
  • http://www.cmu.edu/blackboard/files/evaluate/tests-example.xls
CompObjUserTypeLen: 38
CompObjUserType: Microsoft Office Excel 2003 Worksheet

Reading the metadata: HeadingPairs reports three worksheets and one Excel 4.0 macro sheet, which is what gives the sample its "macros" and "macros-on-open" tags (XLM macros are triggered by an Auto_Open defined name, not by a VBA project, so VBA-only scanners miss them). The single hyperlink points at a benign example spreadsheet on cmu.edu; EXCEL.EXE fetches it at runtime (see the HTTP requests and the dropped tests-example[1].xls below), consistent with it serving as the decoy content shown to the user.
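The metadata above says there is one Excel 4.0 macro sheet but not which sheet it is, whether it is hidden, or whether an Auto_Open name fires it. The following script, added here as an example and not ANY.RUN's code, answers those questions statically by walking the BIFF8 Workbook stream and reading the BOUNDSHEET and Lbl records. The sample stream at the bottom is constructed for the example: it copies the four sheet names from the EXIF data, but the hidden flag on the macro sheet and the Auto_Open name are assumptions, not facts taken from the analysed file. The optional triage_file() helper uses the third-party olefile package to run the same check on a real .xls.

```python
"""Static triage of a legacy .xls for Excel 4.0 (XLM) macro sheets.

Added example for this report; not ANY.RUN's code. Walks the BIFF8 Workbook
stream and reads BOUNDSHEET (0x0085) and Lbl (0x0018) records: is there a
macro sheet (and is it hidden), and is there an Auto_Open name that fires it?
"""
import struct

BOF, EOF, BOUNDSHEET, LBL = 0x0809, 0x000A, 0x0085, 0x0018
SHEET_TYPES = {0x00: "worksheet", 0x01: "xlm-macro", 0x02: "chart", 0x06: "vba-module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very-hidden"}
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close"}   # built-in name codes that auto-run


def iter_records(stream: bytes):
    """Yield (record id, payload) for each BIFF record; stop at a truncated tail."""
    off = 0
    while off + 4 <= len(stream):
        rid, size = struct.unpack_from("<HH", stream, off)
        off += 4
        if off + size > len(stream):
            break                      # corrupt length: do not read past the buffer
        yield rid, stream[off:off + size]
        off += size


def _string(buf: bytes, pos: int, cch: int) -> str:
    """BIFF8 string body: one flag byte, then cch chars (8-bit or UTF-16LE)."""
    wide = buf[pos] & 0x01
    pos += 1
    if wide:
        return buf[pos:pos + 2 * cch].decode("utf-16-le", "replace")
    return buf[pos:pos + cch].decode("latin-1")


def parse_boundsheet(payload: bytes) -> dict:
    """BOUNDSHEET: lbPlyPos(4) grbit(2) cch(1) name; grbit high byte = type, low 2 bits = visibility."""
    _pos, grbit, cch = struct.unpack_from("<IHB", payload, 0)
    return {"name": _string(payload, 7, cch),
            "type": SHEET_TYPES.get(grbit >> 8, "unknown"),
            "visibility": VISIBILITY.get(grbit & 0x03, "unknown")}


def parse_lbl(payload: bytes):
    """Lbl: grbit(2) chKey(1) cch(1) cce(2) ixals(2) itab(2), 4 reserved bytes, then the name."""
    grbit, _chkey, cch, _cce, _ixals, itab = struct.unpack_from("<HBBHHH", payload, 0)
    if grbit & 0x0020 and cch == 1:                 # fBuiltin: the name is a one-byte code
        name = BUILTIN_NAMES.get(payload[15], "builtin-%#x" % payload[15])
    else:
        name = _string(payload, 14, cch)
    return name, itab                               # itab: 1-based sheet index, 0 = workbook scope


def triage_workbook(stream: bytes) -> dict:
    """Summarise macro sheets and auto-run names found in a Workbook stream."""
    sheets, auto_names = [], []
    for rid, payload in iter_records(stream):
        if rid == BOUNDSHEET:
            sheets.append(parse_boundsheet(payload))
        elif rid == LBL:
            name, itab = parse_lbl(payload)
            if name in BUILTIN_NAMES.values():
                auto_names.append((name, itab))
    macro_sheets = [s for s in sheets if s["type"] == "xlm-macro"]
    return {"sheets": sheets, "macro_sheets": macro_sheets, "auto_names": auto_names,
            "suspicious": bool(macro_sheets) and bool(auto_names)}


def triage_file(path: str) -> dict:
    """Same check against an on-disk .xls; needs the third-party olefile package."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        name = "Workbook" if ole.exists("Workbook") else "Book"
        return triage_workbook(ole.openstream(name).read())
    finally:
        ole.close()


# --- constructed sample stream (not bytes from the analysed file) -------------
def _rec(rid: int, payload: bytes) -> bytes:
    return struct.pack("<HH", rid, len(payload)) + payload

def _boundsheet(name: str, sheet_type: int, vis: int) -> bytes:
    raw = name.encode("latin-1")
    return _rec(BOUNDSHEET, struct.pack("<IHB", 0, (sheet_type << 8) | vis, len(raw)) + b"\x00" + raw)

def _builtin_lbl(code: int, itab: int) -> bytes:
    head = struct.pack("<HBBHHH", 0x0020, 0, 1, 0, 0, itab) + b"\x00" * 4
    return _rec(LBL, head + b"\x00" + bytes([code]))

# Mirrors the sheet names in the EXIF data above (three worksheets plus one Excel 4.0
# macro sheet). That the macro sheet is hidden and that an Auto_Open name points at
# it are assumptions made for this sample.
SAMPLE_WORKBOOK = (_rec(BOF, b"\x00\x06\x05\x00" + b"\x00" * 12)
                   + _boundsheet("Example Test", 0x00, 0)
                   + _boundsheet("Format Abbr.", 0x00, 0)
                   + _boundsheet("Readme", 0x00, 0)
                   + _boundsheet("RTKXT", 0x01, 1)
                   + _builtin_lbl(0x01, 4)
                   + _rec(EOF, b""))

if __name__ == "__main__":
    print(triage_workbook(SAMPLE_WORKBOOK))
```

A hidden or very-hidden macro sheet combined with an Auto_Open name is the static signature of a maldoc like this one; a macro sheet without an auto-run name still deserves a look, since the name can also be created at runtime or the macro reached through a hyperlink or button.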
All screenshots are available in the full report
Total processes: 79
Monitored processes: 37
Malicious processes: 7
Suspicious processes: 1

Behavior graph

Node labels as extracted from the graph image, in order ("no specs" marks a process node with no process specifics attached to it): start drop and start excel.exe cmd.exe xcf4cd9.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe cmd.exe no specs mp3.exe cmd.exe no specs cmd.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs #REMCOS installutil.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs installutil.exe installutil.exe no specs installutil.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

Fields per process: PID and image, command line, image path, parent process, then the user, company, integrity level, description, exit code and version reported by the sandbox. (The "Indicators" column carried no text in this export and is omitted.)

PID 2972  EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft Excel
  Version: 14.0.6024.1000

PID 3876  cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ren "C:\Users\admin\AppData\Local\Temp\xcf4cd9.png" "xcf4cd9.exe" &start "" "C:\Users\admin\AppData\Local\Temp\xcf4cd9.exe"
  Path: C:\Windows\System32\cmd.exe
  Parent process: EXCEL.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Note: the payload is downloaded under a .png extension, renamed to .exe and started in one command line; this is the "Requests a remote executable file from MS Office" and "Starts CMD.EXE" pair in the signature list above.

PID 2520  xcf4cd9.exe
  Command line: "C:\Users\admin\AppData\Local\Temp\xcf4cd9.exe"
  Path: C:\Users\admin\AppData\Local\Temp\xcf4cd9.exe
  Parent process: cmd.exe
  User: admin
  Company: iduzayedenopulonim
  Integrity level: MEDIUM
  Description: ojoxaqif
  Exit code: 0
  Version: 3.4.5.7
  Note: the version-resource strings (company, description) are random-looking filler, a common trait of generated or packed loader builds.

PID 2096  cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\Temp\xcf4cd9.exe:Zone.Identifier"
  Path: C:\Windows\System32\cmd.exe
  Parent process: xcf4cd9.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Note: truncating the Zone.Identifier alternate data stream to zero bytes strips the Mark-of-the-Web, so later launches of the file do not raise the attachment/SmartScreen warning.

PID 4092  cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\Temp\xcf4cd9.exe:Zone.Identifier"
  Path: C:\Windows\System32\cmd.exe
  Parent process: xcf4cd9.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3232  cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\AppData\Local\Temp\xcf4cd9.exe" "C:\Users\admin\Music\mp3.exe"
  Path: C:\Windows\System32\cmd.exe
  Parent process: xcf4cd9.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Note: the loader copies itself into the user's Music folder under a media-looking name; this is the path the autorun registry value flagged above points at.

PID 3820  cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\admin\Music\mp3.exe"
  Path: C:\Windows\System32\cmd.exe
  Parent process: xcf4cd9.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Command Processor
  Exit code: 3762504530
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Note: the comma after /c is accepted by cmd.exe (comma, semicolon and equals are treated as separators like whitespace), so a rule that matches the literal "/c " misses this launch. cmd.exe /c returns the child's exit code, which is why it shows the same 0xE0434352 (.NET CLR unhandled exception) as mp3.exe.

PID 2684  mp3.exe
  Command line: "C:\Users\admin\Music\mp3.exe"
  Path: C:\Users\admin\Music\mp3.exe
  Parent process: cmd.exe
  User: admin
  Company: iduzayedenopulonim
  Integrity level: MEDIUM
  Description: ojoxaqif
  Exit code: 3762504530
  Version: 3.4.5.7

PID 3532  cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\Music\mp3.exe:Zone.Identifier"
  Path: C:\Windows\System32\cmd.exe
  Parent process: mp3.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3028  cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\Music\mp3.exe:Zone.Identifier"
  Path: C:\Windows\System32\cmd.exe
  Parent process: mp3.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
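The process table above is the kind of data a process-creation rule set runs over. The script below, added here as an example and not ANY.RUN's code, encodes the chain as six small rules (Office parent spawning cmd.exe, rename of a non-PE extension to .exe, execution out of %TEMP%, Zone.Identifier wipe, copy into a user media folder, and the "/c," separator trick) and a combining verdict. The event list is transcribed from the table above and labelled as constructed; the rule names, the ProcEvent shape and the threshold of three distinct rules are choices made for the example.

```python
"""Detection logic for the Office -> cmd.exe -> renamed-payload chain in the process table above.

Added example for this report, not ANY.RUN's code. Rules are written against
process-creation events of the shape EDR/Sysmon pipelines emit (image,
parent image, command line); sample events are transcribed from the table.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str        # lower-case image name, e.g. "cmd.exe"
    parent: str       # lower-case parent image name
    cmdline: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
NON_PE_EXT = {"png", "jpg", "jpeg", "gif", "bmp", "txt", "dat", "tmp"}
MEDIA_DIRS = r"(?:Music|Pictures|Videos|Documents|Downloads)"


def _args_after(cmdline: str, verb: str) -> list:
    """Arguments following a cmd.exe verb (ren, copy, ...), quotes removed."""
    m = re.search(r"\b" + verb + r"\s+(.*)", cmdline, re.I)
    if not m:
        return []
    return [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', m.group(1))]


def office_spawns_cmd(e):            # EXCEL.EXE (2972) -> cmd.exe (3876)
    return e.image == "cmd.exe" and e.parent in OFFICE_APPS

def rename_to_exe(e):                # ren xcf4cd9.png xcf4cd9.exe
    args = _args_after(e.cmdline, "ren")
    return (len(args) >= 2
            and args[0].rsplit(".", 1)[-1].lower() in NON_PE_EXT
            and args[1].lower().endswith(".exe"))

def exec_from_temp(e):               # xcf4cd9.exe started out of %TEMP%
    return e.image != "cmd.exe" and re.search(r'\\AppData\\Local\\Temp\\[^"\\]+\.exe', e.cmdline, re.I) is not None

def motw_wipe(e):                    # type nul > file:Zone.Identifier
    return re.search(r'type\s+nul\s*>\s*"?[^"\s]+:Zone\.Identifier', e.cmdline, re.I) is not None

def copy_to_user_media(e):           # copy ... Music\mp3.exe
    args = _args_after(e.cmdline, "copy")
    return len(args) >= 2 and re.search(r"\\Users\\[^\\]+\\" + MEDIA_DIRS + r"\\[^\\]+\.exe$", args[1], re.I) is not None

def odd_switch_separator(e):         # cmd /c, "..." : comma is a valid cmd.exe delimiter
    return e.image == "cmd.exe" and re.search(r"/[ck][,;=]", e.cmdline, re.I) is not None


RULES = {f.__name__: f for f in (office_spawns_cmd, rename_to_exe, exec_from_temp,
                                  motw_wipe, copy_to_user_media, odd_switch_separator)}


def evaluate(events):
    """Map pid -> list of rule names that fired on that process."""
    hits = {}
    for e in events:
        fired = [name for name, rule in RULES.items() if rule(e)]
        if fired:
            hits[e.pid] = fired
    return hits


def verdict(hits, threshold=3):
    """Count distinct rules across the tree: each alone is weak, the combination is not."""
    distinct = {name for fired in hits.values() for name in fired}
    return "malicious" if len(distinct) >= threshold else ("suspicious" if distinct else "clean")


# Constructed from the process table above (PIDs, parents and command lines as listed).
SAMPLE_EVENTS = [
    ProcEvent(2972, "excel.exe", "explorer.exe", r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'),
    ProcEvent(3876, "cmd.exe", "excel.exe",
              r'"C:\Windows\System32\cmd.exe" /c ren "C:\Users\admin\AppData\Local\Temp\xcf4cd9.png" "xcf4cd9.exe" '
              r'&start "" "C:\Users\admin\AppData\Local\Temp\xcf4cd9.exe"'),
    ProcEvent(2520, "xcf4cd9.exe", "cmd.exe", r'"C:\Users\admin\AppData\Local\Temp\xcf4cd9.exe"'),
    ProcEvent(2096, "cmd.exe", "xcf4cd9.exe",
              r'"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\Temp\xcf4cd9.exe:Zone.Identifier"'),
    ProcEvent(3232, "cmd.exe", "xcf4cd9.exe",
              r'"C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\AppData\Local\Temp\xcf4cd9.exe" "C:\Users\admin\Music\mp3.exe"'),
    ProcEvent(3820, "cmd.exe", "xcf4cd9.exe", r'"C:\Windows\System32\cmd.exe" /c, "C:\Users\admin\Music\mp3.exe"'),
    ProcEvent(2684, "mp3.exe", "cmd.exe", r'"C:\Users\admin\Music\mp3.exe"'),
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for pid, fired in hits.items():
        print(pid, ", ".join(fired))
    print("verdict:", verdict(hits))
```

The rules deliberately match on arguments rather than on fixed strings: rename_to_exe parses the ren operands so that a different decoy extension still fires, and odd_switch_separator covers the comma, semicolon and equals forms of the cmd.exe switch that a literal "/c " match would miss.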
Total events: 1 456
Read events: 1 294
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 82
Text files: 162
Unknown types: 4

Dropped files

PID   Process     Filename
2972  EXCEL.EXE   C:\Users\admin\AppData\Local\Temp\CVRE398.tmp.cvr
2972  EXCEL.EXE   C:\Users\admin\AppData\Local\Temp\xcf4cd9.png
2972  EXCEL.EXE   C:\Users\admin\AppData\Local\Temp\{46D079B7-2307-49F7-918A-D8B41CAB727D}
2972  EXCEL.EXE   C:\Users\admin\AppData\Local\Temp\{08BF9940-54EB-4558-ACFA-07E79FA569AC}
2972  EXCEL.EXE   C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\tests-example[1].xls
2972  EXCEL.EXE   C:\Users\admin\AppData\Local\Temp\~DF8198914FFB05570B.TMP
2972  EXCEL.EXE   C:\Users\admin\AppData\Local\Temp\~DF3353BFAD7D1B9021.TMP
3956  chrome.exe  C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
3956  chrome.exe  C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
3956  chrome.exe  C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1

The Type, MD5 and SHA256 columns were empty in this export. xcf4cd9.png, written by EXCEL.EXE, is the executable that cmd.exe (PID 3876) renames to xcf4cd9.exe and starts; tests-example[1].xls is the benign cmu.edu spreadsheet referenced in the document's hyperlink.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 21
TCP/UDP connections: 43
DNS requests: 20
Threats: 0

HTTP requests

PID   Process      Method    Code  IP               URL                                                       CN  Reputation
2972  EXCEL.EXE    OPTIONS   301   128.2.42.52:80   http://www.cmu.edu/blackboard/files/evaluate/             US  whitelisted
2972  EXCEL.EXE    GET       301   128.2.42.52:80   http://www.cmu.edu/blackboard/files/evaluate/tests-example.xls  US  whitelisted
2972  EXCEL.EXE    OPTIONS   301   128.2.42.52:80   http://www.cmu.edu/blackboard/files/evaluate/             US  whitelisted
976   svchost.exe  PROPFIND  301   128.2.42.52:80   http://www.cmu.edu/blackboard/files                       US  whitelisted
2972  EXCEL.EXE    HEAD      301   128.2.42.52:80   http://www.cmu.edu/blackboard/files/evaluate/tests-example.xls  US  whitelisted
976   svchost.exe  OPTIONS   301   128.2.42.52:80   http://www.cmu.edu/blackboard/files/evaluate              US  whitelisted
976   svchost.exe  PROPFIND  301   128.2.42.52:80   http://www.cmu.edu/blackboard/files                       US  whitelisted
976   svchost.exe  PROPFIND  301   128.2.42.52:80   http://www.cmu.edu/                                       US  whitelisted
976   svchost.exe  PROPFIND  301   128.2.42.52:80   http://www.cmu.edu/blackboard                             US  whitelisted
976   svchost.exe  PROPFIND  301   128.2.42.52:80   http://www.cmu.edu/blackboard/files                       US  whitelisted

The Type and Size columns were empty in this export. Every row shown is a 301 redirect from the cmu.edu host. The OPTIONS/PROPFIND/HEAD sequence, partly issued by svchost.exe (PID 976), is the WebDAV discovery that Office and Windows perform when a document references an HTTP URL; the WebClient (WebDAV Mini-Redirector) service runs inside svchost.exe, which is why a system process appears here. This export lists only the cmu.edu requests: the download of xcf4cd9.png itself is not among them, but the EXCEL.EXE connection to ddl7.data.hu (Connections, below) and the four ET alerts on PID 2972 (Threats, below) are the trace of that download.

Connections

PID   Process      IP                   Domain                         ASN                          CN  Reputation
3956  chrome.exe   216.58.207.35:443    www.google.com.ua              Google Inc.                  US  whitelisted
2972  EXCEL.EXE    217.65.97.65:80      ddl7.data.hu                   Magyar Telekom plc.          HU  suspicious
3956  chrome.exe   172.217.23.163:443   clientservices.googleapis.com  Google Inc.                  US  whitelisted
976   svchost.exe  128.2.42.52:443      www.cmu.edu                    Carnegie Mellon University   US  unknown
2972  EXCEL.EXE    128.2.42.52:80       www.cmu.edu                    Carnegie Mellon University   US  unknown
2972  EXCEL.EXE    128.2.42.52:443      www.cmu.edu                    Carnegie Mellon University   US  unknown
976   svchost.exe  128.2.42.52:80       www.cmu.edu                    Carnegie Mellon University   US  unknown
3956  chrome.exe   172.217.22.109:443   accounts.google.com            Google Inc.                  US  whitelisted
3956  chrome.exe   216.58.205.227:443   www.gstatic.com                Google Inc.                  US  whitelisted
3956  chrome.exe   172.217.16.142:443   clients1.google.com            Google Inc.                  US  whitelisted

ddl7.data.hu (217.65.97.65:80, contacted by EXCEL.EXE over plain HTTP) is the only endpoint here that is neither Google nor cmu.edu and the only one marked suspicious; it is the download host for the executable stage. The same domain is listed as whitelisted in the DNS table below, so treat the reputation column as a hint rather than a verdict. The chrome.exe traffic comes from the analyst's manual browser launch ("Manual execution by user" above) and is not part of the infection chain.

DNS requests

Domain                         IP(s)                                       Reputation
ddl7.data.hu                   217.65.97.65, 217.65.97.68, 217.65.97.33    whitelisted
www.cmu.edu                    128.2.42.52                                 whitelisted
clientservices.googleapis.com  172.217.23.163                              whitelisted
www.google.com.ua              216.58.207.35                               whitelisted
accounts.google.com            172.217.22.109                              shared
clients1.google.com            172.217.16.142                              whitelisted
ssl.gstatic.com                216.58.208.35                               whitelisted
www.gstatic.com                216.58.205.227                              whitelisted
apis.google.com                172.217.21.206                              whitelisted
clients2.google.com            172.217.23.142                              whitelisted

Threats

PID   Process          Class                                  Message
2972  EXCEL.EXE        Potential Corporate Privacy Violation  ET POLICY Unsupported/Fake Windows NT Version 5.0
2972  EXCEL.EXE        Potentially Bad Traffic                ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2972  EXCEL.EXE        Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
2972  EXCEL.EXE        Misc activity                          ET INFO EXE - Served Attached HTTP
1520  InstallUtil.exe  A Network Trojan was detected          MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT connection
3072  WerFault.exe     Potential Corporate Privacy Violation  ET POLICY Application Crash Report Sent to Microsoft

1 ETPRO signatures available at the full report

The four alerts on PID 2972 fire on the plain-HTTP executable download performed by Excel itself, which is the earliest network-level point at which this chain can be blocked. The Remcos alert is raised on InstallUtil.exe (PID 1520), not on the dropped loader, matching the behavioural signatures above; the WerFault.exe alert is the Windows Error Reporting upload that follows the mp3.exe crash recorded in the process table.
No debug info