| Field | Value |
|---|---|
| File name | inv_755031.xls |
| Full analysis | https://app.any.run/tasks/6913c8e5-34ae-4a5a-89d4-8cdf1e86f90d |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns. |
| Analysis date | March 30, 2020, 21:46:33 |
| OS | Windows 10 Professional (build: 16299, 64 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/vnd.ms-excel |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Mar 19 13:21:36 2020, Last Saved Time/Date: Mon Mar 30 15:13:48 2020, Security: 0 |
| MD5 | 12C929ED85A1B9AEB10FFBFB784C4B24 |
| SHA1 | 6BE32C13566BBF3187E5117A97A0E25EB3E6C50D |
| SHA256 | C062C4986F85F174809C7CFF7591DB1C4B4127E68DA57FB69719432A5E010AB2 |
| SSDEEP | 1536:zZk3hbdlylKsgqopeJBWhZFGkE+cL2NdA4VSEGBCCwfQjpDoXb1zkaKrvgexmE:zZk3hbdlylKsgqopeJBWhZFGkE+cL2Na |

| Extension | File type (score) |
|---|---|
| .xls | Microsoft Excel sheet (78.9) |

| Metadata field | Value |
|---|---|
| Author | — |
| LastModifiedBy | — |
| Software | Microsoft Excel |
| CreateDate | 2020:03:19 13:21:36 |
| ModifyDate | 2020:03:30 14:13:48 |
| Security | None |
| CodePage | Windows Latin 1 (Western European) |
| Company | — |
| AppVersion | 16 |
| ScaleCrop | No |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| TitleOfParts | Sheet1 |
| HeadingPairs | — |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 5184 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\inv_755031.xls" | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 4; Version: 16.0.12026.20264 |
| 2412 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4092 | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Application Error Reporting; Exit code: 0; Version: 16.0.12026.20252 |
| 4232 | C:\WINDOWS\system32\dwwin.exe -x -s 4092 | C:\WINDOWS\system32\dwwin.exe | — | DW20.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Error Reporting; Exit code: 0; Version: 10.0.16299.15 (WinBuild.160101.0800) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 4232 | dwwin.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER5858.tmp.mdmp | — | — | — |
| 5184 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF212647B481FDE9F7.TMP | — | — | — |
| 5184 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal | binary | 4061E42681292A93C310C5EE667D6AFF | D992F7BE1EF98285375FD32907741C4E23453961DC892E99FEEEA27F974A5224 |
| 5184 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm | binary | A653B79A23CCA851B816C95FCA9DDC33 | FE5990237F7765084F89927A2BF6513F98695F1F01F732B8DB40BEE2E001D98E |
| 4232 | dwwin.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER5ED2.tmp.WERInternalMetadata.xml | xml | BB12D247678216CA0BBC239D03D8DB90 | 1F59B73F5CC63AF0151E03F3DF0A5F391B797DCF78ABD20EA1CFF467E2D507D0 |
| 5184 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\.ses | text | 14BB9C2B0849293583D2074271A3194E | AA084F3D862A4F66EDB68B78B927CB36EC86AE7228548B81A8CAF60489978A8F |
| 5184 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\inv_755031.xls.LNK | lnk | D48AC6025E4CAA51BBFF23D4109F49BC | 16FF0CB6C000FB309B13DE2FBEC99BBAA31157FD099A68F8A40A303B91FCD7BF |
| 5184 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | ED2E90D741B355794F26A60722D6F166 | FCCF43B27BD3ADB7E6E13F006FCC30D1BF75CECC35793C3BD9B5DCD9BFF4FE22 |
| 4232 | dwwin.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_a2f0be3fbba3375c9c4ad00688d285bfa2d811c_00000000_108d6345\Report.wer | text | D6BD30664BF9DA7820BD7E36984D9155 | 4ABD87D86E3BD3A115978AEBD10CF623ACEE9EEC79D5E5E6EB4D571612358FDB |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
5184 | EXCEL.EXE | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
3668 | svchost.exe | 20.191.48.196:443 | settings-win-ppe.data.microsoft.com | Microsoft Corporation | US | unknown |
5184 | EXCEL.EXE | 52.114.158.91:443 | self.events.data.microsoft.com | Microsoft Corporation | US | unknown |
| Domain | IP | Reputation |
|---|---|---|
| config.edge.skype.com | — | whitelisted |
| self.events.data.microsoft.com | — | whitelisted |
| settings-win-ppe.data.microsoft.com | — | whitelisted |