File name: inv_755031.xls
Full analysis: https://app.any.run/tasks/6913c8e5-34ae-4a5a-89d4-8cdf1e86f90d
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users also get infected through mass spam email campaigns.

Analysis date: March 30, 2020, 21:46:33
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags: macros, emotet-doc, emotet
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Mar 19 13:21:36 2020, Last Saved Time/Date: Mon Mar 30 15:13:48 2020, Security: 0
MD5: 12C929ED85A1B9AEB10FFBFB784C4B24
SHA1: 6BE32C13566BBF3187E5117A97A0E25EB3E6C50D
SHA256: C062C4986F85F174809C7CFF7591DB1C4B4127E68DA57FB69719432A5E010AB2
SSDEEP: 1536:zZk3hbdlylKsgqopeJBWhZFGkE+cL2NdA4VSEGBCCwfQjpDoXb1zkaKrvgexmE:zZk3hbdlylKsgqopeJBWhZFGkE+cL2Na

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 5184)
      • DW20.EXE (PID: 2412)
  • SUSPICIOUS
    • Starts Microsoft Office Application
      • EXCEL.EXE (PID: 5184)
    • Reads CPU info
      • dwwin.exe (PID: 4232)
    • Reads the machine GUID from the registry
      • dwwin.exe (PID: 4232)
    • Reads Environment values
      • dwwin.exe (PID: 4232)
    • Creates files in the program directory
      • dwwin.exe (PID: 4232)
  • INFO
    • Reads Environment values
      • EXCEL.EXE (PID: 5184)
    • Scans artifacts that could help determine the target
      • EXCEL.EXE (PID: 5184)
    • Creates files in the user directory
      • EXCEL.EXE (PID: 5184)
    • Reads the machine GUID from the registry
      • EXCEL.EXE (PID: 5184)
    • Reads Microsoft Office registry keys
      • DW20.EXE (PID: 2412)
      • EXCEL.EXE (PID: 5184)
No Malware configuration.

TRiD: .xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: -
LastModifiedBy: -
Software: Microsoft Excel
CreateDate: 2020:03:19 13:21:36
ModifyDate: 2020:03:30 14:13:48
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Sheet1
HeadingPairs: Worksheets, 1
No data.
Total processes: 91
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start -> excel.exe -> dw20.exe (no specs) -> dwwin.exe (no specs)

Process information

PID: 5184
  CMD: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\inv_755031.xls"
  Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Excel
  Exit code: 4
  Version: 16.0.12026.20264

PID: 2412
  CMD: "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4092
  Path: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
  Parent process: EXCEL.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Application Error Reporting
  Exit code: 0
  Version: 16.0.12026.20252

PID: 4232
  CMD: C:\WINDOWS\system32\dwwin.exe -x -s 4092
  Path: C:\WINDOWS\system32\dwwin.exe
  Parent process: DW20.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Error Reporting
  Exit code: 0
  Version: 10.0.16299.15 (WinBuild.160101.0800)
Total events: 1 334
Read events: 1 192
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 2
Text files: 5
Unknown types: 2

Dropped files

PID 4232, dwwin.exe: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5858.tmp.mdmp
  Type: -
  MD5: -
  SHA256: -

PID 5184, EXCEL.EXE: C:\Users\admin\AppData\Local\Temp\~DF212647B481FDE9F7.TMP
  Type: -
  MD5: -
  SHA256: -

PID 5184, EXCEL.EXE: C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
  Type: binary
  MD5: 4061E42681292A93C310C5EE667D6AFF
  SHA256: D992F7BE1EF98285375FD32907741C4E23453961DC892E99FEEEA27F974A5224

PID 5184, EXCEL.EXE: C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm
  Type: binary
  MD5: A653B79A23CCA851B816C95FCA9DDC33
  SHA256: FE5990237F7765084F89927A2BF6513F98695F1F01F732B8DB40BEE2E001D98E

PID 4232, dwwin.exe: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5ED2.tmp.WERInternalMetadata.xml
  Type: xml
  MD5: BB12D247678216CA0BBC239D03D8DB90
  SHA256: 1F59B73F5CC63AF0151E03F3DF0A5F391B797DCF78ABD20EA1CFF467E2D507D0

PID 5184, EXCEL.EXE: C:\Users\admin\AppData\Local\Temp\.ses
  Type: text
  MD5: 14BB9C2B0849293583D2074271A3194E
  SHA256: AA084F3D862A4F66EDB68B78B927CB36EC86AE7228548B81A8CAF60489978A8F

PID 5184, EXCEL.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\inv_755031.xls.LNK
  Type: lnk
  MD5: D48AC6025E4CAA51BBFF23D4109F49BC
  SHA256: 16FF0CB6C000FB309B13DE2FBEC99BBAA31157FD099A68F8A40A303B91FCD7BF

PID 5184, EXCEL.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Type: text
  MD5: ED2E90D741B355794F26A60722D6F166
  SHA256: FCCF43B27BD3ADB7E6E13F006FCC30D1BF75CECC35793C3BD9B5DCD9BFF4FE22

PID 4232, dwwin.exe: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_a2f0be3fbba3375c9c4ad00688d285bfa2d811c_00000000_108d6345\Report.wer
  Type: text
  MD5: D6BD30664BF9DA7820BD7E36984D9155
  SHA256: 4ABD87D86E3BD3A115978AEBD10CF623ACEE9EEC79D5E5E6EB4D571612358FDB
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 4
Threats: 0

HTTP requests: No HTTP requests

Connections

PID   Process      IP                  Domain                               ASN                    CN  Reputation
5184  EXCEL.EXE    13.107.3.128:443    config.edge.skype.com                Microsoft Corporation  US  whitelisted
3668  svchost.exe  20.191.48.196:443   settings-win-ppe.data.microsoft.com  Microsoft Corporation  US  unknown
5184  EXCEL.EXE    52.114.158.91:443   self.events.data.microsoft.com       Microsoft Corporation  US  unknown

DNS requests

Domain                               IP                            Reputation
config.edge.skype.com                13.107.3.128                  whitelisted
self.events.data.microsoft.com       52.114.158.91, 52.114.132.73  whitelisted
settings-win-ppe.data.microsoft.com  20.191.48.196                 whitelisted

Threats

No threats detected
No debug info