Malware analysis c6f066035c64a1309d1d958b6536882847da51f2eb5cebe670b05bbdd97c12d1 Malicious activity

Add for printing

File name:	c6f066035c64a1309d1d958b6536882847da51f2eb5cebe670b05bbdd97c12d1
Full analysis:	https://app.any.run/tasks/fe17b636-3a35-4728-b6f7-3043b063760d
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. Netwire is an advanced RAT — it is a malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and MacOS. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	November 01, 2020, 19:05:06
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open macros40 rat netwire emotet-doc emotet
Indicators:
MIME:	application/vnd.ms-excel
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: DrMDtHRzznZBX, Last Saved By: fckav, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jun 22 19:07:27 2020, Last Saved Time/Date: Wed Oct 14 12:47:11 2020, Security: 0
MD5:	332F8351C92D72260846A9F8B5FDD7CB
SHA1:	1B924898977E10900EAFCD655E282AE49BB476C1
SHA256:	C6F066035C64A1309D1D958B6536882847DA51F2EB5CEBE670B05BBDD97C12D1
SSDEEP:	1536:7Yk3hbdlylKsgqopeJBWhZFGkE+cL2NdAomrUq/r4lDCUw5l64bycklZhVCeBq1V:7Yk3hbdlylKsgqopeJBWhZFGkE+cL2Nj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)
srvpost (2.12.72)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - LJDVSoK.exe (PID: 2752)
- Unusual execution from Microsoft Office
  - EXCEL.EXE (PID: 1788)
- Executable content was dropped or overwritten
  - EXCEL.EXE (PID: 1788)
- Writes to a start menu file
  - LJDVSoK.exe (PID: 2752)
- Application was dropped or rewritten from another process
  - LJDVSoK.exe (PID: 2752)
- NETWIRE was detected
  - LJDVSoK.exe (PID: 2752)
SUSPICIOUS
- Executable content was dropped or overwritten
  - LJDVSoK.exe (PID: 2752)
- Creates files in the user directory
  - LJDVSoK.exe (PID: 2752)
INFO
- Reads Microsoft Office registry keys
  - EXCEL.EXE (PID: 1788)
- Reads Internet Cache Settings
  - EXCEL.EXE (PID: 1788)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.xls	\|	Microsoft Excel sheet (48)
.xls	\|	Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

CompObjUserType:	Microsoft Excel 2003 Worksheet
CompObjUserTypeLen:	32
HeadingPairs:	Worksheets 1 Excel 4.0 Macros 1
TitleOfParts:	Sheet1 E
HyperlinksChanged:	No
SharedDoc:	No
LinksUpToDate:	No
ScaleCrop:	No
AppVersion:	16
Company:	-
CodePage:	Windows Latin 1 (Western European)
Security:	None
ModifyDate:	2020:10:14 11:47:11
CreateDate:	2020:06:22 18:07:27
Software:	Microsoft Excel
LastModifiedBy:	fckav
Author:	DrMDtHRzznZBX

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Parent process
1788	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000
2752	"C:\jokwzPk\luFzdsM\LJDVSoK.exe"	C:\jokwzPk\luFzdsM\LJDVSoK.exe	EXCEL.EXE
User: admin Company: Nevada Graph company Integrity Level: MEDIUM Description: Nevada Graph Application Version: 1.2.4

Add for printing

Total events

936

Read events

870

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1788	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\CVR3FC0.tmp.cvr		—
		MD5:—	SHA256:—
1788	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\Cab4B89.tmp		—
		MD5:—	SHA256:—
1788	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\Tar4B8A.tmp		—
		MD5:—	SHA256:—
2752	LJDVSoK.exe	C:\Users\admin\AppData\Local\Temp\fdsdf		—
		MD5:—	SHA256:—
1788	EXCEL.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\63076534ABCEF805BA677A217115E0D0		der
		MD5:B595A697E17C3816617FFF501BA2E800	SHA256:D89FA9F87950558120433D54A532D50CD30DFE9A6F28B33A68DC95B446E9CAA5
2752	LJDVSoK.exe	C:\Users\admin\AppData\Local\Temp\nnffdn.png		image
		MD5:5A4B0DE87F02958549A9C2B41812BC73	SHA256:C04DBF53B37FD357CACC0CD591AA36AC0861A68BD4D3BA7E141C83BAF87F8149
1788	EXCEL.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\63076534ABCEF805BA677A217115E0D0		binary
		MD5:83E58C72EC3DD0E03213231C05C4B958	SHA256:0FB7140436C68FEFBEE170493AA602AE79C3E3A2D6393F56D0AADD610240F6B0
1788	EXCEL.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08		binary
		MD5:9497E4E30DF648C1056999F800463942	SHA256:C17B297C953611DBCE411220245E2935636CC709E59994879065CA76E1664D3E
1788	EXCEL.EXE	C:\jokwzPk\luFzdsM\LJDVSoK.exe		executable
		MD5:B8D054E4138B04D7A4C0884E24877345	SHA256:A776FEEB1C909A3791E550E399C4ABBFFEA22D62E687302F9DED26064D29E295
1788	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\2019[1].png		executable
		MD5:B8D054E4138B04D7A4C0884E24877345	SHA256:A776FEEB1C909A3791E550E399C4ABBFFEA22D62E687302F9DED26064D29E295

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

959

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1788	EXCEL.EXE	GET	200	2.16.186.11:80	http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D	unknown	der	1.37 Kb	whitelisted
1788	EXCEL.EXE	GET	200	2.16.186.27:80	http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgRwY0accMWhlW7PTdQZAscz%2Bg%3D%3D	unknown	der	527 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1788	EXCEL.EXE	2.16.186.27:80	ocsp.int-x3.letsencrypt.org	Akamai International B.V.	—	whitelisted
1788	EXCEL.EXE	2.16.186.11:80	isrg.trustid.ocsp.identrust.com	Akamai International B.V.	—	whitelisted
1788	EXCEL.EXE	87.98.154.146:443	17-14.com	OVH SAS	FR	malicious
—	—	89.39.107.244:443	—	WorldStream B.V.	NL	malicious
2752	LJDVSoK.exe	89.39.107.244:443	—	WorldStream B.V.	NL	malicious

DNS requests

Domain	IP	Reputation
17-14.com	87.98.154.146	malicious
isrg.trustid.ocsp.identrust.com	2.16.186.11 2.16.186.35	whitelisted
ocsp.int-x3.letsencrypt.org	2.16.186.27 2.16.186.11	whitelisted
dns.msftncsi.com	131.107.255.255	shared

Threats

PID	Process	Class	Message
2752	LJDVSoK.exe	A Network Trojan was detected	REMOTE [PTsecurity] NanoCore/NetWire/Kovter
2752	LJDVSoK.exe	A Network Trojan was detected	MALWARE [PTsecurity] Netwire.RAT
2752	LJDVSoK.exe	A Network Trojan was detected	REMOTE [PTsecurity] NanoCore/NetWire/Kovter
2752	LJDVSoK.exe	A Network Trojan was detected	MALWARE [PTsecurity] Netwire.RAT
2752	LJDVSoK.exe	A Network Trojan was detected	REMOTE [PTsecurity] NanoCore/NetWire/Kovter
2752	LJDVSoK.exe	A Network Trojan was detected	MALWARE [PTsecurity] Netwire.RAT
2752	LJDVSoK.exe	A Network Trojan was detected	REMOTE [PTsecurity] NanoCore/NetWire/Kovter
2752	LJDVSoK.exe	A Network Trojan was detected	MALWARE [PTsecurity] Netwire.RAT
2752	LJDVSoK.exe	A Network Trojan was detected	REMOTE [PTsecurity] NanoCore/NetWire/Kovter
2752	LJDVSoK.exe	A Network Trojan was detected	MALWARE [PTsecurity] Netwire.RAT

Add for printing

No debug info

General Info

c6f066035c64a1309d1d958b6536882847da51f2eb5cebe670b05bbdd97c12d1

332F8351C92D72260846A9F8B5FDD7CB

1B924898977E10900EAFCD655E282AE49BB476C1

C6F066035C64A1309D1D958B6536882847DA51F2EB5CEBE670B05BBDD97C12D1

1536:7Yk3hbdlylKsgqopeJBWhZFGkE+cL2NdAomrUq/r4lDCUw5l64bycklZhVCeBq1V:7Yk3hbdlylKsgqopeJBWhZFGkE+cL2Nj

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Unusual execution from Microsoft Office

Executable content was dropped or overwritten

Writes to a start menu file

Application was dropped or rewritten from another process

NETWIRE was detected

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

INFO

Reads Microsoft Office registry keys

Reads Internet Cache Settings

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings