| Field | Value |
|---|---|
| File name | a363b6bd5fafda8a0fb4ba75e1046bc6a29688bc.xls |
| Full analysis | https://app.any.run/tasks/148bc65e-9bf5-4235-be97-ffd6f38d3a52 |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into a very destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
| Analysis date | February 19, 2019, 12:55:56 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.ms-excel |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Last Saved By: office, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Feb 19 08:42:35 2019, Last Saved Time/Date: Tue Feb 19 08:48:19 2019, Security: 0 |
| MD5 | EEB1F011327633310A3D3D9F80F44076 |
| SHA1 | A363B6BD5FAFDA8A0FB4BA75E1046BC6A29688BC |
| SHA256 | C6FFBEAC3B43D79319CEB09A23690A0004A2C02CFD3E66F31BB7BAD84D2A688A |
| SSDEEP | 1536:Xkk3hbdlylKsgqopeJBWhZFGkE+cL2NdA901AJjfl0pcCqFjZak6kW3:Xkk3hbdlylKsgqopeJBWhZFGkE+cL2Nx |
| Extension | Identification | Score |
|---|---|---|
| .xls | Microsoft Excel sheet | 48 |
| .xls | Microsoft Excel sheet (alternate) | 39.2 |
| Property | Value |
|---|---|
| Author | - |
| LastModifiedBy | office |
| Software | Microsoft Excel |
| CreateDate | 2019:02:19 08:42:35 |
| ModifyDate | 2019:02:19 08:48:19 |
| Security | None |
| CodePage | Windows Latin 1 (Western European) |
| Company | - |
| AppVersion | 16 |
| ScaleCrop | No |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| TitleOfParts | Sheet1 |
| HeadingPairs | |
| CompObjUserTypeLen | 32 |
| CompObjUserType | Microsoft Excel 2003 Worksheet |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3588 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | | explorer.exe |
| 3332 | C:\Users\admin\AppData\Local\Temp\rw5t9.exe | C:\Users\admin\AppData\Local\Temp\rw5t9.exe | | EXCEL.EXE |

PID 3588 (EXCEL.EXE): User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: Microsoft Excel, Exit code: 0, Version: 14.0.6024.1000

PID 3332 (rw5t9.exe): User: admin, Company: CANTARPROD SRL, Integrity Level: MEDIUM, Description: Search Integration Handler, Exit code: 3762504530 (0xE0434352, the exception code the .NET CLR uses for managed exceptions, so the dropped binary was terminated by an unhandled exception rather than exiting cleanly), Version: 8.10.11.3
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3588 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRDDCE.tmp.cvr | — | — | — |
| 3588 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFCFF5C222AA15EDBD.TMP | — | — | — |
| 3588 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF344FD933D84B3151.TMP | — | — | — |
| 3588 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\a363b6bd5fafda8a0fb4ba75e1046bc6a29688bc.xls | document | FA8AFA11F57B2E492ECAFB46B003A7B5 | CE9AF7138DE219A9C2EB5C221EB78E5F15B0B80E58035F075A349F2F0D1DDB8B |
| 3588 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\padam[1].exe | executable | 7707ADCE0B0E9AF8373D8DCEB1D16FDC | 1CA77A80AD2274F8E94187C0D271F78D28EC101A7256B00E68ECC410EA561B8E |
| 3588 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\rw5t9.exe | executable | 7707ADCE0B0E9AF8373D8DCEB1D16FDC | 1CA77A80AD2274F8E94187C0D271F78D28EC101A7256B00E68ECC410EA561B8E |

The cached padam[1].exe and the Temp copy rw5t9.exe carry identical hashes: the download went through WinINet (hence the Content.IE5 cache entry), and EXCEL.EXE then wrote the same bytes to %TEMP% under a new name and launched them as PID 3332. The .xls that EXCEL.EXE wrote to Temp has different hashes from the submitted sample (MD5 EEB1F011327633310A3D3D9F80F44076), so it is not a byte-identical copy of the file under analysis.
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3588 | EXCEL.EXE | GET | 200 | 107.180.76.168:80 | http://lemycofreight.com/wp-content/themes/temp/padam.exe | US | executable | 273 KB | malicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3588 | EXCEL.EXE | 107.180.76.168:80 | lemycofreight.com | GoDaddy.com, LLC | US | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| lemycofreight.com | | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
| 3588 | EXCEL.EXE | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious |
| 3588 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
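Worked triage example, added here and not ANY.RUN's code or part of the original report: the event records in PROCS, FILES and HTTP are transcribed by hand from the process, file and HTTP tables above, while OFFICE_HOSTS, the USER_WRITABLE path pattern and all function names are illustrative assumptions. It ties the three tables together the way an analyst would: an Office host fetching a PE over HTTP, the same SHA256 turning up in the WinINet cache and in %TEMP% under a new name, and Excel then spawning that %TEMP% binary.

```python
"""Triage the behavioural events of the sandbox report above.

Added example, not ANY.RUN's code. PROCS, FILES and HTTP are transcribed from
the report's tables; OFFICE_HOSTS and USER_WRITABLE are assumptions chosen for
illustration, not rules taken from the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Office hosts whose children and downloads are worth scrutinising (assumption).
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# User-writable locations where a macro typically stages its payload (assumption).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming|Local\\Microsoft\\Windows)\\", re.I
)

PAYLOAD_SHA256 = "1CA77A80AD2274F8E94187C0D271F78D28EC101A7256B00E68ECC410EA561B8E"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    parent_image: str


@dataclass(frozen=True)
class FileEvent:
    pid: int
    process: str
    path: str
    kind: str     # report's "Type" column; "" where the report shows none
    sha256: str   # "" where the report shows no hash


@dataclass(frozen=True)
class HttpEvent:
    pid: int
    process: str
    method: str
    url: str
    content_type: str


# Constructed from the report tables above.
PROCS = [
    ProcEvent(3588, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", "explorer.exe"),
    ProcEvent(3332, r"C:\Users\admin\AppData\Local\Temp\rw5t9.exe", "EXCEL.EXE"),
]
FILES = [
    FileEvent(3588, "EXCEL.EXE", r"C:\Users\admin\AppData\Local\Temp\CVRDDCE.tmp.cvr", "", ""),
    FileEvent(3588, "EXCEL.EXE",
              r"C:\Users\admin\AppData\Local\Temp\a363b6bd5fafda8a0fb4ba75e1046bc6a29688bc.xls",
              "document", "CE9AF7138DE219A9C2EB5C221EB78E5F15B0B80E58035F075A349F2F0D1DDB8B"),
    FileEvent(3588, "EXCEL.EXE",
              r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files"
              r"\Content.IE5\R9ZEWH8D\padam[1].exe", "executable", PAYLOAD_SHA256),
    FileEvent(3588, "EXCEL.EXE", r"C:\Users\admin\AppData\Local\Temp\rw5t9.exe",
              "executable", PAYLOAD_SHA256),
]
HTTP = [
    HttpEvent(3588, "EXCEL.EXE", "GET",
              "http://lemycofreight.com/wp-content/themes/temp/padam.exe", "executable"),
]


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def office_children_in_user_dirs(procs: List[ProcEvent]) -> List[ProcEvent]:
    """Children of an Office host whose image lives in a user-writable directory."""
    return [p for p in procs
            if p.parent_image.lower() in OFFICE_HOSTS and USER_WRITABLE.search(p.image)]


def office_pe_downloads(http: List[HttpEvent]) -> List[HttpEvent]:
    """HTTP requests issued by an Office host whose response body was a PE."""
    return [h for h in http
            if h.process.lower() in OFFICE_HOSTS and h.content_type == "executable"]


def executables_by_hash(files: List[FileEvent]) -> Dict[str, Set[str]]:
    """Group dropped executables by SHA256 so renamed copies collapse into one IOC."""
    groups = defaultdict(set)
    for f in files:
        if f.kind == "executable" and f.sha256:
            groups[f.sha256].add(f.path)
    return dict(groups)


def triage(procs, files, http) -> Dict[int, dict]:
    """Link each suspicious child to its file hash and to the URL the bytes came from."""
    by_hash = executables_by_hash(files)
    hash_of = {basename(f.path): f.sha256 for f in files if f.sha256}
    result = {}
    for child in office_children_in_user_dirs(procs):
        sha = hash_of.get(basename(child.image), "")
        # WinINet caches name.exe as name[1].exe; strip the counter before comparing.
        cached = {re.sub(r"\[\d+\](?=\.)", "", basename(p)) for p in by_hash.get(sha, ())}
        urls = [h.url for h in office_pe_downloads(http)
                if h.url.rsplit("/", 1)[-1].lower() in cached]
        result[child.pid] = {"image": child.image, "sha256": sha, "download_urls": urls}
    return result


if __name__ == "__main__":
    for pid, info in triage(PROCS, FILES, HTTP).items():
        print(pid, info["image"], info["sha256"], info["download_urls"])
```

Each check is deliberately independent so it can be lifted into a SIEM rule on its own: an Office parent launching a %TEMP% binary fires even when the network leg is missing, and the PE-over-HTTP check fires even if the drop is never executed; the hash join in triage is what turns the two alerts plus the cache artefact into one chain with a single payload IOC.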