File name: | cc5e40bf4742aba6aad75c0a4a4b7ada6e1c9408ff351544a1925dbec07412a1 |
Full analysis: | https://app.any.run/tasks/26f3b848-dfa3-4c11-9483-cc9b9e7ef3f2 |
Verdict: | Malicious activity |
Analysis date: | March 22, 2019, 06:42:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 936, Author: luying, Last Saved By: sunli, Create Time/Date: Thu Nov 1 00:43:29 2018, Last Saved Time/Date: Mon Mar 11 07:11:04 2019, Security: 0 |
MD5: | 7FE06955EF66CC4718790D090A0A7810 |
SHA1: | 56ECAF08E3D2D0B2007AA6F1CB32F9B59A70D27D |
SHA256: | CC5E40BF4742ABA6AAD75C0A4A4B7ADA6E1C9408FF351544A1925DBEC07412A1 |
SSDEEP: | 6144:lVUpjDqF+wRj/eA05i2ACGKJ/7KOHwIkJVs/whqJ9YPMFjoklGCL8RtzaPqnA2cH:1dd8/p |
.xls | | | Microsoft Excel sheet (48) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (39.2) |
CompObjUserType: | Microsoft Excel 2003 ?????? |
---|---|
CompObjUserTypeLen: | 29 |
HeadingPairs: | |
TitleOfParts: | |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CodePage: | Windows Simplified Chinese (PRC, Singapore) |
Security: | None |
ModifyDate: | 2019:03:11 07:11:04 |
CreateDate: | 2018:11:01 00:43:29 |
LastModifiedBy: | sunli |
Author: | luying |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2968 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000 | ||||
3468 | C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3528 | C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3632 | C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 267; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3004 | attrib -S -h "C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" | C:\Windows\system32\attrib.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Attribute Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2968 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR745.tmp.cvr | — | |
MD5: — | SHA256: — | |||
2968 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\k4.xls | — | |
MD5: — | SHA256: — | |||
2968 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFF2A1B117F6B82D58.TMP | — | |
MD5: — | SHA256: — | |||
2968 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFDD6B5A594C45D828.TMP | — | |
MD5: — | SHA256: — | |||
2968 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\cc5e40bf4742aba6aad75c0a4a4b7ada6e1c9408ff351544a1925dbec07412a1.xls | document | |
MD5: A91D574102092722D385744B8A1979CB | SHA256: 9BD1CF49F83AB73DA98AB7C0A207F6EB1D8A6F3B04936D4B6FCFCAD63B0FF86F | |||