| Field | Value |
|---|---|
| File name | cc5e40bf4742aba6aad75c0a4a4b7ada6e1c9408ff351544a1925dbec07412a1 |
| Full analysis | https://app.any.run/tasks/d8f57d52-42b9-4086-b904-64c736c19179 |
| Verdict | Malicious activity |
| Analysis date | March 22, 2019, 07:35:07 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.ms-excel |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 936, Author: luying, Last Saved By: sunli, Create Time/Date: Thu Nov 1 00:43:29 2018, Last Saved Time/Date: Mon Mar 11 07:11:04 2019, Security: 0 |
| MD5 | 7FE06955EF66CC4718790D090A0A7810 |
| SHA1 | 56ECAF08E3D2D0B2007AA6F1CB32F9B59A70D27D |
| SHA256 | CC5E40BF4742ABA6AAD75C0A4A4B7ADA6E1C9408FF351544A1925DBEC07412A1 |
| SSDEEP | 6144:lVUpjDqF+wRj/eA05i2ACGKJ/7KOHwIkJVs/whqJ9YPMFjoklGCL8RtzaPqnA2cH:1dd8/p |
File type identification:

| Extension | Identification |
|---|---|
| .xls | Microsoft Excel sheet (48) |
| .xls | Microsoft Excel sheet (alternate) (39.2) |
Document metadata:

| Property | Value |
|---|---|
| Author | luying |
| LastModifiedBy | sunli |
| CreateDate | 2018:11:01 00:43:29 |
| ModifyDate | 2019:03:11 07:11:04 |
| Security | None |
| CodePage | Windows Simplified Chinese (PRC, Singapore) |
| AppVersion | 16 |
| ScaleCrop | No |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| TitleOfParts | |
| HeadingPairs | |
| CompObjUserTypeLen | 29 |
| CompObjUserType | Microsoft Excel 2003 ?????? (the trailing non-ASCII characters, encoded in code page 936, did not survive extraction) |

The document was last saved by an Office 16 build (AppVersion 16), while the sandbox opened it with Excel 14.0 (Office 2010); the code page and author names point to a Simplified Chinese authoring environment.
Processes. Every process below is a Microsoft Corporation binary run as user admin at MEDIUM integrity, and ANY.RUN attached no per-process indicators, so those columns are omitted.

| PID | Parent | Command line | Image path | Exit code | Description and version |
|---|---|---|---|---|---|
| 1924 | explorer.exe | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | 0 | Microsoft Excel 14.0.6024.1000 |
| 2252 | EXCEL.EXE | C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" | C:\Windows\system32\cmd.exe | 0 | Windows Command Processor 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2836 | EXCEL.EXE | C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" | C:\Windows\system32\cmd.exe | 0 | Windows Command Processor 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2876 | EXCEL.EXE | C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" | C:\Windows\system32\cmd.exe | 267 | Windows Command Processor 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1824 | cmd.exe | attrib -S -h "C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" | C:\Windows\system32\attrib.exe | 0 | Attribute Utility 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3060 | explorer.exe | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | 1 | Windows Explorer 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1012 | explorer.exe | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | (still running) | Microsoft Excel 14.0.6024.1000 |

What the tree shows: EXCEL.EXE (PID 1924) spawns three cmd.exe children that all act on one path, C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS. attrib -S -h strips the System and Hidden attributes, Del /F /Q force-deletes the file, and RD /S /Q then tries to remove the same path as a directory. XLSTART is Excel's per-user auto-open folder: anything placed there is loaded silently every time Excel starts, so a hidden K4.XLS at that location is the persistence artefact to hunt for on other hosts. The RD exit code 267 is ERROR_DIRECTORY ("The directory name is invalid"), which is what RD returns when the path names a file rather than a folder, suggesting K4.XLS was still present after the Del step; cmd /c del typically exits 0 even when del cannot remove the file (for example one Excel still holds open), which is why PID 2836 reports 0. The /dde switch on both EXCEL.EXE instances is the normal file-association launch from explorer.exe and is not an indicator by itself.
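The process chain above is the part of this report worth turning into a detection. The following is an added example, not part of the ANY.RUN report: a small Python hunt over process-creation records that flags an Office application spawning a shell whose command line touches an Office auto-start folder and performs an attribute or delete operation, and decodes the exit codes. The records are transcribed from the table above (the report names parents by image only, so grandchildren such as attrib.exe PID 1824 cannot be linked back to Excel and are not flagged); OFFICE_APPS, SHELLS, the two regexes and the Win32 error subset are my own assumed rules, not ANY.RUN signatures.

```python
"""Hunt for an Office app spawning cmd.exe to unhide/delete a file in XLSTART.
Detection rules below are assumptions for this example, not ANY.RUN signatures."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Office loads everything in these folders at start-up, so a workbook or
# template planted there is a persistence location (assumed folder list).
AUTOSTART_RE = re.compile(r"\\(xlstart|word\\startup)\\")
# Built-in cmd verbs / utilities that change or remove files on disk.
FILE_OP_RE = re.compile(r"\b(attrib|del|erase|rd|rmdir|copy|move|xcopy)\b")
# Win32 error codes as they appear in the report's "Exit code" column (subset).
WIN32_ERRORS = {0: "ERROR_SUCCESS", 1: "ERROR_INVALID_FUNCTION",
                2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED",
                267: "ERROR_DIRECTORY"}


@dataclass(frozen=True)
class Proc:
    pid: int
    cmdline: str
    image: str
    parent: str                # image name only, as the report gives it
    exit_code: Optional[int]   # None = still running when analysis ended


def image_name(path: str) -> str:
    """Last path component, lower-cased, so rules compare image names only."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def quoted_paths(cmdline: str) -> List[str]:
    """Double-quoted arguments are where file paths live in cmd one-liners."""
    return re.findall(r'"([^"]+)"', cmdline)


def decode_exit(code: Optional[int]) -> str:
    if code is None:
        return "still running"
    return WIN32_ERRORS.get(code, f"unknown ({code})")


def analyze(procs: List[Proc]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every shell spawned by an Office process."""
    findings = []
    for p in procs:
        if image_name(p.parent) not in OFFICE_APPS or image_name(p.image) not in SHELLS:
            continue
        low = p.cmdline.lower()
        reasons = ["office app spawned a shell"]
        if AUTOSTART_RE.search(low):
            reasons.append("command line references an Office auto-start folder")
        if FILE_OP_RE.search(low):
            reasons.append("attribute/delete/copy operation on disk")
        findings.append((p.pid, reasons))
    return findings


def xlstart_targets(procs: List[Proc]) -> List[str]:
    """Auto-start folder paths touched by flagged processes (triage IOCs)."""
    flagged = {pid for pid, _ in analyze(procs)}
    out = set()
    for p in procs:
        if p.pid in flagged:
            out.update(x for x in quoted_paths(p.cmdline) if AUTOSTART_RE.search(x.lower()))
    return sorted(out)


# Records transcribed from the process table in the report above.
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
CMD = r"C:\Windows\system32\cmd.exe"
K4 = r"C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
REPORT = [
    Proc(1924, f'"{EXCEL}" /dde', EXCEL, "explorer.exe", 0),
    Proc(2252, f'{CMD} /c attrib -S -h "{K4}"', CMD, "EXCEL.EXE", 0),
    Proc(2836, f'{CMD} /c Del /F /Q "{K4}"', CMD, "EXCEL.EXE", 0),
    Proc(2876, f'{CMD} /c RD /S /Q "{K4}"', CMD, "EXCEL.EXE", 267),
    Proc(1824, f'attrib -S -h "{K4}"', r"C:\Windows\system32\attrib.exe", "cmd.exe", 0),
    Proc(3060, r'"C:\Windows\explorer.exe"', r"C:\Windows\explorer.exe", "explorer.exe", 1),
    Proc(1012, f'"{EXCEL}" /dde', EXCEL, "explorer.exe", None),
]

if __name__ == "__main__":
    for pid, reasons in analyze(REPORT):
        proc = next(p for p in REPORT if p.pid == pid)
        print(f"PID {pid}: {'; '.join(reasons)} -> exit {decode_exit(proc.exit_code)}")
    print("auto-start paths touched:", xlstart_targets(REPORT))
```

Run against the report's records this flags PIDs 2252, 2836 and 2876 with all three reasons and yields the single IOC path K4.XLS under XLSTART; PID 2876 decodes to ERROR_DIRECTORY. On real telemetry (Sysmon event 1 or EDR process events) the parent would be a PID rather than a name, and the same rules extend naturally to the attrib.exe grandchild.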
Files written:

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1924 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR8AA3.tmp.cvr | — | — | — |
| 1924 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFF28C7FE344B8A02E.TMP | — | — | — |
| 1924 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFFAF041B6C4569E7F.TMP | — | — | — |
| 1012 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR6624.tmp.cvr | — | — | — |
| 1012 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF87B7736590E3F9CD.TMP | — | — | — |
| 1012 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF3B4B12BD14305727.TMP | — | — | — |
| 1012 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFCC559A9A189F33F7.TMP | — | — | — |
| 1012 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF8E9001598F63C894.TMP | — | — | — |
| 1012 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF0687CF41A0973E5C.TMP | — | — | — |
| 1924 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\cc5e40bf4742aba6aad75c0a4a4b7ada6e1c9408ff351544a1925dbec07412a1.xls | document | BEF9F55F7F7A61D5D2D61D38D79DBF06 | 28AFAC8864673CBE528985489FEA39B9E0078A64F174DD1A2046962F6F1A72EF |

The .cvr and ~DF*.TMP entries are Excel's own crash-recovery and scratch files. The last entry is a workbook that EXCEL.EXE (PID 1924) wrote to Temp under the sample's own file name, but its MD5 and SHA256 differ from the submitted file (MD5 7FE06955EF66CC4718790D090A0A7810, SHA256 CC5E40BF…), so it is not byte-identical to the original and is worth collecting as a second sample; no hash for K4.XLS itself is recorded in this report.