analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ced55d03720094441f11d4b815c8aec5901540dbf5ff5dd2978d86f047a649eb

Full analysis: https://app.any.run/tasks/273db0fe-9263-43fd-bdc3-8eb252134614
Verdict: Malicious activity
Analysis date: March 21, 2019, 21:16:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: [email protected], Last Saved By: Windows User, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Mar 6 15:34:52 2019, Last Saved Time/Date: Mon Mar 11 14:16:26 2019, Security: 0
MD5:

68C950579570352143DAE0B5A8BEF91B

SHA1:

D8B67BC88916B5AD90DA07A59FC87D10A282A20C

SHA256:

CED55D03720094441F11D4B815C8AEC5901540DBF5FF5DD2978D86F047A649EB

SSDEEP:

12288:JBFixggjJ/gUkK9abdyVQzDKzw7X97gICa9avb/aRlDATPGQtxPO8ike:JTiHjJQKWyKvN7XtKwavz+1Az7VOzB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • CR_7344BE.cmd (PID: 1284)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 1524)
    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 1524)
    • Suspicious files were dropped or overwritten

      • EXCEL.EXE (PID: 1524)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • EXCEL.EXE (PID: 1524)
  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 1524)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 1524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

CompObjUserType: Microsoft Excel 2003 Worksheet
CompObjUserTypeLen: 31
HeadingPairs:
  • Worksheets
  • 1
TitleOfParts: Breach Checker
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
ModifyDate: 2019:03:11 14:16:26
CreateDate: 2019:03:06 15:34:52
Software: Microsoft Excel
LastModifiedBy: Windows User
Author: [email protected]
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start excel.exe wmiapsrv.exe no specs cr_7344be.cmd

Process information

PID
CMD
Path
Indicators
Parent process
1524"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3892C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Performance Reverse Adapter
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1284C:\Users\admin\AppData\Roaming\CR_7344BE.cmdC:\Users\admin\AppData\Roaming\CR_7344BE.cmd
EXCEL.EXE
User:
admin
Integrity Level:
MEDIUM
Total events
706
Read events
593
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
1524EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR898A.tmp.cvr
MD5:
SHA256:
1524EXCEL.EXEC:\Users\admin\AppData\Local\Temp\Excel8.0\MSForms.exdtlb
MD5:D7589180916B83F387BD2EAD7545A492
SHA256:972F074BAF6396FEF7617B57EC4213DA2046B6DD122B8E4E4D39ABB5CE8B0D98
1524EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9F379D69.emfemf
MD5:D3D565A0DF2C73E7DB59CE56E78E6ADD
SHA256:0C6FC87F0A09456FFB13618864AA2CA330AB6953D5FB44C05DC18516E9CEAF2E
1524EXCEL.EXEC:\Users\admin\AppData\Roaming\CR_7344BE.cmdexecutable
MD5:5BF2C90AFFD99E9B8139ECE6C7AAA87D
SHA256:08E80B4B00BE81E0CBE8351369CC2CB54B9547932001B38A963527229EDB6462
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
12
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1284
CR_7344BE.cmd
13.32.219.23:443
revenuedata.doi.gov
Amazon.com, Inc.
US
unknown
13.32.219.23:443
revenuedata.doi.gov
Amazon.com, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
revenuedata.doi.gov
  • 13.32.219.23
  • 13.32.219.185
  • 13.32.219.127
  • 13.32.219.30
suspicious

Threats

No threats detected
No debug info