File name: | d3d10273ea444e7511feb4e1f3a588c249335ca34ce376aaff0ad94e74bf2cb6.xlsx |
Full analysis: | https://app.any.run/tasks/8e6daf60-5bb4-4902-b326-ae06f423eea0 |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 02:46:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | CD3A44680F1DC942597F1CC866BCB43E |
SHA1: | 6CC5EEFA65682E6D179371D24EAB90A6EB217256 |
SHA256: | D3D10273EA444E7511FEB4E1F3A588C249335CA34CE376AAFF0AD94E74BF2CB6 |
SSDEEP: | 12288:rzsQSpelMSDiTg9kIJ7qcK0WBGtmxVsv3GsOTrDmfmC:rzUelgg9k4hK0WYozrDmmC |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3376 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3824 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2072 | "C:\Users\admin\AppData\Roaming\vbc.exe" | C:\Users\admin\AppData\Roaming\vbc.exe | EQNEDT32.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3080 | "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | vbc.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3376 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR7C6C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3376 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4C998172.jpeg | — | |
MD5:— | SHA256:— | |||
3376 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF6407059F7CEC5CFF.TMP | — | |
MD5:— | SHA256:— | |||
3376 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~$d3d10273ea444e7511feb4e1f3a588c249335ca34ce376aaff0ad94e74bf2cb6.xlsx | — | |
MD5:— | SHA256:— | |||
2072 | vbc.exe | C:\Users\admin\LogonUI\LogonUI.vbs | text | |
MD5:ED6F164D5982B2C1AC750AAA7888CC2E | SHA256:536DF6C9629B4DABB505E54B6E4C4FDC74276396F48B03279AF7369838827B8B | |||
2072 | vbc.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LogonUI.url | text | |
MD5:7574603FE405ADAFDDF2B275C4F31FB4 | SHA256:AE75CC03EDC329578B9EE9F632295A3DBEB79ACC7150E8F68435C7A2428DFF89 | |||
3376 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\177F73F5.emf | emf | |
MD5:DC36EDDE438AA316BDF2A6DE81DD4F6C | SHA256:12C1C4E9D398D438FEFD6C918199619D1DEBD8F786F3E67745BC36260E377E0E | |||
3824 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\vbc.exe | executable | |
MD5:0A3C56BE44A9B0A25FD25AD8DA0A6D64 | SHA256:DC5AA227079D5F33AF016F3160E4F33994AA9FECE3D7D7EED3FB09C8C8271B7E | |||
3824 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\vbc[1].exe | executable | |
MD5:0A3C56BE44A9B0A25FD25AD8DA0A6D64 | SHA256:DC5AA227079D5F33AF016F3160E4F33994AA9FECE3D7D7EED3FB09C8C8271B7E | |||
2072 | vbc.exe | C:\Users\admin\LogonUI\imjpuexc.exe | executable | |
MD5:0A3C56BE44A9B0A25FD25AD8DA0A6D64 | SHA256:DC5AA227079D5F33AF016F3160E4F33994AA9FECE3D7D7EED3FB09C8C8271B7E |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3080 | RegSvcs.exe | 198.54.120.244:587 | ike2020.xyz | Namecheap, Inc. | US | malicious |
3824 | EQNEDT32.EXE | 103.133.104.32:80 | prodigorganizationalgroupoffrdy1company.duckdns.org | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
prodigorganizationalgroupoffrdy1company.duckdns.org |
| malicious |
ike2020.xyz |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3824 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3824 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3080 | RegSvcs.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |