File name: | 999c8498ae23b4122cb02e715f6e6d3b.xls |
Full analysis: | https://app.any.run/tasks/4f88c40d-fe75-4f3a-8289-8e0849be0319 |
Verdict: | Malicious activity |
Analysis date: | February 19, 2019, 03:25:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info: | Microsoft Excel 2007+ |
MD5: | 999C8498AE23B4122CB02E715F6E6D3B |
SHA1: | 9A3CB9FA829890F576B89275158437DB2FEE4D53 |
SHA256: | D4E7AE81D10C77ED6DFE2057FB7C055A94B63A2E16CB2BB7C97F6DFBDCF2A17B |
SSDEEP: | 98304:rghdv7SKEHyQ4VxltmiVWbhM0IWNownmHgl:2StHWHPm/qlgl |
.xlam | | | Excel Macro-enabled Open XML add-in (42.4) |
---|---|---|
.xlsm | | | Excel Microsoft Office Open XML Format document (with Macro) (29.2) |
.xlsx | | | Excel Microsoft Office Open XML Format document (17.3) |
.zip | | | Open Packaging Conventions container (8.9) |
.zip | | | ZIP compressed archive (2) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3084 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
1300 | C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2848 | C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2940 | C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 267 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2484 | attrib -S -h "C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS" | C:\Windows\system32\attrib.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Attribute Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3084 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR72EE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3084 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9A2A75E9.emf | emf | |
MD5:CD4E6813CBD0D9ADA1EB63D157229FA9 | SHA256:FE572690BB515514ADA61ADC75F5268283FEF81B753BF6E0849AD4738C804729 | |||
3084 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C278F8DF.emf | emf | |
MD5:E76B339C4882A33F0C886F092AC094FB | SHA256:8E8D819C36536F97AE7A56919E497E857948FD5C2A2B4D56FBCD1920150BDF5C | |||
3084 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8E17FC9B.emf | emf | |
MD5:57530E16088ED55FD9738277792E1613 | SHA256:69E502503F4E7138B90321719E1D87BCB973FF95DB0794C4419F91DBDA68B86D | |||
3084 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\51D811D9.emf | emf | |
MD5:1EF5060006863CB7A6B3EE20F9871832 | SHA256:9DD5A783311751E377429B0170006F79D9B4C0AC4DEF420556EC7406247DA7A0 | |||
3084 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9B9EDC61.emf | emf | |
MD5:16757B8BB9B729BB4E6A7AAA2758A7F2 | SHA256:8C981B3F3A096EF05AA89E893F689249A4FC1DC44DD3024A2CE64A3D8F491C62 | |||
3084 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D67F3953.emf | emf | |
MD5:2626431746310DFAEC3A3A081E87F19F | SHA256:6109262F790EBF1381D37A9FF1EEAEB9EB4DA42F7ACFC80C52981B37E54239B4 | |||
3084 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\710095E0.emf | emf | |
MD5:CD924EF65CE69B84DCFF5A716F9803FA | SHA256:2EE35E22C238D542E92E962F6D513BCDF7E9F162D0F048015B10E6DBBF9A0082 | |||
3084 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6A0A5282.emf | emf | |
MD5:C478413624A79B170260C33DEB0AF681 | SHA256:F82BF7374B372310F8715E0AB4E2502FC790E34A5A6921386CBECCA5561C9C21 | |||
3084 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BF63BE17.emf | emf | |
MD5:DD55CBA2E92D6ABC6F6BF56D0CC0079F | SHA256:FC50B8D043ECE8EDFE72C8680F0E06303D5576EE053826EEFB282A10C6E4E5B7 |