File name: | 0c4b081b61a89b5a8914da12cefe15de.xls |
Full analysis: | https://app.any.run/tasks/2fbc10b0-162f-49bc-aeaa-14581c370db8 |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 07:37:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: kerio, Last Saved By: alex, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat May 18 08:27:21 2019, Last Saved Time/Date: Sun Jun 2 21:56:10 2019, Security: 0 |
MD5: | 0C4B081B61A89B5A8914DA12CEFE15DE |
SHA1: | 46B61D7C99EF0D57899BEBAC401EC3FF706A9000 |
SHA256: | D5347F95512BE99C463877AF379C9A7CEFF4166BAB4567F79A0FBE043AF072F2 |
SSDEEP: | 3072:mKpb8rGYrMPelwhKmFV5xtezEsg8/dgQk4/ikCf8TJijkpht6rJBgyLMYpE4y:mKpb8rGYrMPelwhKmFV5xtuEsg8/dgyL |
.xls | | | Microsoft Excel sheet (48) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (39.2) |
Security: | None |
---|---|
ModifyDate: | 2019:06:02 20:56:10 |
CreateDate: | 2019:05:18 07:27:21 |
Software: | Microsoft Excel |
LastModifiedBy: | alex |
Author: | kerio |
CodePage: | Windows Cyrillic |
CompObjUserType: | Microsoft Forms 2.0 Form |
CompObjUserTypeLen: | 25 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3348 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
1876 | cmd.exe /c start "" xlx.exe | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3476 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3348 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD021.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3476 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs31D9.tmp | — | |
MD5:— | SHA256:— | |||
3476 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs31DA.tmp | — | |
MD5:— | SHA256:— | |||
3348 | EXCEL.EXE | C:\Users\admin\Documents\xlx.exe | html | |
MD5:B6974A64F7CAB21FDECCAFC2737EDF9C | SHA256:8B05D85A961F53AAB23E4933559F7748205B2BC6501EA73F3392517B912D8EC7 | |||
3348 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:42052F09E835C29892144B50321FA8C1 | SHA256:5BEC56F4858A0B7957C28CDBEE1FA6FC0C247FA7602C08BD1277EE4446207579 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3348 | EXCEL.EXE | GET | 200 | 151.237.80.80:80 | http://vairina.top/t1 | BG | html | 669 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3348 | EXCEL.EXE | 151.237.80.80:80 | vairina.top | IPACCT Ltd. | BG | malicious |
3348 | EXCEL.EXE | 151.237.138.38:80 | vairina.top | IPACCT Ltd. | BG | malicious |
Domain | IP | Reputation |
---|---|---|
vairina.top |
| malicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
3348 | EXCEL.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
3348 | EXCEL.EXE | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |