File name: d642109e621c6758027c2fc0e5ea3d1126963a001ab1858b95f82e09403943bd.xls

Full analysis: https://app.any.run/tasks/eae994c0-aeeb-42d7-8724-ddda5068bfe8
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 20, 2022, 16:58:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
opendir
loader
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Posik, Last Saved By: Dream, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Thu May 19 10:49:31 2022, Security: 0
MD5: 64D4AB18BBD8E191F74FC14198FDEC87
SHA1: 0A13D417F779071B5263163AD7DA839E6B3C5738
SHA256: D642109E621C6758027C2FC0E5EA3D1126963A001AB1858B95F82E09403943BD
SSDEEP: 1536:t5nKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgYAezwrMC1vJec/RtbEtfE:/Kpb8rGYrMPe3q7Q0XV5xtezEsi8/dgt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executable content was dropped or overwritten
      • EXCEL.EXE (PID: 4060)
    • Drops executable file immediately after starts
      • EXCEL.EXE (PID: 4060)
    • Registers / Runs the DLL via REGSVR32.EXE
      • EXCEL.EXE (PID: 4060)
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 4060)
  • SUSPICIOUS
    • Drops a file with a compile date too recent
      • EXCEL.EXE (PID: 4060)
  • INFO
    • Reads settings of System Certificates
      • EXCEL.EXE (PID: 4060)
    • Reads the computer name
      • EXCEL.EXE (PID: 4060)
    • Checks supported languages
      • EXCEL.EXE (PID: 4060)
      • regsvr32.exe (PID: 3432)
      • regsvr32.exe (PID: 4020)
      • regsvr32.exe (PID: 1920)
      • regsvr32.exe (PID: 3900)
    • Checks Windows Trust Settings
      • EXCEL.EXE (PID: 4060)
    • Creates files in the user directory
      • EXCEL.EXE (PID: 4060)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 4060)
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

HeadingPairs:
  • Листы (Worksheets): 4
  • Макросы Excel 4.0 (Excel 4.0 Macros): 3
TitleOfParts:
  • Sheet
  • Fhgyk
  • Tjdtjf
  • Vehsrg
  • PVVEBZ
  • Btd
  • Btdd
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Cyrillic
Security: None
ModifyDate: 2022:05:19 09:49:31
CreateDate: 2015:06:05 18:19:34
Software: Microsoft Excel
LastModifiedBy: Dream
Author: Posik
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> excel.exe -> regsvr32.exe (4 instances, no specs)

Process information

PID: 4060
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000
Modules (images):
  • c:\windows\system32\ntdll.dll
  • c:\program files\microsoft office\office14\excel.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\sechost.dll

PID: 3432
CMD: C:\Windows\System32\regsvr32.exe /S ..\soam1.dll
Path: C:\Windows\System32\regsvr32.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 3
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\regsvr32.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 4020
CMD: C:\Windows\System32\regsvr32.exe /S ..\soam2.dll
Path: C:\Windows\System32\regsvr32.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 3
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\regsvr32.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 1920
CMD: C:\Windows\System32\regsvr32.exe /S ..\soam3.dll
Path: C:\Windows\System32\regsvr32.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 3
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\regsvr32.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 3900
CMD: C:\Windows\System32\regsvr32.exe /S ..\soam4.dll
Path: C:\Windows\System32\regsvr32.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 3
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\regsvr32.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
Total events: 7 177
Read events: 7 090
Write events: 76
Delete events: 11

Modification events

(PID) Process: (4060) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation: write
Name: t9
Value: 7F743900DC0F0000010000000000000000000000

(PID) Process: (4060) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write (nine events, one per language ID)
Names: 1033, 1041, 1046, 1036, 1031, 1040, 1049, 3082, 1042
Value: Off (for each)
Executable files: 4
Suspicious files: 8
Text files: 1
Unknown types: 4

Dropped files

PID: 4060 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR94CF.tmp.cvr
Type: -
MD5: -
SHA256: -

PID: 4060 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\TarB54A.tmp
Type: cat
MD5: E721613517543768F0DE47A6EEEE3475
SHA256: 3163B82D1289693122EF99ED6C3C1911F68AA2A7296907CEBF84C897141CED4E

PID: 4060 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: F024CDBA49F09DFE446B8C00E90E7535
SHA256: 792D8A29C5E26D42358C8D28C529BBDC7082170F12CF5FA048652F4AAC0E7005

PID: 4060 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Type: binary
MD5: 84C23969C2426B4D748B5E4F23163268
SHA256: 544D23E4904B6B2BFF3C86ECE20F26C9E6A2CF57F20A315877B952FA53EAB311

PID: 4060 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Type: binary
MD5: 6DAE5BF3792686F4D6785C69647B09EA
SHA256: 52E80EBB346B07C2015832FA13B33A6C1AA467B922111B2709310A61C2074042

PID: 4060 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3148AC2BE02041AB5248CB13215DB801
Type: binary
MD5: 56800244BAE6C9E4B02445F1BF7106F2
SHA256: E60E990A69711D34FFC2016A4BC4B206DF4348B5FFEB4A3660CED1E565E69490

PID: 4060 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\776D95906341D109173230C3B29693C7
Type: der
MD5: 28116FCD5C7065511373441FDC81B8BF
SHA256: 09F35C12A5CFD86FF9F5F7CC17E7DA8D8A24FCECD8DAF75755FCD9507A35A668

PID: 4060 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Type: der
MD5: 54E9306F95F32E50CCD58AF19753D929
SHA256: 45F94DCEB18A8F738A26DA09CE4558995A4FE02B971882E8116FC9B59813BB72

PID: 4060 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Type: compressed
MD5: B9F21D8DB36E88831E5352BB82C438B3
SHA256: 998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E

PID: 4060 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\6JJ9ZN4D.txt
Type: text
MD5: 411ED559BC3CFC21718BEAADE7EA6B3C
SHA256: A275CBD1CBF41C0EB67C7686C44D1A37A8DF09ECCEE3D69FFA5086E507D35F6E
HTTP(S) requests: 7
TCP/UDP connections: 8
DNS requests: 8
Threats: 0

HTTP requests

PID 4060 EXCEL.EXE | GET | HTTP 200 | 104.125.75.233:80
  URL: http://x1.c.lencr.org/
  CN: NL | Type: der | Size: 717 b | Reputation: whitelisted

PID 4060 EXCEL.EXE | GET | HTTP 200 | 2.18.212.193:80
  URL: http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgTZwPRtOzDjnyH7nuhj%2B%2BoXbQ%3D%3D
  CN: unknown | Type: der | Size: 503 b | Reputation: shared

PID 4060 EXCEL.EXE | GET | HTTP 200 | 8.248.149.254:80
  URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9a8dc7e733ba800d
  CN: US | Type: compressed | Size: 60.0 Kb | Reputation: whitelisted

PID 4060 EXCEL.EXE | GET | HTTP 200 | 173.231.245.32:80
  URL: http://mybiscotto.com/images/BDcjQT/
  CN: US | Type: executable | Size: 362 Kb | Reputation: suspicious

PID 4060 EXCEL.EXE | GET | HTTP 200 | 2.18.212.193:80
  URL: http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgPVux9RolOjQvXAkNkNURw0tQ%3D%3D
  CN: unknown | Type: der | Size: 503 b | Reputation: shared

PID 4060 EXCEL.EXE | GET | HTTP 200 | 8.248.149.254:80
  URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?510b837e73a86ea5
  CN: US | Type: compressed | Size: 4.70 Kb | Reputation: whitelisted

PID 4060 EXCEL.EXE | GET | HTTP 404 | 50.31.160.160:80
  URL: http://myramark.com/mail/rdhEPylXD8BuTA/
  CN: US | Type: html | Size: 315 b | Reputation: suspicious

Connections

PID 4060 EXCEL.EXE | 104.125.75.233:80 | x1.c.lencr.org | ASN: Akamai Technologies, Inc. | CN: NL | Reputation: suspicious
PID 4060 EXCEL.EXE | 103.1.238.211:443 | myphamcuatui.com | ASN: SUPERDATA | CN: VN | Reputation: suspicious
PID 4060 EXCEL.EXE | 8.248.149.254:80 | ctldl.windowsupdate.com | ASN: Level 3 Communications, Inc. | CN: US | Reputation: suspicious
PID 4060 EXCEL.EXE | 2.18.212.193:80 | r3.o.lencr.org | ASN: Akamai International B.V. | CN: unknown
PID 4060 EXCEL.EXE | 103.227.62.66:443 | myechoproject.com | ASN: Diadem Technologies Pvt. Ltd. | CN: IN | Reputation: suspicious
PID 4060 EXCEL.EXE | 50.31.160.160:80 | myramark.com | ASN: Server Central Network | CN: US | Reputation: suspicious
PID 4060 EXCEL.EXE | 173.231.245.32:80 | mybiscotto.com | ASN: tzulo, inc. | CN: US | Reputation: suspicious

DNS requests

myphamcuatui.com: 103.1.238.211 (suspicious)
ctldl.windowsupdate.com: 8.248.149.254, 8.248.135.254, 67.26.73.254, 67.27.157.254, 67.27.159.254 (whitelisted)
x1.c.lencr.org: 104.125.75.233 (whitelisted)
r3.o.lencr.org: 2.18.212.193, 2.18.212.153 (shared)
myramark.com: 50.31.160.160 (suspicious)
myechoproject.com: 103.227.62.66 (suspicious)
mybiscotto.com: 173.231.245.32 (suspicious)

Threats

PID 4060 EXCEL.EXE | Class: Potential Corporate Privacy Violation | Message: ET POLICY PE EXE or DLL Windows file download HTTP
PID 4060 EXCEL.EXE | Class: A Network Trojan was detected | Message: ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
PID 4060 EXCEL.EXE | Class: Misc activity | Message: ET INFO EXE - Served Attached HTTP
No debug info