File name: | Bundle_info_104171.xlsm |
Full analysis: | https://app.any.run/tasks/e894b67e-f131-4273-8c0b-02b140bdd6ef |
Verdict: | Malicious activity |
Analysis date: | May 20, 2019, 20:47:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info: | Microsoft Excel 2007+ |
MD5: | E4B64E28E7F9F65C3BF44D2FCDD6A961 |
SHA1: | E80857F144CF406C81D786064E8EA84DA6E7C190 |
SHA256: | D760D6663E0319AA4664F8D147FED8658934A9F731B048CC2A64BAD6EF612AE5 |
SSDEEP: | 768:8Hug5V4bx2ThbyQY2IBlzG5ke/h0bldSSu:Wdk2Fbi2IBF6ZqdSSu |
Extension | Description |
---|---|
.xlam | Excel Macro-enabled Open XML add-in (42.4) |
.xlsm | Excel Microsoft Office Open XML Format document (with Macro) (29.2) |
.xlsx | Excel Microsoft Office Open XML Format document (17.3) |
.zip | Open Packaging Conventions container (8.9) |
.zip | ZIP compressed archive (2) |
ZipRequiredVersion: | 20 |
ZipBitFlag: | 0x0006 |
ZipCompression: | Deflated |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCRC: | 0xe69d70d7 |
ZipCompressedSize: | 413 |
ZipUncompressedSize: | 1393 |
ZipFileName: | [Content_Types].xml |
Creator: | - |
LastModifiedBy: | - |
CreateDate: | 2006:09:16 00:00:00Z |
ModifyDate: | 2019:05:16 16:59:30Z |
Application: | Microsoft Excel |
DocSecurity: | None |
ScaleCrop: | No |
HeadingPairs: | |
TitlesOfParts: | Лист1 |
Company: | - |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 15.03 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2464 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
3048 | cmd.exe /c C:\Users\admin\AppData\Local\Temp\999.hta | C:\Windows\system32\cmd.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3484 | "C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\999.hta" | C:\Windows\System32\mshta.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
2108 | "C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\5702uray.exe | C:\Windows\System32\cmd.exe | — | mshta.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2656 | "C:\Windows\system32\ntvdm.exe" | C:\Windows\system32\ntvdm.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: NTVDM.EXE; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2464 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR3F9C.tmp.cvr | — | — | — |
2656 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs4CCB.tmp | — | — | — |
2656 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs4CCC.tmp | — | — | — |
2464 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\999.hta | html | 14DF192CDC815BF57B768B5D97320365 | D4E37A29FF4011CAD258CA60080B2F366619570FEC08EC50F95285F725BF8A0D |
2464 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 8838165C4940C309600CED2586781960 | 80E29633A89690DD2A1D12B53DF42B0B9437384ADBB220CA35F092C3B08CA449 |
3484 | mshta.exe | C:\Users\admin\AppData\Local\Temp\5702uray.exe | html | 3526531CCD6C6A1D2340574A305A18F8 | B663321AB439CC53A329EE352C1B855D9998D3AF95524A05795A88B42A9ACF07 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3484 | mshta.exe | GET | 200 | 64.44.133.144:80 | http://64.44.133.144/?3mhZb5 | US | html | 10.6 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3484 | mshta.exe | 64.44.133.144:80 | — | Nexeon Technologies, Inc. | US | suspicious |