File name: | نتائج استفتاء الدستور-الخارج.xls |
Full analysis: | https://app.any.run/tasks/0642668b-e7fe-4ddc-9c89-9a5f2eef1a50 |
Verdict: | Malicious activity |
Analysis date: | April 25, 2019, 13:00:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Admin, Last Saved By: Research, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Apr 13 10:30:01 2019, Last Saved Time/Date: Mon Apr 22 14:15:51 2019, Security: 1 |
MD5: | 44B9203FED19829E24D1601DBD141C0E |
SHA1: | 2DAC9ED7BE4DD83DF607A6C7F847C1ED92FA0219 |
SHA256: | D8589625BBEA522E927FC1B7A3484308F79C481C5D32294BA26A496DFEF18F94 |
SSDEEP: | 768:f5wOYrxfcfo9nJgafwgEuKpzOsNAzBGoydrpU8Pd8Q:f5wHkfanJgewgoxNyBGXFUcd |
.xls | | | Microsoft Excel sheet (48) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (39.2) |
CompObjUserTypeLen: | 31 |
---|---|
CompObjUserType: | Microsoft Excel 2003 Worksheet |
Author: | Admin |
LastModifiedBy: | Research |
Software: | Microsoft Excel |
CreateDate: | 2019:04:13 09:30:01 |
ModifyDate: | 2019:04:22 13:15:51 |
Security: | Password protected |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: |
|
HeadingPairs: |
|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2836 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3128 | cmd.exe /C echo %appdata%\Microsoft\Protect\Update.vbs > C:\Users\Public\t.txt | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1032 | explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\Update.vbs | C:\Windows\explorer.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3012 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4060 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Protect\Update.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
3460 | "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "powershell -C (Get-Content "$ENV:APPDATA\Microsoft\Protect\antiquityn.txt") | iex" | C:\Windows\System32\forfiles.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: ForFiles - Executes a command on selected files Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2212 | -C (Get-Content $ENV:APPDATA\Microsoft\Protect\antiquityn.txt) | iex | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | forfiles.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2836 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRFC88.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2212 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5ALY3HZQGYCCOC4SNI4B.temp | — | |
MD5:— | SHA256:— | |||
2212 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:5F9A7BF5388376D94C2EDCA422810BEC | SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C | |||
2836 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Protect\Update.vbs | text | |
MD5:6EC9DCBE73D07D423AC8A723E960FAB4 | SHA256:20633C66282DE9076829342B5D86B08E033CF282C98E26A05C5521B4C16E04CE | |||
2212 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF132406.TMP | binary | |
MD5:5F9A7BF5388376D94C2EDCA422810BEC | SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C | |||
3128 | cmd.exe | C:\Users\Public\t.txt | text | |
MD5:67F591E07212871DE5E9D8831420AF5A | SHA256:A8A14C6141F02FCC751F619164AC18BACDD63F0B3EC9EF66B9FD773D58876CF1 | |||
4060 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Protect\antiquityn.txt | text | |
MD5:843848E54CA0D8C7862EC29C454903A7 | SHA256:E6DCE62226C6BE74B7DCE5901F27C041C1C76C71E0E180B278C9106326C54313 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2212 | powershell.exe | 104.18.33.7:443 | windows-security.net | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
windows-security.net |
| suspicious |