analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

نتائج استفتاء الدستور-الخارج.xls

Full analysis: https://app.any.run/tasks/12d48c60-2349-4e6c-82d5-fd31b99768a1
Verdict: Malicious activity
Analysis date: April 24, 2019, 06:56:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Admin, Last Saved By: Research, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Apr 13 10:30:01 2019, Last Saved Time/Date: Mon Apr 22 14:15:51 2019, Security: 1
MD5:

44B9203FED19829E24D1601DBD141C0E

SHA1:

2DAC9ED7BE4DD83DF607A6C7F847C1ED92FA0219

SHA256:

D8589625BBEA522E927FC1B7A3484308F79C481C5D32294BA26A496DFEF18F94

SSDEEP:

768:f5wOYrxfcfo9nJgafwgEuKpzOsNAzBGoydrpU8Pd8Q:f5wHkfanJgewgoxNyBGXFUcd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2812)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2812)

  • SUSPICIOUS

    • Executes scripts

      • explorer.exe (PID: 3288)

    • Creates files in the user directory

      • WScript.exe (PID: 2296)
      • powershell.exe (PID: 2408)

    • Executes PowerShell scripts

      • forfiles.exe (PID: 3720)

  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 2812)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2812)

    • Reads settings of System Certificates

      • powershell.exe (PID: 2408)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

HeadingPairs:
  • Worksheets
  • 2
  • Excel 4.0 Macros
  • 1
TitleOfParts:
  • Sheet1
  • Sheet2
  • Sheet15
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Latin 1 (Western European)
Security: Password protected
ModifyDate: 2019:04:22 13:15:51
CreateDate: 2019:04:13 09:30:01
Software: Microsoft Excel
LastModifiedBy: Research
Author: Admin
CompObjUserType: Microsoft Excel 2003 Worksheet
CompObjUserTypeLen: 31
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs explorer.exe no specs explorer.exe no specs wscript.exe no specs forfiles.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2812"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3452cmd.exe /C echo %appdata%\Microsoft\Protect\Update.vbs > C:\Users\Public\t.txtC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2484explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\Update.vbs C:\Windows\explorer.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3288C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2296"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Protect\Update.vbs" C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3720"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "powershell -C (Get-Content "$ENV:APPDATA\Microsoft\Protect\antiquityn.txt") | iex"C:\Windows\System32\forfiles.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ForFiles - Executes a command on selected files
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2408-C (Get-Content $ENV:APPDATA\Microsoft\Protect\antiquityn.txt) | iexC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
forfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
927
Read events
810
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
2812EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRFCE6.tmp.cvr
MD5:
SHA256:
2408powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G4IKUTA20MLFJA4B2IUG.temp
MD5:
SHA256:
2812EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Protect\Update.vbstext
MD5:6EC9DCBE73D07D423AC8A723E960FAB4
SHA256:20633C66282DE9076829342B5D86B08E033CF282C98E26A05C5521B4C16E04CE
2408powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:5F9A7BF5388376D94C2EDCA422810BEC
SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C
2408powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1341ee.TMPbinary
MD5:5F9A7BF5388376D94C2EDCA422810BEC
SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C
2296WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Protect\antiquityn.txttext
MD5:843848E54CA0D8C7862EC29C454903A7
SHA256:E6DCE62226C6BE74B7DCE5901F27C041C1C76C71E0E180B278C9106326C54313
3452cmd.exeC:\Users\Public\t.txttext
MD5:67F591E07212871DE5E9D8831420AF5A
SHA256:A8A14C6141F02FCC751F619164AC18BACDD63F0B3EC9EF66B9FD773D58876CF1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2408
powershell.exe
104.18.32.7:443
windows-security.net
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
windows-security.net
  • 104.18.32.7
  • 104.18.33.7
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
نتائج استفتاء الدستور-الخارج.xls