File name: documento1_410.xls
Full analysis: https://app.any.run/tasks/e9183743-ba3c-4e8b-bc36-006cf50c3028
Verdict: Malicious activity
Analysis date: October 20, 2020, 04:10:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: dppFJMEcrkUCFZCGUe, Last Saved By: administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Oct 20 00:28:19 2020, Last Saved Time/Date: Tue Oct 20 00:48:19 2020, Security: 1
MD5: E2739B11FA9EF4DDEE5F9AB41B1A56FF
SHA1: A10B9A7D05F7E4F04983AED34BA3E52AAC0A8642
SHA256: D9E458B03EAA69BB9CC9A3950D38C6CC78C4AAC8DF53E0048C7D562E88B61C5F
SSDEEP: 6144:uZKOXZdpjpVBrRWJ+Vl0T2q3T9UnoVEsOUqjLxjn:JOXZHpbrsJS03RUX6G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 2432)
  • SUSPICIOUS
    • Uses RUNDLL32.EXE to load library
      • EXCEL.EXE (PID: 2432)
  • INFO
    • Reads Internet Cache Settings
      • EXCEL.EXE (PID: 2432)
    • Manual execution by user
      • chrome.exe (PID: 3840)
    • Creates files in the user directory
      • EXCEL.EXE (PID: 2432)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 2432)
    • Reads the hosts file
      • chrome.exe (PID: 3840)
      • chrome.exe (PID: 3696)
    • Dropped object may contain TOR URL's
      • chrome.exe (PID: 888)
    • Application launched itself
      • chrome.exe (PID: 3840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

HeadingPairs:
  • Fogli di lavoro: 24
  • Macro di Excel 4.0: 1
TitleOfParts:
  • qlPfxSlfVBKKJNyry
  • Foglio2
  • Foglio3
  • Foglio4
  • Foglio5
  • Foglio6
  • Foglio7
  • Foglio8
  • Foglio9
  • Foglio10
  • Foglio11
  • Foglio12
  • Foglio13
  • Foglio14
  • Foglio15
  • Foglio16
  • Foglio17
  • Foglio18
  • Foglio19
  • Foglio20
  • Foglio21
  • Foglio22
  • Foglio23
  • Sheet1
  • rnc
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Latin 1 (Western European)
Security: Password protected
ModifyDate: 2020:10:19 23:48:19
CreateDate: 2020:10:19 23:28:19
Software: Microsoft Excel
LastModifiedBy: administrator
Author: dppFJMEcrkUCFZCGUe
No data.
All screenshots are available in the full report
Total processes: 73
Monitored processes: 31
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Nodes: start, excel.exe, rundll32.exe (no specs), chrome.exe (multiple instances, most marked "no specs")

Process information

PID: 2432
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID: 2652
CMD: "C:\Windows\System32\rundll32.exe" IDgiPjo.dll,DllRegisterServer
Path: C:\Windows\System32\rundll32.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3840
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 2696
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6c78a9d0,0x6c78a9e0,0x6c78a9ec
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 3264
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3820 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 3060
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=988,11044182080854413661,4596998670317970410,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=11871111669226495697 --mojo-platform-channel-handle=1004 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 75.0.3770.100

PID: 3696
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=988,11044182080854413661,4596998670317970410,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=9959578492617519542 --mojo-platform-channel-handle=1616 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 124
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,11044182080854413661,4596998670317970410,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15266733404786782799 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100

PID: 2384
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,11044182080854413661,4596998670317970410,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10090835502479974591 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100

PID: 1500
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,11044182080854413661,4596998670317970410,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5344841069107381620 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100
Total events: 1 260
Read events: 1 111
Write events: 0
Delete events: 0
Modification events: No data
Executable files: 0
Suspicious files: 23
Text files: 116
Unknown types: 8

Dropped files

PID 2432, EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR4088.tmp.cvr
Type:
MD5:
SHA256:

PID 3840, chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5F8E6395-F00.pma
Type:
MD5:
SHA256:

PID 3840, chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old
Type:
MD5:
SHA256:

PID 3840, chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\9de264cb-57cf-467a-a131-04d0e53affc8.tmp
Type:
MD5:
SHA256:

PID 3840, chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000048.dbtmp
Type:
MD5:
SHA256:

PID 3840, chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
Type: text
MD5: FB5B20517A0D1F7DAD485989565BEE5E
SHA256: 99405F66EDBEB2306F4D0B4469DCADFF5293B5E1549C588CCFACEA439BB3B101

PID 3840, chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
Type: text
MD5: C2DDBA63E4A2BD2E39A8B6C2C6384AAE
SHA256: 6D5C1C78341C6F84911055D970ADDB0EC3499F8BF7FADE062122A22209CE67D9

PID 2432, EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\documento1_410.xls.LNK
Type: lnk
MD5: 0964E7319ABBCF27160F688E09534356
SHA256: 606BB5C809C752CB6ED3E4803F0CEE906AC60C5899D357CA86C9F96A72738092

PID 3840, chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF2e2ec1.TMP
Type: text
MD5: D4322EEBAC92D1B8F7A6F5E39F6264B7
SHA256: A3EEDF21B850DCC7CE5AE04395ECDD2D29DA4EA549C8A185DD9E8B552A87B8C2

PID 2432, EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5: 2006149217EB76240FAC218F420425D0
SHA256: 08E71585F173D214C81E8CB948C6933390358942DBC271A5CE655082EAEC803D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 57
TCP/UDP connections: 25
DNS requests: 24
Threats: 0

HTTP requests (PID and process were not captured for these rows)

Method: HEAD | HTTP code: 302 | IP: 216.58.208.174:80 | CN: US | Reputation: whitelisted
URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/RICrvMN8bkQRllgID8xWJw_6187/H6ZPXmz_Yx1gzS8iWmCgCQ

Method: HEAD | HTTP code: 200 | IP: 82.85.147.13:80 | CN: IT | Reputation: whitelisted
URL: http://r2---sn-upnj5appu5-j5bl.gvt1.com/edgedl/release2/chrome_component/RICrvMN8bkQRllgID8xWJw_6187/H6ZPXmz_Yx1gzS8iWmCgCQ?cms_redirect=yes&mh=K8&mip=94.32.66.48&mm=28&mn=sn-upnj5appu5-j5bl&ms=nvh&mt=1603167112&mv=u&mvi=2&pl=20&shardbypass=yes

Method: HEAD | HTTP code: 200 | IP: 216.58.209.48:80 | CN: US | Reputation: whitelisted
URL: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/43/42/e0b8b1fb7c27acac43c236b9f6b029b07f2a3b661b5d8eed22848180aaf4f04e.crxd

Method: GET | HTTP code: 206 | IP: 82.85.147.13:80 | CN: IT | Type: binary | Size: 6.08 Kb | Reputation: whitelisted
URL: http://r2---sn-upnj5appu5-j5bl.gvt1.com/edgedl/release2/chrome_component/RICrvMN8bkQRllgID8xWJw_6187/H6ZPXmz_Yx1gzS8iWmCgCQ?cms_redirect=yes&mh=K8&mip=94.32.66.48&mm=28&mn=sn-upnj5appu5-j5bl&ms=nvh&mt=1603167112&mv=u&mvi=2&pcm2cms=yes&pl=20&shardbypass=yes

Method: GET | HTTP code: 302 | IP: 216.58.208.174:80 | CN: US | Type: html | Size: 497 b | Reputation: whitelisted
URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/RICrvMN8bkQRllgID8xWJw_6187/H6ZPXmz_Yx1gzS8iWmCgCQ

Method: GET | HTTP code: 200 | IP: 216.58.209.48:80 | CN: US | Type: binary | Size: 4.33 Kb | Reputation: whitelisted
URL: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/43/42/e0b8b1fb7c27acac43c236b9f6b029b07f2a3b661b5d8eed22848180aaf4f04e.crxd

Method: GET | HTTP code: 206 | IP: 82.85.147.13:80 | CN: IT | Type: binary | Size: 9.67 Kb | Reputation: whitelisted
URL: http://r2---sn-upnj5appu5-j5bl.gvt1.com/edgedl/release2/chrome_component/RICrvMN8bkQRllgID8xWJw_6187/H6ZPXmz_Yx1gzS8iWmCgCQ?cms_redirect=yes&mh=K8&mip=94.32.66.48&mm=28&mn=sn-upnj5appu5-j5bl&ms=nvh&mt=1603167112&mv=u&mvi=2&pcm2cms=yes&pl=20&shardbypass=yes

Method: GET | HTTP code: 302 | IP: 216.58.208.174:80 | CN: US | Type: html | Size: 497 b | Reputation: whitelisted
URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/RICrvMN8bkQRllgID8xWJw_6187/H6ZPXmz_Yx1gzS8iWmCgCQ

Method: GET | HTTP code: 206 | IP: 216.58.209.48:80 | CN: US | Type: binary | Size: 9.61 Kb | Reputation: whitelisted
URL: http://storage.googleapis.com/update-delta/gcmjkmgdlgnkkcocmoeiminaijmmjnii/9.17.0/9.16.0/092573746769772bd5e3208f6dcc3c31a029e78c61989771a8cefa8e4d829c55.crxd

Method: HEAD | HTTP code: 200 | IP: 216.58.209.48:80 | CN: US | Type: binary | Size: 4.33 Kb | Reputation: whitelisted
URL: http://storage.googleapis.com/update-delta/gcmjkmgdlgnkkcocmoeiminaijmmjnii/9.17.0/9.16.0/092573746769772bd5e3208f6dcc3c31a029e78c61989771a8cefa8e4d829c55.crxd

Connections (PID, process, IP, domain, ASN, CN, reputation)

PID 2432, EXCEL.EXE | 109.248.203.236:80 | linksystems.casa | Business Consulting LLC | RU | suspicious
PID 3696, chrome.exe | 216.58.205.67:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
PID 3696, chrome.exe | 216.58.206.67:443 | www.gstatic.com | Google Inc. | US | whitelisted
PID 3696, chrome.exe | 216.58.206.45:443 | accounts.google.com | Google Inc. | US | suspicious
PID 3696, chrome.exe | 216.58.198.10:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
PID 3696, chrome.exe | 216.58.198.36:443 | www.google.com | Google Inc. | US | whitelisted
PID 3696, chrome.exe | 216.58.205.78:443 | apis.google.com | Google Inc. | US | whitelisted
PID 3696, chrome.exe | 216.58.209.35:443 | fonts.gstatic.com | Google Inc. | US | whitelisted
(PID/process not captured) | 216.58.208.174:80 | redirector.gvt1.com | Google Inc. | US | whitelisted
PID 3696, chrome.exe | 216.58.198.14:443 | ogs.google.com | Google Inc. | US | whitelisted

DNS requests (domain, resolved IP, reputation)

linksystems.casa: 109.248.203.236 (suspicious)
clientservices.googleapis.com: 216.58.205.67 (whitelisted)
accounts.google.com: 216.58.206.45 (shared)
www.google.com: 216.58.198.36 (whitelisted)
fonts.googleapis.com: 216.58.198.10 (whitelisted)
www.gstatic.com: 216.58.206.67 (whitelisted)
fonts.gstatic.com: 216.58.209.35 (whitelisted)
apis.google.com: 216.58.205.78 (whitelisted)
ogs.google.com: 216.58.198.14 (whitelisted)
clients2.google.com: 216.58.209.46 (whitelisted)

Threats

PID 3696, chrome.exe | Class: Potentially Bad Traffic | Message: ET INFO Unconfigured nginx Access
No debug info