File name: documento2_532.xls

Full analysis: https://app.any.run/tasks/3284454f-5328-4182-ab8b-9e5c2d95a664
Verdict: Malicious activity
Analysis date: October 20, 2020, 06:57:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: kKKktGiChFXwXic, Last Saved By: administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Oct 20 00:28:50 2020, Last Saved Time/Date: Tue Oct 20 00:52:59 2020, Security: 1
MD5: 38A3900F8C8E06C36495BA26BEF3CB54
SHA1: 87E359917AE2B563A06201B7C2E5108B486E7DD3
SHA256: DEEBE3304488C19CA4D78DBDA7E61C3448F0A3599037ADB572FD33565F49C5FC
SSDEEP: 6144:z9YO/tCX+2LMGNon3XSXT3DsE3zx3Wd63aCg4Rw0:2MCXJLMf3CXbAEDdS6Vp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 2724)
      • EXCEL.EXE (PID: 2384)
    • Requests a remote executable file from MS Office
      • EXCEL.EXE (PID: 2384)
  • SUSPICIOUS
    • Uses RUNDLL32.EXE to load library
      • EXCEL.EXE (PID: 2724)
      • EXCEL.EXE (PID: 2384)
  • INFO
    • Reads Internet Cache Settings
      • EXCEL.EXE (PID: 2724)
      • EXCEL.EXE (PID: 2384)
    • Creates files in the user directory
      • EXCEL.EXE (PID: 2724)
      • EXCEL.EXE (PID: 2384)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 2724)
      • EXCEL.EXE (PID: 2384)
    • Manual execution by user
      • EXCEL.EXE (PID: 2384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: kKKktGiChFXwXic
LastModifiedBy: administrator
Software: Microsoft Excel
CreateDate: 2020:10:19 23:28:50
ModifyDate: 2020:10:19 23:52:59
Security: Password protected
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • lnIkpDzi
  • Foglio2
  • Foglio3
  • Foglio4
  • Foglio5
  • Foglio6
  • Foglio7
  • Foglio8
  • Foglio9
  • Foglio10
  • Foglio11
  • Foglio12
  • Foglio13
  • Foglio14
  • Foglio15
  • Foglio16
  • Foglio17
  • Foglio18
  • Foglio19
  • Foglio20
  • Sheet1
  • Y
HeadingPairs:
  • Fogli di lavoro
  • 21
  • Macro di Excel 4.0
  • 1
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → excel.exe → rundll32.exe (no specs); start → excel.exe → rundll32.exe (no specs)

Process information

PID: 2724
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators:
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 14.0.6024.1000

PID: 3988
CMD: "C:\Windows\System32\rundll32.exe" JMEcrkU.dll,DllRegisterServer
Path: C:\Windows\System32\rundll32.exe
Indicators:
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2384
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators:
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID: 2084
CMD: "C:\Windows\System32\rundll32.exe" JMEcrkU.dll,DllRegisterServer
Path: C:\Windows\System32\rundll32.exe
Indicators:
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 237
Read events: 1 110
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 1
Text files: 6
Unknown types: 4

Dropped files

PID 2724, EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR3F7F.tmp.cvr
Type:
MD5:
SHA256:

PID 2724, EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~DF7785F6F5FDACA5E6.TMP
Type:
MD5:
SHA256:

PID 2384, EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRD2C6.tmp.cvr
Type:
MD5:
SHA256:

PID 2724, EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5: 8713BAA4B066D99A13F306D190BAE5B1
SHA256: 5057E8EF9A153DF97BD068FEC6337A3647BA9A08F3D9A815DCBE299FA7A81CC0

PID 2384, EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\documento2_532.xls.LNK
Type: lnk
MD5: 18EED72A3B0933A12BE00C115E74D720
SHA256: 02B6340C41E0EA5627C834F9AA778C35069E32CE9328EDD01DAD096470FEC000

PID 2724, EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\documento2_532.xls.LNK
Type: lnk
MD5: 970C8672C9C4804D53262959ED1ABA90
SHA256: 482CEF81A3B6ABE71E02C10B9F408B6FC8E7CD1C1B72FB42AB9672ED4D320BA8

PID 2724, EXCEL.EXE
Filename: C:\Users\admin\Desktop\documento2_532.xls
Type: document
MD5: 483703E1CA81ABFAE1441726EF62B4D7
SHA256: CC828997502B556FBEFD1A5F01CDFFD0D3BE246E21B7B534B87E74462A578B13

PID 2384, EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5: 8713BAA4B066D99A13F306D190BAE5B1
SHA256: 5057E8EF9A153DF97BD068FEC6337A3647BA9A08F3D9A815DCBE299FA7A81CC0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 3
Threats: 0

HTTP requests

PID: 2384
Process: EXCEL.EXE
Method: GET
HTTP Code:
IP: 188.130.138.51:80
URL: http://systemlinks.casa/installa.dll
CN: RU
Type:
Size:
Reputation: suspicious

Connections

PID:
Process:
IP: 188.130.138.51:80
Domain: systemlinks.casa
ASN: Business Consulting LLC
CN: RU
Reputation: suspicious

PID: 2724
Process: EXCEL.EXE
IP: 188.130.138.51:80
Domain: systemlinks.casa
ASN: Business Consulting LLC
CN: RU
Reputation: suspicious

DNS requests

Domain: systemlinks.casa
IP: 188.130.138.51
Reputation: suspicious

Domain: dns.msftncsi.com
IP: 131.107.255.255
Reputation: shared

Threats

No threats detected
No debug info