File name: | documento2_532.xls |
Full analysis: | https://app.any.run/tasks/3284454f-5328-4182-ab8b-9e5c2d95a664 |
Verdict: | Malicious activity |
Analysis date: | October 20, 2020, 06:57:00 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: kKKktGiChFXwXic, Last Saved By: administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Oct 20 00:28:50 2020, Last Saved Time/Date: Tue Oct 20 00:52:59 2020, Security: 1 |
MD5: | 38A3900F8C8E06C36495BA26BEF3CB54 |
SHA1: | 87E359917AE2B563A06201B7C2E5108B486E7DD3 |
SHA256: | DEEBE3304488C19CA4D78DBDA7E61C3448F0A3599037ADB572FD33565F49C5FC |
SSDEEP: | 6144:z9YO/tCX+2LMGNon3XSXT3DsE3zx3Wd63aCg4Rw0:2MCXJLMf3CXbAEDdS6Vp |
.xls | | | Microsoft Excel sheet (78.9) |
---|
Author: | kKKktGiChFXwXic |
---|---|
LastModifiedBy: | administrator |
Software: | Microsoft Excel |
CreateDate: | 2020:10:19 23:28:50 |
ModifyDate: | 2020:10:19 23:52:59 |
Security: | Password protected |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: |
|
HeadingPairs: |
|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2724 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3988 | "C:\Windows\System32\rundll32.exe" JMEcrkU.dll,DllRegisterServer | C:\Windows\System32\rundll32.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2384 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
2084 | "C:\Windows\System32\rundll32.exe" JMEcrkU.dll,DllRegisterServer | C:\Windows\System32\rundll32.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2724 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR3F7F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2724 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF7785F6F5FDACA5E6.TMP | — | |
MD5:— | SHA256:— | |||
2384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD2C6.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2724 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:8713BAA4B066D99A13F306D190BAE5B1 | SHA256:5057E8EF9A153DF97BD068FEC6337A3647BA9A08F3D9A815DCBE299FA7A81CC0 | |||
2384 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\documento2_532.xls.LNK | lnk | |
MD5:18EED72A3B0933A12BE00C115E74D720 | SHA256:02B6340C41E0EA5627C834F9AA778C35069E32CE9328EDD01DAD096470FEC000 | |||
2724 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\documento2_532.xls.LNK | lnk | |
MD5:970C8672C9C4804D53262959ED1ABA90 | SHA256:482CEF81A3B6ABE71E02C10B9F408B6FC8E7CD1C1B72FB42AB9672ED4D320BA8 | |||
2724 | EXCEL.EXE | C:\Users\admin\Desktop\documento2_532.xls | document | |
MD5:483703E1CA81ABFAE1441726EF62B4D7 | SHA256:CC828997502B556FBEFD1A5F01CDFFD0D3BE246E21B7B534B87E74462A578B13 | |||
2384 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:8713BAA4B066D99A13F306D190BAE5B1 | SHA256:5057E8EF9A153DF97BD068FEC6337A3647BA9A08F3D9A815DCBE299FA7A81CC0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2384 | EXCEL.EXE | GET | — | 188.130.138.51:80 | http://systemlinks.casa/installa.dll | RU | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 188.130.138.51:80 | systemlinks.casa | Business Consulting LLC | RU | suspicious |
2724 | EXCEL.EXE | 188.130.138.51:80 | systemlinks.casa | Business Consulting LLC | RU | suspicious |
Domain | IP | Reputation |
---|---|---|
systemlinks.casa |
| suspicious |
dns.msftncsi.com |
| shared |