analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

3d0be12a336816e34ae5703f7e8ef2821f2c192e.xls

Full analysis: https://app.any.run/tasks/700b1c5b-e4b8-4ce0-aa92-bbac69c77c81
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 13:52:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
loader
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: DELL, Last Saved By: DELL, Create Time/Date: Wed Sep 30 09:43:02 2020, Last Saved Time/Date: Wed Sep 30 09:43:02 2020, Security: 0
MD5:

12C38F68535836D33A57D6D0A7F7697C

SHA1:

3D0BE12A336816E34AE5703F7E8EF2821F2C192E

SHA256:

E25E35094BBEE6D2F045032A829E068C8D8D4A25B407B28F4589ED3C29731F17

SSDEEP:

6144:Wk3hOdsylKlgryzc4bNhZF+E+W2kn68u0keNXFL318Aeu3bjbAOiOEc8ICtLtBDI:ru03NXB31lf7jnEnIgLt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 3576)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3576)

    • Application was dropped or rewritten from another process

      • svchost32.exe (PID: 2632)
      • osign.exe (PID: 2576)
      • InstallUtil.exe (PID: 3400)

    • Requests a remote executable file from MS Office

      • EXCEL.EXE (PID: 3576)

    • Loads dropped or rewritten executable

      • svchost32.exe (PID: 2632)
      • osign.exe (PID: 2576)

    • Downloads executable files from IP

      • EXCEL.EXE (PID: 3576)

    • Changes the autorun value in the registry

      • reg.exe (PID: 3880)

    • Actions looks like stealing of personal data

      • InstallUtil.exe (PID: 3400)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • svchost32.exe (PID: 2632)

    • Starts CMD.EXE for commands execution

      • svchost32.exe (PID: 2632)

    • Starts itself from another location

      • svchost32.exe (PID: 2632)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2604)

    • Reads Environment values

      • InstallUtil.exe (PID: 3400)

  • INFO

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 3576)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 3576)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3576)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

Author: DELL
LastModifiedBy: DELL
CreateDate: 2020:09:30 08:43:02
ModifyDate: 2020:09:30 08:43:02
Security: None
CodePage: Windows Latin 1 (Western European)
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Sheet 1
HeadingPairs:
  • Worksheets
  • 1
CompObjUserTypeLen: 31
CompObjUserType: Microsoft Excel 2003 Worksheet
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start excel.exe svchost32.exe cmd.exe no specs reg.exe osign.exe no specs installutil.exe

Process information

PID
CMD
Path
Indicators
Parent process
3576"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2632"C:\Users\Public\svchost32.exe" C:\Users\Public\svchost32.exe
EXCEL.EXE
User:
admin
Company:
r;24a,#0f5s]u
Integrity Level:
MEDIUM
Description:
u,78r&]5zx(1*6do_0)4t
Exit code:
0
Version:
1.1.2.2
2604"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v sobm /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\admin\osign.exe"C:\Windows\system32\cmd.exesvchost32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3880REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v sobm /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\admin\osign.exe"C:\Windows\system32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2576"C:\Users\admin\osign.exe" C:\Users\admin\osign.exesvchost32.exe
User:
admin
Company:
r;24a,#0f5s]u
Integrity Level:
MEDIUM
Description:
u,78r&]5zx(1*6do_0)4t
Exit code:
0
Version:
1.1.2.2
3400"C:\Users\admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\admin\AppData\Local\Temp\InstallUtil.exe
osign.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
.NET Framework installation utility
Version:
4.7.3062.0 built by: NET472REL1
Total events
953
Read events
868
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
0
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
3576EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRA70E.tmp.cvr
MD5:
SHA256:
3576EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\DFI-63078[1].jpgexecutable
MD5:B7EC3E3E0F5C3114DC06399434178CB3
SHA256:36BD1B916C5FDDC7CAB66F5CF0DC406849B3D6EAB594C47896475DACA4F84766
2632svchost32.exeC:\Users\admin\osign.exeexecutable
MD5:B7EC3E3E0F5C3114DC06399434178CB3
SHA256:36BD1B916C5FDDC7CAB66F5CF0DC406849B3D6EAB594C47896475DACA4F84766
3576EXCEL.EXEC:\Users\Public\svchost32.exeexecutable
MD5:B7EC3E3E0F5C3114DC06399434178CB3
SHA256:36BD1B916C5FDDC7CAB66F5CF0DC406849B3D6EAB594C47896475DACA4F84766
3576EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\3d0be12a336816e34ae5703f7e8ef2821f2c192e.xls.LNKlnk
MD5:808AEA11EC8664E8692D035FC0FE3A4A
SHA256:22FA20BA03AC5A5E86A03821CB15BFCB557A7FCB79A52B6D6648436283DBE79C
3576EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:6814E8E6DE2B8F23518B60340341A060
SHA256:A7974A090A678CFB200A4A4A8651AFE07EE61369A8312ECE8BD6D3447254B3B1
2632svchost32.exeC:\Users\admin\AppData\Local\Temp\a6a0b8a6-4761-4357-9a31-0eca6ad70093\f.dllexecutable
MD5:14FF402962AD21B78AE0B4C43CD1F194
SHA256:FB9646CB956945BDC503E69645F6B5316D3826B780D3C36738D6B944E884D15B
2632svchost32.exeC:\Users\admin\AppData\Local\Temp\InstallUtil.exeexecutable
MD5:91C9AE9C9A17A9DB5E08B120E668C74C
SHA256:E56A7E5D3AB9675555E2897FC3FAA2DD9265008A4967A7D54030AB8184D2D38F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3576
EXCEL.EXE
GET
200
185.33.85.52:80
http://185.33.85.52/FR/DFI-63078.jpg
GB
executable
402 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3400
InstallUtil.exe
54.235.182.194:443
api.ipify.org
Amazon.com, Inc.
US
suspicious
3576
EXCEL.EXE
185.33.85.52:80
GB
malicious
3400
InstallUtil.exe
77.88.21.158:587
smtp.yandex.ru
YANDEX LLC
RU
whitelisted

DNS requests

Domain
IP
Reputation
api.ipify.org
  • 54.235.182.194
shared
smtp.yandex.ru
  • 77.88.21.158
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
3d0be12a336816e34ae5703f7e8ef2821f2c192e.xls