analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

2441892418.xls

Full analysis: https://app.any.run/tasks/0d510ed9-b135-4376-88af-0db8e480410a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 04:32:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
trojan
loader
qbot
maldoc-42
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Sep 29 12:36:11 2020, Security: 0
MD5:

82C564B3565667B60256BA0B2CBF8835

SHA1:

0BAFD2B5523CC74F61E810428C4FB0E5C34CF4B8

SHA256:

E5D4A4DB656F02F5DC840E8D8EF362F479C4D65A53CFAC408007A31236607B17

SSDEEP:

1536:j/7uDphYHceXVhca+fMHLtyeGxcl8/dgKD6yzsFyBCKHtfBE:j/7uDphYHceXVhca+fMHLtyeGxcl8/ds

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3648)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 3648)

    • Application was dropped or rewritten from another process

      • Feryrtc.exe (PID: 924)
      • Feryrtc.exe (PID: 3216)
      • ytfovlym.exe (PID: 1292)
      • ytfovlym.exe (PID: 2600)

    • QBOT was detected

      • Feryrtc.exe (PID: 924)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2756)

  • SUSPICIOUS

    • Application launched itself

      • Feryrtc.exe (PID: 924)
      • ytfovlym.exe (PID: 1292)

    • Executable content was dropped or overwritten

      • Feryrtc.exe (PID: 924)
      • cmd.exe (PID: 2756)

    • Creates files in the user directory

      • Feryrtc.exe (PID: 924)

    • Starts CMD.EXE for commands execution

      • Feryrtc.exe (PID: 924)

    • Starts itself from another location

      • Feryrtc.exe (PID: 924)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3648)

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 3648)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 3648)

    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 2756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

HeadingPairs:
  • Листы
  • 3
  • Макросы Excel 4.0
  • 1
TitleOfParts:
  • DocuSign®
  • Лист1
  • Лист2
  • Лист3
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 14
CodePage: Windows Cyrillic
Security: None
ModifyDate: 2020:09:29 11:36:11
CreateDate: 2006:09:16 00:00:00
Software: Microsoft Excel
LastModifiedBy: -
Author: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start excel.exe #QBOT feryrtc.exe feryrtc.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3648"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
924"C:\Asuses\gramyuta\Feryrtc.exe" C:\Asuses\gramyuta\Feryrtc.exe
EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3216C:\Asuses\gramyuta\Feryrtc.exe /CC:\Asuses\gramyuta\Feryrtc.exeFeryrtc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1292C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeFeryrtc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2756"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Asuses\gramyuta\Feryrtc.exe"C:\Windows\System32\cmd.exe
Feryrtc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2132ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2600C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2556C:\Windows\explorer.exeC:\Windows\explorer.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
769
Read events
709
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
3
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
3648EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR7734.tmp.cvr
MD5:
SHA256:
3648EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:0DFBD6845B6E5DDF445C36B8278C161F
SHA256:A66EEE5C80D0CDDA7CBEACCC2B013B8ABF9D76BC87321C804731BDF94B05C3C1
2556explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:A119B21A5A58F3640DFCFE11BBDEE14F
SHA256:A8B95269BD86BD00DCD464B99EB23F68AC1FE71FC62C1F4E81188CBC38DC7A06
924Feryrtc.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:40ECE3D82B955A3AC9DE6AF33BDA705A
SHA256:895A7EDCBE1A1FF5028941E127B430122F6B74CD2D9EA7ED50E517D5E6FC3C52
3648EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\2441892418.xls.LNKlnk
MD5:F738E2363814342C11514BA107AE602E
SHA256:55FD96209DC1F001610ADE329FF7A96F5D38C70C74388CB85115DAA16DDA1DD4
3648EXCEL.EXEC:\Asuses\gramyuta\Feryrtc.exeexecutable
MD5:EAD7665D3F904228CEC94B6E7DE80C5C
SHA256:CDABA04E9D3F19DAA3B2176DD9A78046361664112777B1F2DBF0758D66B28E19
3648EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\88888[1].pngexecutable
MD5:EAD7665D3F904228CEC94B6E7DE80C5C
SHA256:CDABA04E9D3F19DAA3B2176DD9A78046361664112777B1F2DBF0758D66B28E19
924Feryrtc.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:EAD7665D3F904228CEC94B6E7DE80C5C
SHA256:CDABA04E9D3F19DAA3B2176DD9A78046361664112777B1F2DBF0758D66B28E19
2756cmd.exeC:\Asuses\gramyuta\Feryrtc.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3648
EXCEL.EXE
GET
200
41.185.103.105:80
http://www.designerconceptsonline.co.za/vauwvgmkcuw/88888.png
ZA
executable
231 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3648
EXCEL.EXE
41.185.103.105:80
www.designerconceptsonline.co.za
webafrica
ZA
malicious

DNS requests

Domain
IP
Reputation
www.designerconceptsonline.co.za
  • 41.185.103.105
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
3648
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3648
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3648
EXCEL.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3648
EXCEL.EXE
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
3648
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
3648
EXCEL.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2441892418.xls