| Field | Value |
|---|---|
| File name | eed5945c36ba22a2531dd2d9dd7bc4e17e68544d512be75670919caf287c1b4a.xls |
| Full analysis | https://app.any.run/tasks/1376e6f3-d0d0-4e67-a15c-34e9931f6f29 |
| Verdict | Malicious activity |
| Analysis date | January 17, 2019, 21:52:51 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.ms-excel |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 950, Last Saved By: Windows , Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Apr 17 04:04:50 2015, Last Saved Time/Date: Tue Dec 5 16:58:17 2017, Security: 0 |
| MD5 | 48E03A26FBC82DFB5B0E62A0EBC00BCE |
| SHA1 | 760D04A12369628B37E2EB1E2B5D00712BC048B3 |
| SHA256 | EED5945C36BA22A2531DD2D9DD7BC4E17E68544D512BE75670919CAF287C1B4A |
| SSDEEP | 6144:2exjAPC07ELi14dO2NlvhqxYKkCnLatihg3oYHJC4RPlB+Te1A9oesaTYztE3cZe:3+TevaTEG3casG |
| Extension | Description |
|---|---|
| .xls | Microsoft Excel sheet (48) |
| .xls | Microsoft Excel sheet (alternate) (39.2) |
| Property | Value |
|---|---|
| LastModifiedBy | Windows 使用者 |
| Software | Microsoft Excel |
| CreateDate | 2015:04:17 03:04:50 |
| ModifyDate | 2017:12:05 16:58:17 |
| Security | None |
| CodePage | Windows Traditional Chinese (Taiwan) |
| AppVersion | 15 |
| ScaleCrop | No |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| TitleOfParts | |
| HeadingPairs | |
| CompObjUserTypeLen | 28 |
| CompObjUserType | Microsoft Excel 2003 工作表 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3012 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 | | | |
| 3504 | C:\Users\admin\AppData\Local\Temp\wscript.exe | C:\Users\admin\AppData\Local\Temp\wscript.exe | — | EXCEL.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Bit Service; Version: 2,1,6164,17541 | | | |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3012 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | f/, | 662F2C00C40B0000010000000000000000000000 |
| 3012 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | Off |
| 3012 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | On |
| 3012 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | MTTT | C40B000084EE4A09AFAED40100000000 |
| 3012 | EXCEL.EXE | delete value | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | f/, | 662F2C00C40B0000010000000000000000000000 |
| 3012 | EXCEL.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | | |
| 3012 | EXCEL.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency | | |
| 3012 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
| 3012 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
| 3012 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\20ECC6 | 20ECC6 | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3012 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRE766.tmp.cvr | — | — | — |
| 3012 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\wscript.exe | executable | 783E2F1FD25D493B17E790D4BF602A2A | 18EC68E1BD9B11F22E481D48C415F8D80EDB76E9032BA4E1D31D87E16EED9959 |