| Field | Value |
|---|---|
| File name | f0c85a1c9cf80ad424acebbe7af54176d0cb778a639da2f2f59828af5bb79842.xls |
| Full analysis | https://app.any.run/tasks/df8c8013-181e-409d-9831-c2f6e00692c9 |
| Verdict | Malicious activity |
| Analysis date | March 15, 2019, 02:41:43 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.ms-excel |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Qaatil, Last Saved By: Testing, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Aug 28 11:39:29 2018, Last Saved Time/Date: Tue Feb 5 10:04:08 2019, Security: 0 |
| MD5 | A6270064F1630CDF5BCDA858762DB516 |
| SHA1 | 514862E015A43B914971AD9ECE05A3EA0939C6FD |
| SHA256 | F0C85A1C9CF80AD424ACEBBE7AF54176D0CB778A639DA2F2F59828AF5BB79842 |
| SSDEEP | 6144:6Y35qAOJl/YrLYz+WrNhZF+E+W2RnATF3Ht:yd |

| Extension | Description |
|---|---|
| .xls | Microsoft Excel sheet (48) |
| .xls | Microsoft Excel sheet (alternate) (39.2) |

| Property | Value |
|---|---|
| CompObjUserType | Microsoft Office Excel 2003 Worksheet |
| CompObjUserTypeLen | 38 |
| HeadingPairs | |
| TitleOfParts | |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 12 |
| Company | - |
| CodePage | Windows Latin 1 (Western European) |
| Security | None |
| ModifyDate | 2019:02:05 10:04:08 |
| CreateDate | 2018:08:28 10:39:29 |
| Software | Microsoft Excel |
| LastModifiedBy | Testing |
| Author | Qaatil |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3492 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
| 2996 | cmd /c C:\Users\admin\AppData\bat.bat | C:\Windows\system32\cmd.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2108 | attrib +a +h +s "C:\Users\admin\DriveData" | C:\Windows\system32\attrib.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Attribute Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2528 | attrib +a +h +s "C:\Users\admin\Printers" | C:\Windows\system32\attrib.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Attribute Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2860 | attrib +a +h +s "C:\Users\admin\Print" | C:\Windows\system32\attrib.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Attribute Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3304 | reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Files /f | C:\Windows\system32\reg.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3828 | reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Wins /f | C:\Windows\system32\reg.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2256 | reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v BigSyn /f | C:\Windows\system32\reg.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2760 | reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Dataupdate /f | C:\Windows\system32\reg.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3144 | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Files /t REG_SZ /d C:\Users\admin\DriveData\Wins\juchek.exe | C:\Windows\system32\reg.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3492 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRDEA9.tmp.cvr | — | — | — |
| 3492 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\VBF1B6.tmp | — | — | — |
| 2996 | cmd.exe | C:\Users\admin\DriveData\Wins\juchek.ttp | — | — | — |
| 3492 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | E97699E13BD98344BB00BD73973D4258 | FA1B6495A339A3F2A900A255FB50B323D6CE7F8CA6409415DF8A10B84A075EFE |
| 2996 | cmd.exe | C:\Users\admin\DriveData\Wins\win.txt | text | D6A061E87BDF342C866266CFC443006E | F4FA48C5D6CE0CA11695EA0D1C0ACCAAF8050E5717023BBADE3626E79F92361A |
| 2996 | cmd.exe | C:\Users\admin\DriveData\Files\win.txt | text | D6A061E87BDF342C866266CFC443006E | F4FA48C5D6CE0CA11695EA0D1C0ACCAAF8050E5717023BBADE3626E79F92361A |
| 3492 | EXCEL.EXE | C:\Users\admin\AppData\bat.bat | text | 36D4AE4FC464D65F409CCE8E837CE4BD | 57A9A17BAAF61DE5CFFA8B2E2EC340A179E7E1CD70E046CBD832655C44BC7C1D |
| 2996 | cmd.exe | C:\Users\admin\DriveData\Wins\juchek.exe | executable | 19F3545EB0B262A719C6C60A97E1E55C | 62DFEC7FE0025E8863C2252ABB4EC1ABDB4B916B76972910C6A47728BFB648A7 |
| 3492 | EXCEL.EXE | C:\Users\admin\AppData\juchek.ttp | executable | 19F3545EB0B262A719C6C60A97E1E55C | 62DFEC7FE0025E8863C2252ABB4EC1ABDB4B916B76972910C6A47728BFB648A7 |
| 3492 | EXCEL.EXE | C:\Users\admin\Documents\VBF1B7.tmp | text | CE3AA199828757CEDA69E7928016DA86 | 41438FE49FDDA98F3891180F731B47F899BD4C60B92B4A0F181FE333110F685A |