Field | Value |
---|---|
File name | Paymentadvice.xlsx |
Full analysis | https://app.any.run/tasks/45245ab2-b94c-4068-a9c7-483b0fd7f90f |
Verdict | Malicious activity |
Threats | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold. |
Analysis date | March 14, 2019, 13:34:00 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags | |
Indicators | |
MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info | Microsoft Excel 2007+ |
MD5 | 77C25F788EF53769BACE7EEDA30C2009 |
SHA1 | D6956D7AB4DF07C0025D0A5ED58A2A4F6D1C54F1 |
SHA256 | F44EE86652999164C7D40D90C97F924C2C0E8D500E342ED1EC4B9558571DBFF6 |
SSDEEP | 768:NnSlNxqmSKKsxqCbTAX1QM8Txw3txxI0AVrQYDi3d08GmplnVkIz9EfxJ:FSlWJsgCfAFIxU0DoNkIzuJ |
Extension | Identification (score) |
---|---|
.xlsx | Excel Microsoft Office Open XML Format document (61.2) |
.zip | Open Packaging Conventions container (31.5) |
.zip | ZIP compressed archive (7.2) |
Property | Value |
---|---|
AppVersion | 12 |
HyperlinksChanged | No |
SharedDoc | No |
LinksUpToDate | No |
Company | - |
TitlesOfParts | |
HeadingPairs | |
ScaleCrop | No |
DocSecurity | None |
Application | Microsoft Excel |
ModifyDate | 2019:03:04 04:41:20Z |
CreateDate | 2006:09:16 00:00:00Z |
LastModifiedBy | - |
Creator | - |
Property | Value |
---|---|
ZipFileName | [Content_Types].xml |
ZipUncompressedSize | 1947 |
ZipCompressedSize | 425 |
ZipCRC | 0xf9b9528b |
ZipModifyDate | 2019:03:13 23:44:18 |
ZipCompression | Deflated |
ZipBitFlag | 0x0002 |
ZipRequiredVersion | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1640 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
2596 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe |
3000 | C:\Users\admin\AppData\Local\Temp\nbvcx.exe | C:\Users\admin\AppData\Local\Temp\nbvcx.exe | — | EQNEDT32.EXE |
2312 | :\Users\admin\AppData\Local\Temp\nbvcx.exe | C:\Users\admin\AppData\Local\Temp\nbvcx.exe | | nbvcx.exe |
2800 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\SysWOW64\eventvwr.exe | — | nbvcx.exe |
2772 | "C:\Windows\SysWOW64\eventvwr.exe" | C:\Windows\SysWOW64\eventvwr.exe | | nbvcx.exe |
544 | "C:\Users\admin\AppData\Local\Temp\8edf29e3-ce99-451c-884e-2303f15ee2a2.exe" C:\Users\admin\AppData\Local\Temp\4572c12e-00a9-461c-918c-1d7734a7d6fc.tmp | C:\Users\admin\AppData\Local\Temp\8edf29e3-ce99-451c-884e-2303f15ee2a2.exe | | nbvcx.exe |

Process details:

PID | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|
1640 | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 0 | 14.0.4756.1000 |
2596 | admin | Design Science, Inc. | MEDIUM | Microsoft Equation Editor | 0 | 00110900 |
3000 | admin | Umps | MEDIUM | Augiteporphyrite | 0 | 8.08.0001 |
2312 | admin | Umps | MEDIUM | Augiteporphyrite | | 8.08.0001 |
2800 | admin | Microsoft Corporation | MEDIUM | Event Viewer Snapin Launcher | 3221226540 | 6.1.7600.16385 (win7_rtm.090713-1255) |
2772 | admin | Microsoft Corporation | HIGH | Event Viewer Snapin Launcher | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
544 | admin | | MEDIUM | | 0 | 0.0.0.0 |
(PID) Process | Key | Operation | Name | Value |
---|---|---|---|---|
(1640) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | write | v2$ | 7632240068060000010000000000000000000000 |
(1640) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off |
(1640) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | On |
(1640) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | write | MTTT | 680600000EB4B89B6ADAD40100000000 |
(1640) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | delete value | v2$ | 7632240068060000010000000000000000000000 |
(1640) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | delete key | | |
(1640) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency | delete key | | |
(1640) EXCEL.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | write | EXCELFiles | 1315831831 |
(1640) EXCEL.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | write | ProductFiles | 1315831934 |
(1640) EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1640 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRFAF6.tmp.cvr | — | — | — |
1640 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E997D8B1.png | — | — | — |
1640 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\865586FE.png | — | — | — |
1640 | EXCEL.EXE | C:\Users\admin\Desktop\~$Paymentadvice.xlsx | — | — | — |
1640 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Paymentadvice.LNK | lnk | 28624137FFB5C14BED6247749251CE2F | 110008C8F5E7A80AE450B801AD9766CFA9F54CA0B40B2E9C54306E36561FD916 |
2312 | nbvcx.exe | C:\Users\admin\AppData\Local\Temp\8edf29e3-ce99-451c-884e-2303f15ee2a2.exe | executable | AFC242F6E1D17A413E034F9EAB70E28B | 5FF4BEA99B66DA3E069F890D298B54CBB4809631CAD7224E2AD8664E8BC3729D |
2596 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Temp\nbvcx.exe | executable | 5C173C26C57E0D0249F6E5E3EC1362F0 | B4BF672CFC8F70D09393EAC68D203B204C14ECAD7F00ED2FB17D7D39AA4BABA4 |
3000 | nbvcx.exe | C:\Users\admin\AppData\Local\Temp\~DF83CCBF87CC1F2FBF.TMP | binary | 7B7BCAC37973BC6CCDA8396E9A021C8E | CAB361D91CB67B0BA82071C4E6EA912364E94D35E5ECA3FF95B5DEFB75644F0C |
2596 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\du[1].com | executable | 5C173C26C57E0D0249F6E5E3EC1362F0 | B4BF672CFC8F70D09393EAC68D203B204C14ECAD7F00ED2FB17D7D39AA4BABA4 |
1640 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | F7B6CAC7F188EB792D18081CDBEA3A0B | E6CB618FDCEF31BA718560DD734A256C03A61CFA496FFD9F2EC5D4DAB1D4F04E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2596 | EQNEDT32.EXE | GET | 200 | 204.93.161.26:80 | http://simplex-express.com/zs/du.com | US | executable | 970 Kb | suspicious |
2312 | nbvcx.exe | GET | 200 | 52.200.125.74:80 | http://checkip.amazonaws.com/ | US | text | 16 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2312 | nbvcx.exe | 208.91.199.223:587 | smtp.tpczj.biz | PDR | US | shared |
2596 | EQNEDT32.EXE | 204.93.161.26:80 | simplex-express.com | Server Central Network | US | suspicious |
2312 | nbvcx.exe | 52.200.125.74:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
Domain | IP | Reputation |
---|---|---|
simplex-express.com | | suspicious |
smtp.tpczj.biz | | malicious |
checkip.amazonaws.com | | shared |
PID | Process | Class | Message |
---|---|---|---|
2596 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2596 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2312 | nbvcx.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2312 | nbvcx.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
2312 | nbvcx.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP |