| Field | Value |
|---|---|
| File name: | 4MAY_177.xls |
| Full analysis: | https://app.any.run/tasks/a27db4c2-c83e-4d51-9417-b5ee244ae53d |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | May 04, 2020, 20:28:26 |
| OS: | Windows 10 Professional (build: 16299, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.ms-excel |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon May 4 17:32:23 2020, Last Saved Time/Date: Mon May 4 17:53:35 2020, Security: 1 |
| MD5: | 5C6853F5433112583BD663B5D52CF2C8 |
| SHA1: | 5009F541779E260BE8B4AD87AC998413CEAEE525 |
| SHA256: | FB47082C64D66D09312CC0E8336F49369AFE502B466FD13A1224E0E065D19917 |
| SSDEEP: | 12288:0d1WfADU3UREm0q5e2yR0G6GINp2OSo9aa0ej1PgiLlg+k:0NDUEdvPymGsTSob0eJPVC+k |

| Extension | Description |
|---|---|
| .xls | Microsoft Excel sheet (78.9) |

| Property | Value |
|---|---|
| Author: | - |
| LastModifiedBy: | - |
| Software: | Microsoft Excel |
| CreateDate: | 2020:05:04 16:32:23 |
| ModifyDate: | 2020:05:04 16:53:35 |
| Security: | Password protected |
| CodePage: | Windows Cyrillic |
| Company: | - |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | |
| HeadingPairs: | |

| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 552 | "C:\ProgramData\bWLfWNa.exe" | C:\ProgramData\bWLfWNa.exe | — | DllHost.exe | admin | DragonQuest | HIGH | I hope someone learns something from this | 0 | 1.0.0.0 |
| 724 | C:\WINDOWS\system32\ApplicationFrameHost.exe -Embedding | C:\WINDOWS\system32\ApplicationFrameHost.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Application Frame Host | 0 | 10.0.16299.15 (WinBuild.160101.0800) |
| 860 | C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\WINDOWS\SysWOW64\DllHost.exe | — | svchost.exe | admin | Microsoft Corporation | HIGH | COM Surrogate | 0 | 10.0.16299.15 (WinBuild.160101.0800) |
| 1724 | C:\WINDOWS\system32\wermgr.exe | C:\WINDOWS\system32\wermgr.exe | | bWLfWNa.exe | admin | Microsoft Corporation | HIGH | Windows Problem Reporting | 0 | 10.0.16299.15 (WinBuild.160101.0800) |
| 4452 | C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding | C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Speech Runtime Executable | 0 | 10.0.16299.15 (WinBuild.160101.0800) |
| 4612 | "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca | C:\WINDOWS\system32\backgroundTaskHost.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Background Task Host | 1 | 10.0.16299.15 (WinBuild.160101.0800) |
| 4952 | "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel | C:\Windows\ImmersiveControlPanel\SystemSettings.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Settings | 0 | 10.0.16299.15 (WinBuild.160101.0800) |
| 5780 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\4MAY_177.xls" | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 0 | 16.0.12026.20264 |
| 5836 | C:\Windows\System32\RuntimeBroker.exe -Embedding | C:\Windows\System32\RuntimeBroker.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Runtime Broker | 0 | 10.0.16299.15 (WinBuild.160101.0800) |
| 5872 | "C:\ProgramData\bWLfWNa.exe" | C:\ProgramData\bWLfWNa.exe | — | EXCEL.EXE | admin | DragonQuest | MEDIUM | I hope someone learns something from this | 0 | 1.0.0.0 |

| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 5780 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling | 1 | 01D014000000001000284FFA2E02000000000000000500000000000000 |
| 5780 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\Common\CrashPersistence\EXCEL\5780 | 0 | 0B0E10433974A18C06164888343EC2A118CC70230046A89DE4D7A9CA88EB016A0410240044FA5D64A89E01008500A907556E6B6E6F776EC9062E226D2B484F4D616659574A5464337373702B3165327141506A326C775347586F6C4A7635624B6E337449506B3D2200 |
| 5780 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | en-US | 2 |
| 5780 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | es-es | 2 |
| 5780 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | de-de | 2 |
| 5780 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | fr-fr | 2 |
| 5780 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | it-it | 2 |
| 5780 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | ja-jp | 2 |
| 5780 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | ko-kr | 2 |
| 5780 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | pt-br | 2 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 5780 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4OPB0R2NL2DNQF1BX7D3.temp | — | — | — |
| 5780 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E24NA3BGUG3C9KS5D34W.temp | — | — | — |
| 5780 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\.ses | text | — | — |
| 5780 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFAECBBEABDBA52F34.TMP | — | — | — |
| 5780 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm | — | — | — |
| 5780 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal | — | — | — |
| 4952 | SystemSettings.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YFMTKU18IH40499UF7AS.temp | — | — | — |
| 5780 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\4MAY_177.xls.LNK | lnk | — | — |
| 5780 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLQBH2R9\278EYJSFYHMS[1].exe | executable | — | — |
| 5872 | bWLfWNa.exe | C:\Users\admin\AppData\Local\Temp\logC0C7.tmp | text | — | — |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 5780 | EXCEL.EXE | GET | 200 | 149.255.58.66:443 | https://toulousa.com/omg/rockspa.php | GB | executable | 748 Kb | whitelisted |
| 5780 | EXCEL.EXE | POST | 200 | 52.114.158.91:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | US | text | 60 b | whitelisted |
| 5780 | EXCEL.EXE | GET | 200 | 13.107.3.128:443 | https://config.edge.skype.com/config/v2/Office/excel/16.0.12026.20264/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.12026.20264&MsoVersion=16.0.12026.20194&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7bA1743943-068C-4816-8834-3EC2A118CC70%7d&LabMachine=false | US | text | 84.2 Kb | malicious |
| 1724 | wermgr.exe | POST | 200 | 40.90.137.124:443 | https://login.live.com/RST2.srf | US | xml | 1.29 Kb | whitelisted |
| 1724 | wermgr.exe | POST | 200 | 40.90.137.124:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | whitelisted |
| 1724 | wermgr.exe | POST | 200 | 40.90.137.124:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | whitelisted |
| 1724 | wermgr.exe | POST | 200 | 40.90.137.124:443 | https://login.live.com/RST2.srf | US | xml | 1.98 Kb | whitelisted |
| 1724 | wermgr.exe | POST | 200 | 40.90.137.124:443 | https://login.live.com/RST2.srf | US | xml | 10.6 Kb | whitelisted |
| 1724 | wermgr.exe | POST | 200 | 40.90.137.124:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | whitelisted |
| 1724 | wermgr.exe | POST | 200 | 40.90.137.124:443 | https://login.live.com/RST2.srf | US | xml | 1.98 Kb | whitelisted |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 5780 | EXCEL.EXE | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
| 5780 | EXCEL.EXE | 149.255.58.66:443 | toulousa.com | Awareness Software Limited | GB | suspicious |
| 5780 | EXCEL.EXE | 52.114.158.91:443 | self.events.data.microsoft.com | Microsoft Corporation | US | unknown |
| 1724 | wermgr.exe | 121.100.19.18:449 | — | PT Indonesia Comnets Plus | ID | malicious |
| 3296 | svchost.exe | 20.191.48.196:443 | settings-win-ppe.data.microsoft.com | Microsoft Corporation | US | unknown |
| 4572 | svchost.exe | 40.90.137.124:443 | login.live.com | Microsoft Corporation | US | unknown |

| Domain | IP | Reputation |
|---|---|---|
| config.edge.skype.com | | malicious |
| toulousa.com | | whitelisted |
| self.events.data.microsoft.com | | whitelisted |
| settings-win-ppe.data.microsoft.com | | whitelisted |
| login.live.com | | whitelisted |

| PID | Process | Class | Message |
|---|---|---|---|
| 1724 | wermgr.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 3 |
| 1724 | wermgr.exe | Not Suspicious Traffic | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) |
| 1724 | wermgr.exe | Not Suspicious Traffic | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) |