File name:	sample2.XLS
Full analysis:	https://app.any.run/tasks/7d8d848d-92fe-4c17-8ee0-4d0404e685ba
Verdict:	Malicious activity
Analysis date:	July 17, 2019, 08:13:21
OS:	Windows 10 Professional (build: 16299, 32 bit)
Tags:	macros macros-on-open maldoc-5
Indicators:
MIME:	application/vnd.ms-excel
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: autore, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Jul 16 12:19:40 2019, Security: 0
MD5:	9582B06BFF0F2B43D6693150FCB49C6A
SHA1:	2A90CA7964576B9210C8F35234214F32B412684E
SHA256:	1145EEE29B0805AFBB9CF03FA578CF79A1F94C43125AE6F3D2867810248FB555
SSDEEP:	3072:PjvlYkRIPPm3eNCZmbpoahZhC0cixIiG0iIFLR8m9xe0VukmBj:rvlYkRIPPm3eNCZmbpoahZhC0cixIiGb

Author:	autore
Software:	Microsoft Excel
CreateDate:	2015:06:05 18:19:34
ModifyDate:	2019:07:16 11:19:40
Security:	None
CodePage:	Windows Latin 1 (Western European)
Company:	-
AppVersion:	16
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	20190716-83748
HeadingPairs:	Fogli di lavoro 1
CompObjUserTypeLen:	42
CompObjUserType:	(Foglio di lavoro di Microsoft Excel 2019


(PID) Process:	(1020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	1
Value: 01E009000000001000BE4E402C02000000000000000400000000000000
(PID) Process:	(1020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(1020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 1
(PID) Process:	(1020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	it-IT
Value: 1
(PID) Process:	(1020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
Operation:	write	Name:	r`?
Value: 72603F00FC030000010000000000000047850D8B773CD50100000000
(PID) Process:	(1020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
Operation:	write	Name:	!a?
Value: 21613F00FC0300000000044001000000ADE60F8B773CD501BE0600001D79B334EEFFF448AC89FE068DB4E036ADE60F8B773CD5010000000000001000BE4E402C000000000600000002000000000000000000556E6B6E6F776E0000000000000000000000000000000000000000000000000000000000000000000DF0ADDE0DF0ADDE0DF0ADDE0DF0ADDE440045004600410055004C00540000005E0000000000600398F25503087DE1045000000000006003A8F25503D0077C0020000000680000007C0D7C00D0077C000000000058000000C820E20400007C000000000078D4640338CCD8042C007C00E4017C00130000002000000000007C0058CCD8040300000020000000FF3F0000B40E7C0000000000B00E7C00D0077C00A0F25503A90D447750000000000000002700000000006003500000000000600330F35503000000000D00000000007C0070A0E104000000000B0000000200000000000000059917EDB0556403040000001708745C50F5550370D8D804D607447707000000D607447700000000C9D1427750000000F8A7E1040400000024F35503D4F25503ECF255038D2A825C43000000B8F5550374F3550300000000F8FFFFFF80F5550394F555030029825C88F5550308000000B8F5550374F355030000000040F6550340000000B129825C280000002F00012E2400000000000000F8646203B0586203E8546203015564031B000000F054620300000000070000000000000000000000000000000000000000000000000000000700000000000000B8F555030000008008000000FFFFFFFF0800000030F6550300000000000000004EDA865CE0F355030100000070D8D804000000001D000000FCF4550380F45503FCF45503B09B6C0350A0E10400000000C09B1D00570022002842D804440045004600410055004C00540000009CF35503000000000000835C00F35503600260031D000000600260031D00000020000000000060034000000000006003C8F45503FCF45503A4F45503D0077C0000000000D0077C0000000000480000000000000000007C00000000002029D70470C9DB0442007C00DC017C0000007C00C890D50400007C00C0C9DB040D000000200000008CC9DB0434087C000000000030087C00A90D4477C0F45503A90D4477400000000000000000000000000060037818835CFFFFFFFFB8F4550372EB715C0100000000000000050000000000000009000000020000000000000040000000000060034800000000000000D6074477E4F45503D607447730000000D6074477000000000000000040000000400000000000600304F55503234F815C0000600300000000400000002000000000006003C8F5550320F55503FE46815C4000000058009A00D0077C0028F555032800000070F7550300007C0000000000087DE1045E0000000000600300F65503087DE104500000000000600310F65503D0077C0020000000680000007C0D7C00D0077C000000000058000000C820E20400007C000000000078D4640338CCD80448007C00E4017C00030000002000000000007C0058CCD8040900000020000000FF3F0000B40E7C0000000000B00E7C00D0077C0008F65503A90D447750000000000000002700000000006003440045004600410055004C00540000000D00000000007C0070A0E104000000000B0000000200000000000000B72A44774CDD2EB3C80600000000600308F8550380DAD804D607447707000000D60744770200000200000000458C00C910A9E104AE0708A14CF65503234F815C000060030200000250000000458C00C90700000018F7550368F65503FE46815C500000007CF65503D607447707000000D607447774F655032F000000EC73FFFF310000005DF9FFFF2026D304359C17EDD80000009574FFFF80F75503CC7C600380D643770000600318F75503E8F75503ECF6550368D4640338CCD80431000000880260030000D304B00E7C0064000000C00060035C8B600301000000FF07000000000000000000000B010000EE42815C390000000000000000000000390000394800B6048B000000D0060000B8F8550301000000E8F7550331000000B09B6C0350A0390027000000DA0000000B0100000100000001000000000000001826D3041826D3040401010102000002E857835C00000000EE42815C310000002026D30402000000C8F755039100015C10A9E104FEFFFFFF3100000064F85502600260030000000000000000110000003100000031000000E89A6C03C09D6C0364F855039073497704022BC7FEFFFFFF00F85503070E4477C8060000D0060000A48D6003E4F7550398F8550300006003000060030000000040AC6C03F0F755030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003
(PID) Process:	(1020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

PID	Process	Filename		Type
1020	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\~DF169BA7242E4DE96B.TMP		—
		MD5:—	SHA256:—
1020	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\~DFF78A73433917DBED.TMP		—
		MD5:—	SHA256:—
1020	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\~DF0EE690CFE9221897.TMP		—
		MD5:—	SHA256:—
3756	powErsHell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2uf1futw.wiv.ps1		—
		MD5:—	SHA256:—
3756	powErsHell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x4cyz2wq.kaw.psm1		—
		MD5:—	SHA256:—
1020	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\~DF5D4FE50DC5F602D3.TMP		—
		MD5:—	SHA256:—
1020	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\~DF22891B1A824CBA16.TMP		—
		MD5:—	SHA256:—
1020	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\~DF2ADE026E654A8591.TMP		—
		MD5:—	SHA256:—
1020	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm		—
		MD5:—	SHA256:—
1020	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3756	powErsHell.exe	GET	200	185.158.249.75:443	https://woeiuyfgowe.xyz/image.php?2019-07-17T10:14:03.0040809	NL	text	198 Kb	suspicious
—	—	POST	200	40.90.23.223:443	https://login.live.com/RST2.srf	US	xml	11.2 Kb	whitelisted
—	—	POST	200	40.90.23.223:443	https://login.live.com/RST2.srf	US	xml	9.83 Kb	whitelisted
1020	EXCEL.EXE	POST	200	52.114.75.78:443	https://self.events.data.microsoft.com/OneCollector/1.0/	NL	text	64 b	whitelisted
3164	SystemSettings.exe	GET	200	152.199.19.161:443	https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset	US	html	15.6 Kb	whitelisted
—	—	POST	200	40.90.23.223:443	https://login.live.com/RST2.srf	US	xml	9.83 Kb	whitelisted
1840	svchost.exe	GET	200	13.74.179.117:443	https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x86/10.0.16299.0/0?CH=469&L=en-US&P=&PT=0x30&WUA=10.0.16299.98&MK=DELL&MD=DELL	IE	compressed	31.4 Kb	whitelisted
—	—	POST	200	40.90.23.223:443	https://login.live.com/RST2.srf	US	xml	11.2 Kb	whitelisted
1020	EXCEL.EXE	GET	200	52.109.32.27:443	https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1040&uilcid=1033&build=16.0.11328&crev=3	GB	xml	103 Kb	whitelisted
1628	svchost.exe	GET	200	2.16.186.120:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	unknown	der	555 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.90.23.223:443	login.live.com	Microsoft Corporation	US	unknown
1020	EXCEL.EXE	13.107.3.128:443	config.edge.skype.com	Microsoft Corporation	US	whitelisted
1020	EXCEL.EXE	52.114.75.78:443	self.events.data.microsoft.com	Microsoft Corporation	NL	unknown
3756	powErsHell.exe	185.158.249.75:443	woeiuyfgowe.xyz	easystores GmbH	NL	suspicious
1628	svchost.exe	93.184.220.29:80	ocsp.digicert.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
1628	svchost.exe	2.18.233.62:80	www.microsoft.com	Akamai International B.V.	—	whitelisted
1020	EXCEL.EXE	52.109.32.27:443	officeclient.microsoft.com	Microsoft Corporation	GB	whitelisted
1628	svchost.exe	2.16.186.120:80	crl.microsoft.com	Akamai International B.V.	—	whitelisted
1020	EXCEL.EXE	52.109.76.31:443	nexusrules.officeapps.live.com	Microsoft Corporation	IE	whitelisted
3164	SystemSettings.exe	152.199.19.161:443	onecs-live.azureedge.net	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted

Domain	IP	Reputation
login.live.com	40.90.23.223 40.90.23.211 40.90.23.213	whitelisted
self.events.data.microsoft.com	52.114.75.78	whitelisted
config.edge.skype.com	13.107.3.128	malicious
woeiuyfgowe.xyz	185.158.249.75	suspicious
nexusrules.officeapps.live.com	52.109.76.31	whitelisted
ocsp.digicert.com	93.184.220.29	whitelisted
crl.microsoft.com	2.16.186.120 2.16.186.74	whitelisted
www.microsoft.com	2.18.233.62	whitelisted
officeclient.microsoft.com	52.109.32.27	whitelisted
onecs-live.azureedge.net	152.199.19.161	whitelisted

Process	Message
conhost.exe	InitSideBySide failed create an activation context. Error: 1814
conhost.exe	InitSideBySide failed create an activation context. Error: 1814
EXCEL.EXE	2019-07-17 08:17:23.664 T#684 <E> [AriaSDK.PAL] PAL is already shutdown!

General Info

sample2.XLS

9582B06BFF0F2B43D6693150FCB49C6A

2A90CA7964576B9210C8F35234214F32B412684E

1145EEE29B0805AFBB9CF03FA578CF79A1F94C43125AE6F3D2867810248FB555

3072:PjvlYkRIPPm3eNCZmbpoahZhC0cixIiG0iIFLR8m9xe0VukmBj:rvlYkRIPPm3eNCZmbpoahZhC0cixIiGb

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Scans artifacts that could help determine the target

SUSPICIOUS

Executed via WMI

PowerShell script executed

Uses RUNDLL32.EXE to load library

Creates files in the user directory

Application launched itself

Reads Environment values

INFO

Reads the software policy settings

Reads settings of System Certificates

Creates files in the user directory

Manual execution by user

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings