File name: 21ebeed6ba59722314cde53bc78fe372898b33e6c39d131ef97b7bf0b65d1f37

Full analysis: https://app.any.run/tasks/3ed18bf6-fbe9-4d8f-85c6-930c9ac19081
Verdict: Malicious activity
Analysis date: December 13, 2024, 21:49:44
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: macros, macros-on-open, macros-on-close
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:17:20 2015, Last Saved Time/Date: Fri Oct 1 09:14:35 2021, Security: 0
MD5: 3152AF839F0FC5E681254A76920AB911
SHA1: C41651010E2D52B3D25D86785824E9C59C9C473E
SHA256: 21EBEED6BA59722314CDE53BC78FE372898B33E6C39D131EF97B7BF0B65D1F37
SSDEEP: 3072:Nnkjck8ycfj6fCgkci+JPgtP4HRP89NwVrVzCKFwRa25xyO:Z8cNyMj6agkctItP4HRqNf3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Registers / Runs the DLL via REGSVR32.EXE
      • EXCEL.EXE (PID: 3700)
    • Calls Win API functions (MACROS)
      • EXCEL.EXE (PID: 3700)
    • Unusual execution from MS Office
      • EXCEL.EXE (PID: 3700)
  • SUSPICIOUS
    • Connects to the server without a host name
      • EXCEL.EXE (PID: 3700)
    • Sets XML DOM element text (SCRIPT)
      • splwow64.exe (PID: 2756)
  • INFO
    • Reads security settings of Internet Explorer
      • splwow64.exe (PID: 2756)
    • The process uses the downloaded file
      • EXCEL.EXE (PID: 3700)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

Author: Test
LastModifiedBy: Test
Software: Microsoft Excel
CreateDate: 2015:06:05 18:17:20
ModifyDate: 2021:10:01 09:14:35
Security: None
CodePage: Windows Cyrillic
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Sheet1
HeadingPairs:
  • Worksheets
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Excel 2003 Worksheet
No data.
All screenshots are available in the full report
Total processes: 128
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

explorer.exe
  └ EXCEL.EXE (PID 3700)
      ├ regsvr32.exe (PID 6056, no specs)
      ├ regsvr32.exe (PID 4244, no specs)
      ├ regsvr32.exe (PID 1140, no specs)
      └ splwow64.exe (PID 2756, no specs)

Process information

PID 3700
  CMD: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" C:\Users\admin\Desktop\21ebeed6ba59722314cde53bc78fe372898b33e6c39d131ef97b7bf0b65d1f37.xls
  Path: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Excel
  Version: 16.0.16026.20146
  Modules (images): c:\program files\microsoft office\root\office16\excel.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ole32.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\combase.dll, c:\windows\system32\gdi32.dll

PID 6056
  CMD: regsvr32 -silent ..\Drezd.red
  Path: C:\Windows\System32\regsvr32.exe
  Parent process: EXCEL.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft(C) Register Server
  Exit code: 3
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images): c:\windows\system32\regsvr32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\aclayers.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll

PID 4244
  CMD: regsvr32 -silent ..\Drezd.red1
  Path: C:\Windows\System32\regsvr32.exe
  Parent process: EXCEL.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft(C) Register Server
  Exit code: 3
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images): c:\windows\system32\regsvr32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\aclayers.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll

PID 1140
  CMD: regsvr32 -silent ..\Drezd.red2
  Path: C:\Windows\System32\regsvr32.exe
  Parent process: EXCEL.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft(C) Register Server
  Exit code: 3
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images): c:\windows\system32\regsvr32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\aclayers.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll

PID 2756
  CMD: C:\WINDOWS\splwow64.exe 8192
  Path: C:\Windows\splwow64.exe
  Parent process: EXCEL.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Print driver host for applications
  Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Modules (images): c:\windows\splwow64.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll
Total events: 10 352
Read events: 10 096
Write events: 236
Delete events: 20

Modification events

PID | Process | Operation | Key | Name | Value
3700 | EXCEL.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling | 1 | 01D014000000001000B24E9A3E02000000000000000600000000000000
3700 | EXCEL.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\3700 | 0 | 0B0E10EC182616C18FB14BB9472DDD61F85E2523004687B3E3AB8FB5D3ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511F41CD2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300
3700 | EXCEL.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | en-US | 2
3700 | EXCEL.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | de-de | 2
3700 | EXCEL.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | fr-fr | 2
3700 | EXCEL.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | es-es | 2
3700 | EXCEL.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | it-it | 2
3700 | EXCEL.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | ja-jp | 2
3700 | EXCEL.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | ko-kr | 2
3700 | EXCEL.EXE | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | pt-br | 2

The writes shown here are all under the Office telemetry-sampling, crash-persistence and editing-language keys that Excel touches on any launch; none of the 236 write events listed in this excerpt is to a Run key, service or other persistence location.
Executable files: 1
Suspicious files: 14
Text files: 2
Unknown types: 0

Dropped files

PID 3700 EXCEL.EXE | type: xml
  C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\44014C76-18FC-477E-811B-BA3AAC05161C
  MD5: 93EE312DC3CD1AD816280D97D71C7A04 | SHA256: 7984B48A04C79D0A8898046ED75B20DC3F1D6CD869C373338D78A867CA926E92
PID 3700 EXCEL.EXE | type: binary
  C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
  MD5: FA9FE3C6B2F4291AD23F08DE2B91B005 | SHA256: 05FCC8CFAADD59EC2A3B4C816F600DF9EA9F9286B1207476E3D1ECD45043957D
PID 3700 EXCEL.EXE | type: binary
  C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Excel\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S
  MD5: BB18FB9640CCA8F2749C89383D044FC6 | SHA256: BFD79623F944A800AF2F0320A95380618625ECABEEC8A0A1E22D6776D7702D2E
PID 3700 EXCEL.EXE | type: html
  C:\Users\admin\AppData\Local\Microsoft\Office\16.0\SmartLookupCache\main_ssr.html
  MD5: 2FCF1FBD292F0F851D0BAEB8C87B6DDA | SHA256: 84538A6A2B12CCA88173021EFD244500F2AB10A03D7D6FC2ADC199003BC80360
PID 3700 EXCEL.EXE | type: text
  C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  MD5: 37B743A475595477173E6A7E29C7D986 | SHA256: 060CB61D8034633A38EABA88E9812E8768E47EEE01AC3E2C4C079B1D03EE5234
PID 3700 EXCEL.EXE | type: binary
  C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\21ebeed6ba59722314cde53bc78fe372898b33e6c39d131ef97b7bf0b65d1f37.xls.LNK
  MD5: 973B06D1509B3E8249D9142DEDC60FE2 | SHA256: F2CCC700944AFA2516002EA6593CF467677B06F17C7ADB8BF02CFCD57CC7B29B
PID 3700 EXCEL.EXE | type: binary
  C:\Users\admin\AppData\Local\Temp\VBE\RefEdit.exd
  MD5: 3A7BFA7A2D82C53C7582190E3D660578 | SHA256: 16BFB00F376198144D246227223C811A2DD19CF7F80840DE5270C49A8D6B36FD
PID 3700 EXCEL.EXE | type: binary
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF140d0e.TMP
  MD5: E4A1661C2C886EBB688DEC494532431C | SHA256: B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
PID 3700 EXCEL.EXE | type: binary
  C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  MD5: DC36D469E8B20DEE6C301EE553DD134E | SHA256: B7B7612C2D3400AAAB093515B5AB0F628D359DCFF698765A88D312EBFFAD68F2
PID 3700 EXCEL.EXE | type: binary
  C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres
  MD5: 871403143B75E69BFAC372A91140C04B | SHA256: 3BFBD012664A91C5890CE54DD1857ADFD3AA5262E3578C75ED0469B8B1999B74
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 17
TCP/UDP connections: 29
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
3700 | EXCEL.EXE | GET | - | 190.14.37.241:80 | http://190.14.37.241/45639.9097501157.dat | unknown | - | - | -
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3700 | EXCEL.EXE | GET | 404 | 111.90.151.238:80 | http://111.90.151.238/45639.9097501157.dat | unknown | - | - | -
3584 | svchost.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3700 | EXCEL.EXE | GET | 404 | 84.32.188.11:80 | http://84.32.188.11/45639.9097501157.dat | unknown | - | - | -
- | - | HEAD | 200 | 23.32.100.39:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/version.json | unknown | - | - | -
- | - | GET | 200 | 23.32.100.39:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/main_ssr.html | unknown | html | 396 Kb | whitelisted
- | - | GET | 200 | 52.109.89.18:443 | https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3 | unknown | xml | 178 Kb | whitelisted
- | - | GET | 200 | 52.111.236.7:443 | https://messaging.lifecycle.office.com/getcustommessage16?app=1&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B162618EC-8FC1-4BB1-B947-2DDD61F85E25%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofaa1msspvo2xw31%22%7D | unknown | text | 542 b | whitelisted

(- = not shown in the report)
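Worked detection example, added to this page; it is not ANY.RUN's signature logic, and its sample events are constructed to mirror the report rather than taken from the sandbox's raw log. It replays the two findings above as Sysmon-style events: the process table, where EXCEL.EXE (PID 3700) spawns regsvr32.exe three times with `-silent ..\Drezd.red`, `..\Drezd.red1` and `..\Drezd.red2`, and the HTTP requests, where the same process fetches `/45639.9097501157.dat` from three bare IPs over cleartext port 80. Three rules fire: an Office parent spawning a living-off-the-land binary, regsvr32 silently loading a target that has no .dll extension and sits at a relative path, and an Office process connecting to an IP literal for which no hostname was resolved (the report's "Connects to the server without a host name" indicator). A fourth function groups the URL path by destination IP to expose the fallback-host pattern. The rule names, the LOLBin list, the field layout of `Event` and the ATT&CK mappings (T1204.002, T1218.010, T1105) are the author's choices, not something the report states. One caveat a responder should keep in mind: all three regsvr32 children exit with code 3, which regsvr32 returns when LoadLibrary of the target fails; that is consistent with the payload never arriving (two fetches returned 404, the third shows no response code), so detection has to key on the attempt, not on a DLL actually being registered.

```python
"""Detection pass over Sysmon-style process-creation (Event ID 1) and network-connection
(Event ID 3) events.  Added example for this report, not ANY.RUN's detection logic.
SAMPLE_EVENTS is constructed to mirror the process tree and HTTP requests on this page;
rule names, the bare-IP handling and the ATT&CK mappings are the author's assumptions."""
import ipaddress
import ntpath
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from urllib.parse import urlparse

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Signed Windows binaries an Office process has no business spawning (assumed list).
LOLBIN_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                   "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}
REGSVR32_SILENT = {"/s", "-s", "/silent", "-silent"}
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
Alert = namedtuple("Alert", "rule technique pid detail")  # technique = MITRE ATT&CK ID


@dataclass
class Event:
    event_id: int            # 1 = process create, 3 = network connect
    pid: int
    image: str
    parent_image: str = ""
    command_line: str = ""
    dest_ip: str = ""
    dest_hostname: str = ""  # empty when the client connected to a bare IP
    url: str = ""


def basename(path: str) -> str:
    return ntpath.basename(path.strip('"')).lower()


def split_cmdline(cmd: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, cur, in_quotes = [], "", False
    for ch in cmd + " ":          # trailing space flushes the last token
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    return tokens


def check_process(ev: Event) -> list:
    """Office parent spawning a LOLBin; regsvr32 silently loading something that is not a .dll."""
    alerts = []
    child, parent = basename(ev.image), basename(ev.parent_image)
    if parent in OFFICE_IMAGES and child in LOLBIN_CHILDREN:
        alerts.append(Alert("office_spawns_lolbin", "T1204.002", ev.pid, ev.command_line))
    if child == "regsvr32.exe":
        args = split_cmdline(ev.command_line)[1:]
        silent = any(a.lower() in REGSVR32_SILENT for a in args)
        targets = [a for a in args if not a.startswith(("/", "-"))]
        target = targets[-1] if targets else ""
        # A genuine COM server ends in .dll/.ocx and is registered by absolute path.
        odd = target and (not target.lower().endswith((".dll", ".ocx")) or target.startswith(".."))
        if silent and odd:
            alerts.append(Alert("regsvr32_silent_non_dll_target", "T1218.010", ev.pid, target))
    return alerts


def check_network(ev: Event) -> list:
    """Office process reaching an IP literal with no hostname ('Connects to the server without a host name')."""
    if basename(ev.image) not in OFFICE_IMAGES or ev.dest_hostname:
        return []
    try:
        ipaddress.ip_address(urlparse(ev.url).hostname or ev.dest_ip)
    except ValueError:
        return []
    return [Alert("office_http_to_bare_ip", "T1105", ev.pid, ev.url or ev.dest_ip)]


def fallback_download_paths(events: list) -> dict:
    """Same URL path fetched from two or more IPs by one process: a payload host list being walked."""
    seen = defaultdict(set)
    for ev in events:
        if ev.event_id == 3 and ev.url:
            seen[(ev.pid, urlparse(ev.url).path)].add(ev.dest_ip)
    return {path: sorted(ips) for (_, path), ips in seen.items() if len(ips) >= 2}


def run(events: list) -> list:
    checks = {1: check_process, 3: check_network}
    return [a for ev in events for a in checks.get(ev.event_id, lambda _: [])(ev)]


SAMPLE_EVENTS = [  # constructed from the report's process table and HTTP requests
    Event(1, 6056, r"C:\Windows\System32\regsvr32.exe", EXCEL, r"regsvr32 -silent ..\Drezd.red"),
    Event(1, 4244, r"C:\Windows\System32\regsvr32.exe", EXCEL, r"regsvr32 -silent ..\Drezd.red1"),
    Event(1, 1140, r"C:\Windows\System32\regsvr32.exe", EXCEL, r"regsvr32 -silent ..\Drezd.red2"),
    Event(1, 2756, r"C:\Windows\splwow64.exe", EXCEL, r"C:\WINDOWS\splwow64.exe 8192"),
    Event(3, 3700, EXCEL, dest_ip="190.14.37.241", url="http://190.14.37.241/45639.9097501157.dat"),
    Event(3, 3700, EXCEL, dest_ip="111.90.151.238", url="http://111.90.151.238/45639.9097501157.dat"),
    Event(3, 3700, EXCEL, dest_ip="84.32.188.11", url="http://84.32.188.11/45639.9097501157.dat"),
    Event(3, 3700, EXCEL, dest_ip="52.109.89.18", dest_hostname="officeclient.microsoft.com",
          url="https://officeclient.microsoft.com/config16/"),
]

if __name__ == "__main__":
    print(*run(SAMPLE_EVENTS), fallback_download_paths(SAMPLE_EVENTS), sep="\n")
```

Run as a script it prints nine alerts (two per regsvr32 child, one per bare-IP fetch; splwow64.exe and the officeclient.microsoft.com request stay quiet) and the fallback map for `/45639.9097501157.dat`. In production the `Event` objects would be filled from Sysmon Event IDs 1 and 3 or equivalent EDR telemetry, with `dest_hostname` taken from the DNS query (Sysmon Event ID 22) that preceded the connection, since a download from an IP literal is only meaningful when no name was ever resolved for it.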

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3584 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 92.123.104.38:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3584 | svchost.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

(- = not shown in the report)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
www.bing.com
  • 92.123.104.38
  • 92.123.104.33
  • 92.123.104.63
  • 92.123.104.59
  • 92.123.104.62
  • 92.123.104.19
whitelisted
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 69.192.161.161
whitelisted
officeclient.microsoft.com
  • 52.109.89.18
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
messaging.lifecycle.office.com
  • 52.111.236.7
whitelisted
self.events.data.microsoft.com
  • 20.42.65.88
  • 52.168.117.175
whitelisted
uci.cdn.office.net
  • 23.43.60.34
whitelisted

Threats

No threats detected
No debug info