File name: 2628ad9be62db33bcc2dd982d80a7ec4ff840349a658795e13ef9611b784eefe

Full analysis: https://app.any.run/tasks/9a2e2630-3072-4b97-9a5c-8c0e66d6e8a4
Verdict: Malicious activity
Analysis date: November 29, 2024, 21:51:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
macros
macros-on-open
arch-exec
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Adler, Last Saved By: Adler, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 19 06:27:34 2019, Last Saved Time/Date: Thu Dec 19 06:52:24 2019, Security: 0
MD5: FA6A95DF0AF45FF6601696678AF711B6
SHA1: C87653F543D7C9386B92732E02EE64DEAC0E0100
SHA256: 2628AD9BE62DB33BCC2DD982D80A7EC4FF840349A658795E13EF9611B784EEFE
SSDEEP: 1536:mgSWB3d4VeP4BaEQK5zG0NXpbkHd+kMUGsQzRQXUIQ9m6F+e50ReRjOiFjKKBzaU:H8VeP4BF5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 6436)
    • Unusual execution from MS Office

      • EXCEL.EXE (PID: 6436)
  • SUSPICIOUS

    • Creates a Folder object (SCRIPT)

      • EXCEL.EXE (PID: 6436)
    • Connects to unusual port

      • rlbwrarhsa.exe (PID: 7136)
      • rlbwrarhsa.exe (PID: 7048)
    • Runs shell command (SCRIPT)

      • EXCEL.EXE (PID: 6436)
  • INFO

    • The process uses the downloaded file

      • EXCEL.EXE (PID: 6436)
    • Reads mouse settings

      • EXCEL.EXE (PID: 6436)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • EXCEL.EXE (PID: 6436)
    • Reads the computer name

      • rlbwrarhsa.exe (PID: 7048)
      • rlbwrarhsa.exe (PID: 7136)
    • Creates files in the program directory

      • EXCEL.EXE (PID: 6436)
    • Manual execution by a user

      • rlbwrarhsa.exe (PID: 7136)
    • Checks supported languages

      • rlbwrarhsa.exe (PID: 7048)
      • rlbwrarhsa.exe (PID: 7136)
    • Reads Environment values

      • rlbwrarhsa.exe (PID: 7048)
      • rlbwrarhsa.exe (PID: 7136)
    • Reads the machine GUID from the registry

      • rlbwrarhsa.exe (PID: 7048)
      • rlbwrarhsa.exe (PID: 7136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

Author: Adler
LastModifiedBy: Adler
Software: Microsoft Excel
CreateDate: 2019:12:19 06:27:34
ModifyDate: 2019:12:19 06:52:24
Security: None
CodePage: Windows Latin 1 (Western European)
AppVersion: 14
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HeadingPairs:
  • Worksheets
  • 3
CompObjUserTypeLen: 31
CompObjUserType: Microsoft Excel 2003 Worksheet
No data.
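The static metadata above (Composite Document File V2, CompObjUserType "Microsoft Excel 2003 Worksheet", tags macros and macros-on-open) says the sample is a legacy OLE2 container that carries a VBA project. The following is an added example, not part of the ANY.RUN report and not the analysed file: a minimal Compound File Binary directory walker that lists a container's storages and streams and flags the storage names under which Excel (.xls) and Word (.doc) keep their VBA project, which is the first triage step before extracting the (MS-OVBA compressed) module streams themselves. Header and directory-entry offsets follow the MS-CFB specification; the sample container it parses is constructed inline (header, FAT and directory entries only, no stream data), and its entry names, sizes and the VBA_STORAGES list are assumptions for the demonstration.

```python
import struct

# Constants from the MS-CFB specification (Compound File Binary, a.k.a. OLE2).
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
TYPE_STORAGE, TYPE_STREAM, TYPE_ROOT = 1, 2, 5
# Storage names under which Excel (.xls) and Word (.doc) keep a VBA project (assumed triage list).
VBA_STORAGES = {"_VBA_PROJECT_CUR", "Macros", "VBA"}


def list_cfb_entries(data):
    """Walk the directory tree and return [(path, object_type, size)] for everything below the root."""
    if data[:8] != MAGIC:
        raise ValueError("not a Compound File Binary container")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)          # first 109 FAT sector numbers live in the header
    fat = []
    for s in difat[:num_fat]:
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (s + 1) * sector_size))
    # Read every 128-byte directory entry along the directory chain (sector n sits at (n+1)*size).
    entries, s, seen = [], first_dir, set()
    while s < len(fat) and s not in seen:                   # ENDOFCHAIN/FREESECT fall outside the FAT
        seen.add(s)
        base = (s + 1) * sector_size
        for i in range(sector_size // 128):
            e = data[base + i * 128: base + (i + 1) * 128]
            name_len = struct.unpack_from("<H", e, 64)[0]   # bytes, including the UTF-16 terminator
            name = e[:max(name_len - 2, 0)].decode("utf-16-le")
            left, right, child = struct.unpack_from("<III", e, 68)
            size = struct.unpack_from("<I", e, 120)[0]
            entries.append((name, e[66], left, right, child, size))
        s = fat[s]
    out = []

    def walk(idx, prefix):                                  # in-order traversal of the sibling tree
        if idx == NOSTREAM or idx >= len(entries):
            return
        name, otype, left, right, child, size = entries[idx]
        walk(left, prefix)
        out.append((prefix + name, otype, size))
        walk(child, prefix + name + "/")
        walk(right, prefix)

    walk(entries[0][4], "")                                 # entries[0] is the Root Entry; start at its child
    return out


def has_vba_project(entries):
    """Triage verdict: True when any storage carries one of the VBA project names."""
    return any(p.rsplit("/", 1)[-1] in VBA_STORAGES and t == TYPE_STORAGE for p, t, _ in entries)


def _dir_entry(name, otype, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM, size=0):
    """Build one 128-byte directory entry (constructed data for the sample container)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBB", e, 64, len(raw), otype, 1)     # name length, object type, colour (1 = black)
    struct.pack_into("<III", e, 68, left, right, child)
    struct.pack_into("<II", e, 116, ENDOFCHAIN, size)       # start sector, stream size
    return bytes(e)


def build_sample_container():
    """Constructed stand-in for a macro-bearing .xls: header, one FAT sector, two directory sectors."""
    hdr = bytearray(512)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)  # minor/major version, byte order, sector shifts
    struct.pack_into("<II", hdr, 44, 1, 1)                      # one FAT sector; directory chain starts at sector 1
    struct.pack_into("<I", hdr, 56, 4096)                       # mini-stream cutoff
    struct.pack_into("<II", hdr, 60, ENDOFCHAIN, 0)             # no mini FAT
    struct.pack_into("<II", hdr, 68, ENDOFCHAIN, 0)             # no DIFAT sectors beyond the header
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)    # the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, 2, ENDOFCHAIN, *[FREESECT] * 125)  # sectors 1 -> 2 hold the directory
    directory = b"".join([
        _dir_entry("Root Entry", TYPE_ROOT, child=1),
        _dir_entry("Workbook", TYPE_STREAM, right=2, size=12288),
        _dir_entry("_VBA_PROJECT_CUR", TYPE_STORAGE, child=3),
        _dir_entry("VBA", TYPE_STORAGE, child=4),
        _dir_entry("Module1", TYPE_STREAM, size=2048),
    ])
    return bytes(hdr) + fat + directory.ljust(1024, b"\x00")


if __name__ == "__main__":
    found = list_cfb_entries(build_sample_container())
    for path, otype, size in found:
        print("%-8s %6d  %s" % ("storage" if otype == TYPE_STORAGE else "stream", size, path))
    print("VBA project present:", has_vba_project(found))
```

Run against a real file, `list_cfb_entries(open(path, "rb").read())` gives the same listing; a hit under `_VBA_PROJECT_CUR/VBA/` is the point at which to hand the container to a VBA extractor, and a `Module1`-style stream with an `Auto_Open`/`Workbook_Open` procedure is what the report's macros-on-open tag refers to.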
All screenshots are available in the full report
Total processes: 125
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → excel.exe (PID 6436) → rlbwrarhsa.exe (PID 7048)
start → rlbwrarhsa.exe (PID 7136)

Process information

PID: 6436
CMD: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" C:\Users\admin\Desktop\2628ad9be62db33bcc2dd982d80a7ec4ff840349a658795e13ef9611b784eefe.xls
Path: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
PID: 7048
CMD: C:\ProgramData\Tdlawis\rlbwrarhsa.exe
Path: C:\ProgramData\Tdlawis\rlbwrarhsa.exe
Parent process: EXCEL.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
rlbwrarhsa
Version:
1.0.0.0
Modules
Images
c:\programdata\tdlawis\rlbwrarhsa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 7136
CMD: "C:\Users\admin\Desktop\rlbwrarhsa.exe"
Path: C:\Users\admin\Desktop\rlbwrarhsa.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
rlbwrarhsa
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\rlbwrarhsa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 12 451
Read events: 12 197
Write events: 230
Delete events: 24

Modification events

(PID) Process: (6436) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common
Operation: write
Name: SessionId
Value: 6C7973CC839C05488143F9C7877D0482

(PID) Process: (6436) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 1
Value: 01D014000000001000B24E9A3E02000000000000000600000000000000

(PID) Process: (6436) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\6436
Operation: write
Name: 0
Value: 0B0E1042B766CE7E1DF44D8F276D92FB1B9AC6230046B0E89ECA8DD5D0ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C50E8908C91003783634C511A432D2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300

(PID) Process: (6436) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel
Operation: write
Name: FontInfoCache
Value:
6000000060000000F5FFFFFF0000000000000000000000009001000000000000000000205400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000001B000000000000000D0000000B000000020000000200000000000000330000000000000000000000F5FFFFFF0000000000000000000000009001000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000001C000000000000000D0000000B000000020000000200000000000000330000000000000000000000F5FFFFFF000000000000000000000000BC02000000000000000000205400610068006F006D006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000600000020000000000000000D0000000B000000020000000200000000000000330000000000000000000000F3FFFFFF0000000000000000000000009001000000000000000000005400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000002000000000000000100000000D000000030000000300000000000000330000000000000000000000F3FFFFFF000000000000000000000000E803000000000000000000005400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000070000002600000000000000100000000D000000030000000300000000000000330000000000000000000000F1FFFFFF000000000000000000000000900100000000000000000000430061006C0069006200720069000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000001A00000000000000120000000E000000040000000300000000000000330000000000000000000000F3FFFFFF0000000000000000000000009001000000000000000000005300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000070000002100000000000000110000000E000000030000000400000000000000330000000000000000000000F3FFFFFF000000000000000000000000BC02000000000000000000005300650067006F0065002000
55004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000002100000000000000110000000E000000030000000400000000000000330000000000000000000000F3FFFFFF0000000000000000000000009001000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000070000002100000000000000110000000E000000030000000400000000000000330000000000000000000000F3FFFFFF000000000000000000000000BC02000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000002100000000000000110000000E000000030000000400000000000000330000000000000000000000F5FFFFFF0000000000000000000000009001000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000001C000000000000000D0000000B000000020000000200000000000000330000000000000000000000F1FFFFFF000000000000000000000000900100000000000000000000430061006C0069006200720069000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000001A00000000000000120000000E000000040000000300000000000000330000000000000000000000F5FFFFFF0000000000000000000000009001000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000001C000000000000000D0000000B000000020000000200000000000000330000000000000000000000F5FFFFFF0000000000000000000000009001000000000000000000205400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000001B000000000000000D0000000B000000020000000200000000000000330000000000000000000000F5FFFFFF000000000000000000000000BC02000000000000000000205300650067006F0065002000550049000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000060000001C000000000000000D0000000B000000020000000200000000000000330000000000000000000000F1FFFFFF000000000000000000000000900100000000000000000000430061006C0069006200720069000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000001A00000000000000120000000E000000040000000300000000000000330000000000000000000000F3FFFFFF000000000000000000000000BC02000000000000000000005300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000002100000000000000110000000E000000030000000400000000000000330000000000000000000000
(PID) Process: (6436) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\13886E
Operation: write
Name: 13886E
Value:
(PID) Process: (6436) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel
Operation: write
Name: ExcelWorkbookOpenedCount
Value: 1

(PID) Process: (6436) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\13886E
Operation: delete value
Name: 13886E
Value:

(PID) Process: (6436) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\13886E
Operation: delete key
Name: (default)
Value:

(PID) Process: (6436) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery
Operation: delete key
Name: (default)
Value:

(PID) Process: (6436) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
Operation: delete value
Name: m0,
Value: ね,ᤤ
Executable files: 2
Suspicious files: 16
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6436 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\2628ad9be62db33bcc2dd982d80a7ec4ff840349a658795e13ef9611b784eefe.xls.LNK | binary
  MD5: FD5993AC4A5B18B38C05D8911A9A9865
  SHA256: D1D0FC4741A8D2CD1B832B419050902214F57B390EAA45138E63E449A5239CA8
6436 | EXCEL.EXE | C:\ProgramData\Tdlawis\rlbwrarhsa.exe | executable
  MD5: 8A1F4A512FE9EDBCC62BA4B1C3E08F0A
  SHA256: ECD7D7A27A2A043919A233BB91E3B009C05B7C81FF132A7C29228E1C45D2B6A6
6436 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms | binary
  MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
  SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
6436 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF13c372.TMP | binary
  MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
  SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
6436 | EXCEL.EXE | C:\Users\admin\Documents\VB989C.tmp | text
  MD5: 967A03C2EEF50D0CC8F1A40116D0E06E
  SHA256: 0CF947D47AEBA73DB43096C6A6E6E778C67E9BCE22927275B136C8D50EC33CB5
6436 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\54998BDB-BE63-42E0-AD9A-7278060C3C02 | xml
  MD5: 6B5C3B2F9C787EBD20A617F7842EBFED
  SHA256: E8D01B569CB0516DE65A7436D127656503B439D6E83C470607000BA813741CD5
6436 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LRH8FI3Y083F2DCWKAAY.temp | binary
  MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
  SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
6436 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | binary
  MD5: 0B9BE5BFF9DA3354BB1652D50C60E647
  SHA256: 779F9ACC1C46EB88FC9C50FA94E4B2B1BA147C0506DAA3C06E0A5080FE1C79AE
6436 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Wef\CustomFunctions\v1.7\hostproperties.json | binary
  MD5: 7A29F1E157244591277E3C25F29A8029
  SHA256: 05EEBA4D6CA7148DCD0A6317A45241A49A4C8D88D628B27D8B19889EF6E70771
6436 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Excel\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S | binary
  MD5: 81910F147F27E2BE5F4C345D9095F2A0
  SHA256: CB6B85453CE24B2CD821BDD18CE6E1934E193499B3135071C11BC762264F416F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 30
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | HEAD | 200 | 23.38.80.37:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/version.json | unknown | - | - | unknown
- | - | GET | 200 | 52.109.32.97:443 | https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3 | unknown | xml | 177 Kb | whitelisted
- | - | GET | 200 | 23.38.80.37:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/version.json | unknown | binary | 79 b | whitelisted
- | - | POST | 200 | 13.89.179.13:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | whitelisted
- | - | POST | 200 | 20.42.73.24:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 85 b | whitelisted
- | - | OPTIONS | 400 | 23.38.80.37:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/ | unknown | xml | 297 b | whitelisted
- | - | GET | 200 | 23.38.80.37:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/dictionary_words_bloom_filter.data | unknown | binary | 117 Kb | whitelisted
- | - | GET | 200 | 52.111.231.8:443 | https://messaging.lifecycle.office.com/getcustommessage16?app=1&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BCE66B742-1D7E-4DF4-8F27-6D92FB1B9AC6%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofaa1msspvo2xw31%22%7D | unknown | text | 542 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
524 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.23.209.182:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
524 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.23.209.182
  • 2.23.209.133
  • 2.23.209.187
  • 2.23.209.130
  • 2.23.209.149
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
officeclient.microsoft.com
  • 52.109.32.97
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
messaging.lifecycle.office.com
  • 52.111.231.8
whitelisted
self.events.data.microsoft.com
  • 13.89.179.13
  • 20.42.65.93
whitelisted
uci.cdn.office.net
  • 23.38.80.37
whitelisted

Threats

No threats detected
No debug info