| File name: | RFQ# 10083059.xlsx |
| Full analysis: | https://app.any.run/tasks/8d63d880-78c4-422f-96eb-50e86bda9ada |
| Verdict: | Malicious activity |
| Analysis date: | May 08, 2019, 04:02:47 |
| OS: | Windows 10 Professional (build: 16299, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/encrypted |
| File info: | CDFV2 Encrypted |
| MD5: | 131A7DAE1AF14DB294F9C69F2586CF21 |
| SHA1: | B7309D7EFE79DD3DE0AFBC120251263622AF56ED |
| SHA256: | 3C87E88D7663311B9A56102509AFFE9E1C858DDBF09130A27D5B1CCB0236AD69 |
| SSDEEP: | 384:jVD/Uzp9F6kdItwTW8dzmpVB6/ez51a3uzYTcbZjljyNhFoJSovD4VvQKd7v:R/UzRdItSW8BOB6/ezOecTC58Fms |
MALICIOUS
Scans artifacts that could help determine the target
- EXCEL.EXE (PID: 156)
- EXCEL.EXE (PID: 2684)
- EXCEL.EXE (PID: 5524)
- EXCEL.EXE (PID: 1712)
- EXCEL.EXE (PID: 4516)
SUSPICIOUS
Reads Environment values
- EXCEL.EXE (PID: 156)
- EXCEL.EXE (PID: 5524)
- EXCEL.EXE (PID: 2684)
- EXCEL.EXE (PID: 1712)
- EXCEL.EXE (PID: 4516)
Reads the machine GUID from the registry
- SearchUI.exe (PID: 3052)
Checks supported languages
- ShellExperienceHost.exe (PID: 3560)
- SearchUI.exe (PID: 3052)
Creates COM task schedule object
- EXCEL.EXE (PID: 1712)
INFO
Creates files in the user directory
- EXCEL.EXE (PID: 156)
- EXCEL.EXE (PID: 2684)
- EXCEL.EXE (PID: 5524)
- EXCEL.EXE (PID: 4516)
Reads the machine GUID from the registry
- EXCEL.EXE (PID: 2684)
- EXCEL.EXE (PID: 1712)
- EXCEL.EXE (PID: 5524)
- EXCEL.EXE (PID: 156)
- EXCEL.EXE (PID: 4516)
Reads Microsoft Office registry keys
- EXCEL.EXE (PID: 2684)
- EXCEL.EXE (PID: 4516)
- EXCEL.EXE (PID: 5524)
- EXCEL.EXE (PID: 156)
- EXCEL.EXE (PID: 1712)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
115
Monitored processes
12
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 156 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\RFQ# 10083059.xlsx" | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 16.0.11328.20158 Modules
| |||||||||||||||
| 1288 | C:\Windows\System32\SystemSettingsBroker.exe -Embedding | C:\Windows\System32\SystemSettingsBroker.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: System Settings Broker Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1544 | C:\WINDOWS\system32\DllHost.exe /Processid:{72A7994A-3092-4054-B6BE-08FF81AEEFFC} | C:\WINDOWS\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1712 | "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Excel Exit code: 0 Version: 16.0.11328.20158 Modules
| |||||||||||||||
| 2396 | C:\WINDOWS\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251} | C:\WINDOWS\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2684 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\RFQ# 10083059.xlsx" | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 16.0.11328.20158 Modules
| |||||||||||||||
| 3052 | "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Search and Cortana application Exit code: 0 Version: 10.0.16299.251 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3560 | "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca | C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Shell Experience Host Exit code: 0 Version: 10.0.16299.334 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4472 | C:\WINDOWS\System32\mobsync.exe -Embedding | C:\WINDOWS\System32\mobsync.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Sync Center Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4516 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\RFQ# 10083059.xlsx" | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 16.0.11328.20158 Modules
| |||||||||||||||
Total events
6 778
Read events
5 976
Write events
688
Delete events
114
Modification events
| (PID) Process: | (5524) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling |
| Operation: | write | Name: | 1 |
Value: 01D014000000001000BE4E402C03000000000000000300000000000000 | |||
| (PID) Process: | (5524) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | en-US |
Value: 2 | |||
| (PID) Process: | (5524) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | en-US |
Value: 1 | |||
| (PID) Process: | (5524) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems |
| Operation: | write | Name: | <.' |
Value: 3C2E27009415000001000000000000000DB31DF05205D50100000000 | |||
| (PID) Process: | (5524) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems |
| Operation: | write | Name: | =.' |
Value: 3D2E27009415000000000440010000009C1520F05205D501D20600006A20208819C9C3449D867A2597CC5ECD0DB31DF05205D5010000000000001000BE4E402C0000000006000000410044000200000000000000000000000000556E6B6E6F776E00000000000000000000000000000000000000000000000000000000000000000000000000000000000DF0ADDE0DF0ADDE0DF0ADDE0DF0ADDE440045004600410055004C00540000000000E1D60502000002000000FF7F00000000000000000000000000000000000048F3731973000000200000000000000030000000000000002BAB043BFF7F0000000000000000000030000000000000008013DCD60502000000000000000000000000DCD60502000070B0F6D8050200001000000000000000200000000000000040000000000000002BAB043BFF7F00004000000000000000C00CDCD6050200001C00000000000000400000000000000030B0F6D8050200000000000000000000C015DCD60502000000000000FF7F00000000DCD6050200009073F3D805020000400000000000000030000000000000000000E1D605020000D289025BFF7F00004000000000000000C00CDCD6050200003800000000000000700000000000000000F2731973000000000000000000000000000000000000002C0000000000000000000000000000000700000000000000700000000000000060000000000000000000E1D605020000D289025BFF7F00004000000000000000000000007300000060000000000000000000000073000000C015DCD60502000000000000000000000000DCD6050200009073F3D80502000030000000000000002BAB043BFF7F000030000000000000007668025BFF7F000010F2731973000000C00CDCD605020000280000000000000070000000000000003000000000000000440045004600410055004C0054000000020100000000000000000000000000000700000000000000700000000000000060000000000000000000E1D605020000D289025BFF7F000040000000000000000000000005020000600000000000000000000000000000000000E1D6050200009CBB025BFF7F0000F006000000000000020000000000000000000000000000009D29F53AFF7F00004000000000000000C00CDCD60502000000000000050200000000000000000000000000000000000001000000000000000000000000000000502DF5D8050200001000000000000000A8000000170100000000000000000000402DF5D805020000402DF5D805020000FF030000FF7F000080000000000000004005000000000000B900000000000000B900000000000000B900000000000000CFA2043BFF7F000060000000000000000000000000000000000000000000000000000000000000002864FFFF6D0000000000000091FFFFFF3000000000000000ACB0E1D6050200005001E1D605020000280100000000000009F47319730000000000000000000000B8B0E1D605020000B9000000000000007085F3D805020000FEFFFFFFFFFFFFFF6073F3D80502000000B7E7D6050200002C000000000000001081F3D8050200002C00000000000000F00600000000000038820B3BFF7F00007668025BFF7F0000B9000000000000001C00000000000000440045004600410055004C005400000009F473197300000002000002FF7F00000400000000000000D0F373197300000030B0F6D8050200009701089EFF7F00000400000000000000479C08D3FF7F000008F4731973000000020000027300000038820B3BFF7F0000E0F473197300000000000000000000007668025BFF7F0000D03FF5D8050200009701089E73000000D036ECD605020000149E043BFF7F000048F5731973000000E0F373197300000068E40B3BFF7F000040E40B3BFF7F000000000000000000000000000000000000020100000000000000000000000000006F00000000000000F0060000000000000000E1D605020000AB8E025BFF7F00000000E1D6050200000200000000000000E006000000000000F0060000000000008806E1D60502000008F4731973000000E0B9F5D80502000003000000FF7F0000FEFFFFFFFFFFFFFF0000000000000000D8F473197300000046F4F23AFF7F000020BAF5D805020000E658AC39FF7F00000000000000000000C0ABCFD8050200008013DCD605020000E658AC39FF7F00000100000000000000F0EE0F37FF7F0000020100000000000000000000000000000800000000000000C3482E39FF7F0000C02DF5D805020000E006000000000000B0F87319730000000000000000000000502DF5D805020000CB4B2E39FF7F0000602DF5D805020000B0F8731973000000DA5797172105D501000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075006D00 | |||
| (PID) Process: | (5524) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (5524) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (5524) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (5524) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (5524) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} |
| Operation: | delete key | Name: | |
Value: | |||
Executable files
0
Suspicious files
2
Text files
21
Unknown types
12
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5524 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFF59EDBF29F70C236.TMP | — | |
MD5:— | SHA256:— | |||
| 5524 | EXCEL.EXE | C:\Users\admin\Desktop\~$RFQ# 10083059.xlsx | — | |
MD5:— | SHA256:— | |||
| 5524 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7DDC3C22.jpeg | — | |
MD5:— | SHA256:— | |||
| 156 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFE3C0AAF28677564F.TMP | — | |
MD5:— | SHA256:— | |||
| 156 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\84536CED.jpeg | — | |
MD5:— | SHA256:— | |||
| 156 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal | — | |
MD5:— | SHA256:— | |||
| 2684 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF6D12D4E05B2FA826.TMP | — | |
MD5:— | SHA256:— | |||
| 2684 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\89D99178.jpeg | — | |
MD5:— | SHA256:— | |||
| 2684 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm | — | |
MD5:— | SHA256:— | |||
| 2684 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
9
DNS requests
7
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1712 | EXCEL.EXE | 52.114.132.73:443 | self.events.data.microsoft.com | Microsoft Corporation | US | unknown |
4516 | EXCEL.EXE | 52.114.75.79:443 | self.events.data.microsoft.com | Microsoft Corporation | NL | suspicious |
5524 | EXCEL.EXE | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
2684 | EXCEL.EXE | 52.114.77.34:443 | self.events.data.microsoft.com | Microsoft Corporation | IE | unknown |
5524 | EXCEL.EXE | 52.114.128.43:443 | self.events.data.microsoft.com | Microsoft Corporation | US | unknown |
156 | EXCEL.EXE | 52.114.128.43:443 | self.events.data.microsoft.com | Microsoft Corporation | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
config.edge.skype.com |
| malicious |
self.events.data.microsoft.com |
| whitelisted |
Threats
Process | Message |
|---|---|
EXCEL.EXE | 2019-05-08 04:03:51.529 T#5920 <E> [AriaSDK.PAL] PAL is already shutdown!
|
EXCEL.EXE | 2019-05-08 04:04:01.357 T#252 <E> [AriaSDK.PAL] PAL is already shutdown!
|
EXCEL.EXE | 2019-05-08 04:06:15.857 T#2352 <E> [AriaSDK.PAL] PAL is already shutdown!
|
EXCEL.EXE | 2019-05-08 04:09:29.138 T#5088 <E> [AriaSDK.PAL] PAL is already shutdown!
|
EXCEL.EXE | 2019-05-08 04:09:57.857 T#4068 <E> [AriaSDK.PAL] PAL is already shutdown!
|