| Field | Value |
|---|---|
| File name | invoice.xls |
| Full analysis | https://app.any.run/tasks/c2b2b87a-dbe6-43c0-9de3-b30c172e58b6 |
| Verdict | Malicious activity |
| Analysis date | November 30, 2020, 04:09:05 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/vnd.ms-excel |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: jjsV, Last Saved By: Administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Nov 27 13:35:21 2020, Last Saved Time/Date: Fri Nov 27 13:35:22 2020, Security: 0 |
| MD5 | 222988B7A4A6E84B3AAB4DEE83F8D99D |
| SHA1 | DDB10FD5AFB16BDC8DECCA695E545520DEF2B755 |
| SHA256 | 4D0D330F1E2B24C3A404CC3C585AEB417D96E9749FA72A85FB615E79408DDF6F |
| SSDEEP | 768:dPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJVHKN5xE7lgGSWNrmpZSvv:Vok3hbdlylKsgqopeJBWhZFGkE+cL2NS |
| Extension | Identified file type (match %) |
|---|---|
| .xls | Microsoft Excel sheet (78.9) |
| Property | Value |
|---|---|
| Author | jjsV |
| LastModifiedBy | Administrator |
| Software | Microsoft Excel |
| CreateDate | 2020:11:27 13:35:21 |
| ModifyDate | 2020:11:27 13:35:22 |
| Security | None |
| CodePage | Windows Latin 1 (Western European) |
| Company | — |
| AppVersion | 16 |
| ScaleCrop | No |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| TitleOfParts | — |
| HeadingPairs | — |
| PID | Command line | Path | Indicators | Parent process | User | Integrity level | Description (company) | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|
| 2584 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | admin | MEDIUM | Microsoft Excel (Microsoft Corporation) | 14.0.6024.1000 | — |
| 1840 | "C:\Windows\system32\rundll32.exe" C:\Users\Public\Documents\SNGF7o.txt,DllRegisterServer | C:\Windows\system32\rundll32.exe | — | EXCEL.EXE | admin | MEDIUM | Windows host process (Rundll32) (Microsoft Corporation) | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
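The process tree is the one part of this report that deserves a detection rule: EXCEL.EXE (started with `/dde`) spawns rundll32.exe, which loads `C:\Users\Public\Documents\SNGF7o.txt` as a DLL and calls its `DllRegisterServer` export. The `.txt` name is cosmetic; rundll32 hands the path to LoadLibrary, which only requires a loadable PE, so the extension check has to be done by the analyst or the detection, not by Windows. The Python below is an added triage example, not part of the ANY.RUN report and not ANY.RUN code. It parses rundll32 command lines and scores process-creation events on four signals visible in this tree: an Office parent, a non-library extension on the module, a user-writable module directory, and a `DllRegisterServer` entry point. The event records are constructed in a minimal Sysmon-like shape; the first two command lines are copied from the process table above, the third is a constructed benign control, and the Office-image and user-writable-path lists are assumptions chosen for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events in a minimal Sysmon/EDR-like shape. The first two
# command lines mirror the process tree in the sandbox report; the third is a
# constructed benign control (explorer launching a real system DLL).
SAMPLE_EVENTS = [
    {"pid": 2584,
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 1840,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" C:\Users\Public\Documents\SNGF7o.txt,DllRegisterServer',
     "parent_image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"pid": 3001,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL',
     "parent_image": r"C:\Windows\explorer.exe"},
]

# Assumed lists for this example; extend them for a production rule.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Extensions a legitimately installed rundll32 target normally carries.
LIBRARY_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
# Lower-cased substrings that mark user-writable locations.
USER_WRITABLE_MARKERS = (r"c:\users\public", r"\appdata", r"c:\programdata", r"\temp", r"\downloads")

_RUNDLL32_RE = re.compile(r'^\s*(?:"[^"]*?rundll32\.exe"|\S*?rundll32\.exe)\s+(.+)$', re.IGNORECASE)


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (module_path, entry_point).

    Handles the two common spellings, `module,Entry` and `"module with spaces",Entry`.
    Returns None when the line is not a rundll32 invocation with an argument.
    """
    m = _RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end == -1:
            return None
        module, tail = rest[1:end], rest[end + 1:]
    else:
        token = rest.split(None, 1)[0]
        module, _, tail = token.partition(",")
    tail = tail.lstrip(", ")
    entry = tail.split()[0] if tail else ""
    return module, entry


def assess_rundll32_event(event):
    """Return the reasons a process-creation event looks like rundll32 proxy execution.

    An empty list means nothing about the event stood out.
    """
    if PureWindowsPath(event["image"]).name.lower() != "rundll32.exe":
        return []
    parsed = parse_rundll32(event["cmdline"])
    if parsed is None:
        return ["rundll32 launched without a parseable module argument"]
    module, entry = parsed
    reasons = []
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    if parent in OFFICE_IMAGES:
        reasons.append(f"parent is an Office application ({parent})")
    ext = PureWindowsPath(module).suffix.lower()
    if ext not in LIBRARY_EXTENSIONS:
        # rundll32 passes the path to LoadLibrary, which only cares that the
        # file is a loadable PE; a .txt name is purely cosmetic.
        reasons.append(f"module has non-library extension '{ext or '(none)'}'")
    if any(marker in module.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("module is loaded from a user-writable directory")
    if entry.lower() == "dllregisterserver":
        reasons.append("entry point is DllRegisterServer, i.e. self-registration driven through rundll32")
    return reasons


def scan(events):
    """Map PID -> reasons for every event that produced at least one reason."""
    findings = {}
    for event in events:
        reasons = assess_rundll32_event(event)
        if reasons:
            findings[event["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(f"PID {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the three sample events, only PID 1840 is reported, with all four reasons; the explorer-launched shell32.dll control produces none. Any single reason is weak on its own (plenty of installers call `DllRegisterServer` through rundll32), so treat the Office-parent and non-library-extension signals as the ones that justify pulling the dropped file, and the others as corroboration. The network tables below add little to this: the ocsp.pki.goog, crl.identrust.com and isrg.trustid.ocsp.identrust.com fetches are certificate revocation checks (the IdenTrust pair is what validating a Let's Encrypt chain cross-signed by DST Root CA X3 looks like, which fits the HTTPS connection to corlatina.edu.co), and the report's own reputation labels for those CA hosts disagree between the connections table and the domains table. corlatina.edu.co:443 is the only connection that is neither CA infrastructure nor Google; because it is HTTPS, the report lists the connection but no request to it.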
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR3458.tmp.cvr | — | — | — |
| 2584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Cab6A0F.tmp | — | — | — |
| 2584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Tar6A10.tmp | — | — | — |
| 2584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF0C746C630C62C010.TMP | — | — | — |
| 2584 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_7C1C45A209E1552633930171FD75B297 | der | 8CF610751B51A57A50DB5B565777EF3C | D467D24E754EAC9D11BE07C431E0CB25C8AB42F4108DEEF251E1FEB0946C4B75 |
| 2584 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4 | binary | C2F010D45B6BFECCAEAA2A0118DF0197 | 618B166CABA332F3CE6453026E68B08CDC7D5688437058E1383749B697AAACA3 |
| 2584 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | binary | F22FF2B5750F5171965B896A4FC89A58 | C3EC09CAAB06BD263A6712BA621FB769B0CA6CB1B661CEFD3A12D1DF8FB1DA71 |
| 2584 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_7C1C45A209E1552633930171FD75B297 | binary | 661E59247721952E0FE866F0571A9B08 | F9B69C69CAD3AE38CDE2CF72E76D9B52ABF159D4445ACF8FD57159E56A330654 |
| 2584 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\RIO5ZQGM.txt | text | EB5577C25761E2960EF96FB4EED863AF | 2AC0A3780E078518889CB319B093EBADBA4588B95CFDB2F637649AA53EACA3C5 |
| 2584 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_00822B812F3071D0A5AB02FB7D4F1DF9 | binary | 98B6175CEC6F72C7FDE0488F0E931CBB | BDDEAD898ADC6398DDE560E9FF3DEA0E8CAFA42D895CFAE897DEE03F21813BF9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2584 | EXCEL.EXE | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQD76E8xQFZstgIAAAAAgFWS | US | der | 472 b | whitelisted |
2584 | EXCEL.EXE | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDliVAU%2F6ZWzwIAAAAAgFX%2B | US | der | 472 b | whitelisted |
2584 | EXCEL.EXE | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
2584 | EXCEL.EXE | GET | 200 | 192.35.177.64:80 | http://crl.identrust.com/DSTROOTCAX3CRL.crl | US | der | 1.16 Kb | whitelisted |
2584 | EXCEL.EXE | GET | 200 | 23.55.163.61:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | US | der | 1.37 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2584 | EXCEL.EXE | 23.55.163.71:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | US | suspicious |
2584 | EXCEL.EXE | 70.32.23.26:443 | corlatina.edu.co | A2 Hosting, Inc. | US | malicious |
2584 | EXCEL.EXE | 192.35.177.64:80 | crl.identrust.com | IdenTrust | US | malicious |
2584 | EXCEL.EXE | 172.217.12.142:443 | google.com | Google Inc. | US | whitelisted |
2584 | EXCEL.EXE | 172.217.18.99:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
2584 | EXCEL.EXE | 23.55.163.61:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | US | unknown |
2584 | EXCEL.EXE | 172.217.22.36:443 | www.google.com | Google Inc. | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| corlatina.edu.co | — | unknown |
| isrg.trustid.ocsp.identrust.com | — | whitelisted |
| crl.identrust.com | — | whitelisted |
| google.com | — | whitelisted |
| ocsp.pki.goog | — | whitelisted |
| www.google.com | — | whitelisted |