Field | Value
---|---
File name | invoice.xls
Full analysis | https://app.any.run/tasks/ebeffdbc-4190-4b2b-bfbc-dd7dc549a174
Verdict | Malicious activity
Analysis date | November 30, 2020, 01:10:56
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/vnd.ms-excel
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: jjsV, Last Saved By: Administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Nov 27 13:35:21 2020, Last Saved Time/Date: Fri Nov 27 13:35:22 2020, Security: 0
MD5 | 222988B7A4A6E84B3AAB4DEE83F8D99D
SHA1 | DDB10FD5AFB16BDC8DECCA695E545520DEF2B755
SHA256 | 4D0D330F1E2B24C3A404CC3C585AEB417D96E9749FA72A85FB615E79408DDF6F
SSDEEP | 768:dPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJVHKN5xE7lgGSWNrmpZSvv:Vok3hbdlylKsgqopeJBWhZFGkE+cL2NS
Property | Value
---|---
.xls | Microsoft Excel sheet (78.9)
HeadingPairs | 
TitleOfParts | 
HyperlinksChanged | No
SharedDoc | No
LinksUpToDate | No
ScaleCrop | No
AppVersion | 16
Company | -
CodePage | Windows Latin 1 (Western European)
Security | None
ModifyDate | 2020:11:27 13:35:22
CreateDate | 2020:11:27 13:35:21
Software | Microsoft Excel
LastModifiedBy | Administrator
Author | jjsV
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2524 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | | explorer.exe
2988 | "C:\Windows\system32\rundll32.exe" C:\Users\Public\Documents\SNGF7o.txt,DllRegisterServer | C:\Windows\system32\rundll32.exe | — | EXCEL.EXE

PID | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---
2524 | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | — | 14.0.6024.1000
2988 | admin | Microsoft Corporation | MEDIUM | Windows host process (Rundll32) | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2524 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD23F.tmp.cvr | — | — | —
2524 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CabECAE.tmp | — | — | —
2524 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\TarECAF.tmp | — | — | —
2524 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF4952A31087BF248A.TMP | — | — | —
2524 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\FDYD3KQD.txt | text | 8CACDA08BD9B87CE6B943B70A2EBD131 | 4ADC6AF1FA98C2D8B913570213D5709216B9D5DAFB0D992127CD242C94505F4A
2524 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\UMM4GU8W.htm | html | BA3AFDA4A4DF5B80C0F3E49E2DAD71B3 | 4118EB3C1361BBE53EECBB2C1304975EA9AA7E5B60B3A6A434FE662BC61009C7
2524 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 | binary | 1777DFC339AFA2855D609EF082C26740 | 273039E480756BFA73D63415CE7CFBFE907D40A71829F09B41D1D232FEA58635
2524 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_00822B812F3071D0A5AB02FB7D4F1DF9 | binary | 1A4E2A66D70244F73F6FA52902C688B9 | 4D213C38CD9051F064653710A46B4F844F32D7043D376D3366A81CB96CF2F5F4
2524 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 | der | D9A7C71F2455317845563B02C39B84C8 | C5B24A2E28E55081E315826ED0127557077434F24D5C3EFF803C45AA4EF1B827
2524 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_00822B812F3071D0A5AB02FB7D4F1DF9 | der | B3D3F7C1B582B91C5D622859BBC87728 | 653765AF61C4CEE631D122323AEF2348F12E58EF3066F797F98E15B636FFA36A
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2524 | EXCEL.EXE | GET | 200 | 2.16.186.11:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted |
2524 | EXCEL.EXE | GET | 200 | 172.217.21.195:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQD76E8xQFZstgIAAAAAgFWS | US | der | 472 b | whitelisted |
2524 | EXCEL.EXE | GET | 200 | 172.217.21.195:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDliVAU%2F6ZWzwIAAAAAgFX%2B | US | der | 472 b | whitelisted |
2524 | EXCEL.EXE | GET | 200 | 172.217.21.195:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2524 | EXCEL.EXE | 172.217.23.100:443 | www.google.com | Google Inc. | US | whitelisted |
2524 | EXCEL.EXE | 172.217.21.195:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
2524 | EXCEL.EXE | 2.16.186.11:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | — | whitelisted |
2524 | EXCEL.EXE | 172.217.12.142:443 | google.com | Google Inc. | US | whitelisted |
2524 | EXCEL.EXE | 70.32.23.26:443 | corlatina.edu.co | A2 Hosting, Inc. | US | malicious |
Domain | IP | Reputation
---|---|---
corlatina.edu.co | | unknown
isrg.trustid.ocsp.identrust.com | | whitelisted
google.com | | whitelisted
ocsp.pki.goog | | whitelisted
www.google.com | | whitelisted