| Property | Value |
|---|---|
| File name | notif144.xls |
| Full analysis | https://app.any.run/tasks/631fea80-81c4-40fd-9a78-9ee1faad054e |
| Verdict | Malicious activity |
| Analysis date | November 30, 2020, 02:41:44 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.ms-excel |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: IIN, Last Saved By: Administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Nov 27 10:29:15 2020, Last Saved Time/Date: Fri Nov 27 10:29:16 2020, Security: 0 |
| MD5 | 6618DF3D647E0D9191AC1DE4D5B44AFE |
| SHA1 | BE8E64C7281068FD20948FC6F1575F33073106CC |
| SHA256 | 54DFD7C37002E776AAEC020611C1C81A2283D40852DF7A2C110B361E4D186AC7 |
| SSDEEP | 768:gPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJ4KRuwSyeIhhRC1QEN:sok3hbdlylKsgqopeJBWhZFGkE+cL2NF |
| Extension | File type (match %) |
|---|---|
| .xls | Microsoft Excel sheet (78.9) |
| Metadata field | Value |
|---|---|
| Author | IIN |
| LastModifiedBy | Administrator |
| Software | Microsoft Excel |
| CreateDate | 2020:11:27 10:29:15 |
| ModifyDate | 2020:11:27 10:29:16 |
| Security | None |
| CodePage | Windows Latin 1 (Western European) |
| Company | - |
| AppVersion | 16 |
| ScaleCrop | No |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| TitleOfParts | |
| HeadingPairs | |
| PID | CMD | Path | Indicators | Parent process | Process details |
|---|---|---|---|---|---|
| 2308 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
| 3300 | "C:\Windows\system32\rundll32.exe" C:\Users\Public\Documents\ndggM.txt,DllRegisterServer | C:\Windows\system32\rundll32.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2308 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR777A.tmp.cvr | — | — | — |
| 2308 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CabAE4A.tmp | — | — | — |
| 2308 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\TarAE4B.tmp | — | — | — |
| 2308 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\L9B4NOHT.txt | — | — | — |
| 2308 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFF0AF838107213B26.TMP | — | — | — |
| 2308 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F | der | E336FE8293FFFF9B50152E897DAB2E1D | E124A75D7ACC4941D129DFE38C77F7F73F7603622095423A30BCFD87153C5558 |
| 2308 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_DA1C5B5BE91A874E22473EBE4563D7DB | binary | 4BDAA26FF2A3316BEE5A8C0533740F38 | 8CB77AFCB83D7F29BBEADCF16B85459CF0254D5EB9D8154C6C10075A3EDDB752 |
| 2308 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\7U2OY3MV.txt | text | F3D980AC869C620200B44C6435A01974 | E29A3A4BFA349716DDCF7E22F283C88DF910BA7A571EB1279930FAA15B7FBF16 |
| 2308 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_DA1C5B5BE91A874E22473EBE4563D7DB | der | FD2C8B6F5E0479053D4AE950C30325F0 | 69E68C512EA4269FAAC960A6139FA4250764F46186FB2E5639ABCE2F97A03804 |
| 2308 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_00822B812F3071D0A5AB02FB7D4F1DF9 | binary | 188BD23B0E8BB2A5CD83B167AF368A88 | 9CE30F413652464DA479774C648D5FF558FC460275D8DF99929149D7AF96FF9A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2308 | EXCEL.EXE | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.30 Kb | whitelisted |
2308 | EXCEL.EXE | GET | 200 | 172.217.18.3:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDliVAU%2F6ZWzwIAAAAAgFX%2B | US | der | 472 b | whitelisted |
2308 | EXCEL.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAcex4mrpL%2FoZUo5uhzD27g%3D | US | der | 278 b | whitelisted |
2308 | EXCEL.EXE | GET | 200 | 172.217.18.3:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2308 | EXCEL.EXE | 172.217.21.196:443 | www.google.com | Google Inc. | US | whitelisted |
2308 | EXCEL.EXE | 172.67.222.45:443 | advertlyasia.com | — | US | unknown |
2308 | EXCEL.EXE | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2308 | EXCEL.EXE | 172.217.18.3:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| advertlyasia.com | | unknown |
| ocsp.digicert.com | | whitelisted |
| crl3.digicert.com | | whitelisted |
| www.google.com | | whitelisted |
| ocsp.pki.goog | | whitelisted |