Field | Value |
---|---|
File name | Non confirmé 38985.crdownload |
Full analysis | https://app.any.run/tasks/d1077825-9834-4834-a9b3-73cbf9369348 |
Verdict | Malicious activity |
Analysis date | September 30, 2020, 08:07:44 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info | Microsoft Excel 2007+ |
MD5 | 1D38C53B6A342D860201088E4BAA7076 |
SHA1 | B528DAD6A44989AEE0D3F65EBAA6FDE5410C1BE9 |
SHA256 | 5FB89556A960D00B2C7F6258A6357BD12F815F0FCAEF7C1C8CDEC44184F84216 |
SSDEEP | 768:FkxTZ+ur078gErplTgzToclrU/xjG3VR936T:FkxTZ80T0zMchsxClR9i |

Extension | File type | Match score |
---|---|---|
.xlsm | Excel Microsoft Office Open XML Format document (with Macro) | 29.2 |
.xlsx | Excel Microsoft Office Open XML Format document | 17.3 |
.zip | Open Packaging Conventions container | 8.9 |
.zip | ZIP compressed archive | 2 |

Document property | Value |
---|---|
AppVersion | 16.03 |
HyperlinksChanged | No |
SharedDoc | No |
LinksUpToDate | No |
Company | - |
TitlesOfParts | Billing and Payments |
HeadingPairs | |
ScaleCrop | No |
DocSecurity | None |
ModifyDate | 2020:09:23 09:27:30Z |
CreateDate | 2020:09:23 09:24:27Z |
LastModifiedBy | - |
Creator | - |

ZIP entry field | Value |
---|---|
ZipFileName | [Content_Types].xml |
ZipUncompressedSize | 1867 |
ZipCompressedSize | 482 |
ZipCRC | 0x02a77f1b |
ZipModifyDate | 1980:01:01 00:00:00 |
ZipCompression | Deflated |
ZipBitFlag | 0x0006 |
ZipRequiredVersion | 20 |

PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2520 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
3944 | "C:\Windows\System32\regsvr32.exe" -s C:\bQRmAmpj\YsnVxs\xVmDcR. | C:\Windows\System32\regsvr32.exe | — | EXCEL.EXE |

PID | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|
2520 | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | | 14.0.6024.1000 |
3944 | admin | Microsoft Corporation | MEDIUM | Microsoft(C) Register Server | 3 | 6.1.7600.16385 (win7_rtm.090713-1255) |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2520 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR7B74.tmp.cvr | — | — | — |
2520 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Cab996D.tmp | — | — | — |
2520 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Tar996E.tmp | — | — | — |
2520 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5C44E889.png | — | — | — |
2520 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~$Non confirmé 38985.crdownload.xlsm | — | — | — |
2520 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 | binary | 9484393B4DEBFAEC8A0A04FCD333C17D | 2142DB02BEEFBE80600A47701045C46DDED349588513A1556913BD6DA76FD51A |
2520 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 | der | 30142B9712DB3BF56074DDC675C257FD | E097553550D5FC623C5EF334D0ED27BD29BEFEDD25927556D934364E56A22A69 |
2520 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Excel8.0\MSForms.exd | tlb | 12A6F7D80462FDCF222A713B896D81C9 | EF33B64922B30A5962867232071B6269C6E1D8CA9D7F79CA7A8217FA5B39B9BD |
2520 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\17F5B0A8.emf | emf | 16DAADF5B0930F219F0BBC84E8AA2EBE | 289F5A4AF0055AB9ABBE8CF110FE4E3827407560145DBA39AA21028B266662A2 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2520 | EXCEL.EXE | GET | 200 | 72.247.178.16:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | NL | der | 1.37 Kb | whitelisted |
1052 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
1052 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEA7yTSbUNi7CXXtef0luXqk%3D | US | der | 279 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2520 | EXCEL.EXE | 173.236.158.155:443 | contactlessflights.com | New Dream Network, LLC | US | unknown |
2520 | EXCEL.EXE | 72.247.178.16:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | NL | whitelisted |
Domain | IP | Reputation |
---|---|---|
contactlessflights.com | — | malicious |
isrg.trustid.ocsp.identrust.com | — | whitelisted |
ocsp.digicert.com | — | whitelisted |