File name: | Payslip2.xlsx |
Full analysis: | https://app.any.run/tasks/fd693026-5f72-4162-a847-05b46278ab4c |
Verdict: | Malicious activity |
Analysis date: | January 23, 2019, 08:54:41 |
OS: | Windows 10 Professional (build: 16299, 64 bit) |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info: | Microsoft Excel 2007+ |
MD5: | DB3539E70754686200DCD5D462F43439 |
SHA1: | 60A7EBD3C3E0C1395005D0C1E1C4D84E9FAA886C |
SHA256: | 6FFE642E17FBF6D81837A98FE1A43C0549F9FBE3D8D14819874ABF63710473ED |
SSDEEP: | 96:FmzZ0lRLYi2mzE69pKr5JxGO1PND4JU1L1/l28kJQ408TViCE2:FC0lRLYi2mY692xGO9ND4e1Lhl2lJQ4N |
.xlsx | | | Excel Microsoft Office Open XML Format document (61.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (31.5) |
.zip | | | ZIP compressed archive (7.2) |
Creator: | openpyxl |
---|
LastModifiedBy: | Пользователь Microsoft Office |
---|---|
ModifyDate: | 2019:01:22 17:51:49Z |
CreateDate: | 2015:06:05 18:19:34Z |
AppVersion: | 2.5 |
Application: | Microsoft Excel |
ZipFileName: | _rels/.rels |
---|---|
ZipUncompressedSize: | 531 |
ZipCompressedSize: | 192 |
ZipCRC: | 0x03cf231f |
ZipModifyDate: | 2019:01:22 21:07:25 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2644 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\Payslip2.xlsx" | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 16.0.6741.2048 | ||||
1868 | CMD.EXE /c REM.&&@p^o^w^e^r^s^h^e^l^l^|^|c:/*/*2/?al?.?x?" | C:\WINDOWS\SYSTEM32\CMD.EXE | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
5548 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | CMD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2644 | EXCEL.EXE | C:\Users\admin\Desktop\~$Payslip2.xlsx | — | |
MD5:— | SHA256:— | |||
2644 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4 | der | |
MD5:CCED2F374436C6F7942F3D303561B177 | SHA256:D19154C8EE3E18C98C2F3E1C38ADB03513C7BCA42D34A04D469283CF7302CE12 | |||
2644 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:9C08FEC36A4D52E03B8AE2CCCB23AD4B | SHA256:2D0DE006D6C4C651E057F53D9F2E6447C847AECF9C8D3A004051A259A4DF3FB3 | |||
2644 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\{85DB8E1E-3344-44A5-A3A4-051BFA11AB08} (0) - 2644 - excel.exe - OTele.dat | pgc | |
MD5:87D374A66312FC8FFBDDC70AC92CB131 | SHA256:A6A09A06D57D3874C9E569138C338344FB4353A6B4369562E0FB19984072A104 | |||
2644 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Payslip2.xlsx.LNK | lnk | |
MD5:82003972C1CF61A8D003B4A907B6FF0B | SHA256:E49E1E599C2D1BDE6C46910339D692252D44815F80EE6A3AE70AA35F9A8341F4 | |||
2644 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4 | binary | |
MD5:7DCB65F8409B85FF258CB99324806417 | SHA256:B15A32A7BE8A2059B52DEB75AF1369263931831669B145C23F87D8670F0CBF34 | |||
2644 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml | xml | |
MD5:8124E024C16F02A46FAB3B156031A5B6 | SHA256:13709C86B463C91550A32CD89AC30DD68016DFF379017181DC06337511AD18BB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2644 | EXCEL.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D | US | der | 471 b | whitelisted |
2328 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?ec1013f96dba2e9b | US | — | — | whitelisted |
2328 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 471 b | whitelisted |
2328 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 471 b | whitelisted |
2328 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D | US | der | 471 b | whitelisted |
2328 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?16f570c0217bf5f6 | US | — | — | whitelisted |
2328 | svchost.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?986b7c10856ac7b0 | US | compressed | 55.2 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2644 | EXCEL.EXE | 13.107.5.88:443 | ocos-office365-s2s.msedge.net | Microsoft Corporation | US | whitelisted |
2644 | EXCEL.EXE | 52.109.88.40:443 | nexus.officeapps.live.com | Microsoft Corporation | NL | whitelisted |
2644 | EXCEL.EXE | 52.109.8.19:443 | nexusrules.officeapps.live.com | Microsoft Corporation | US | whitelisted |
2644 | EXCEL.EXE | 52.109.32.23:443 | roaming.officeapps.live.com | Microsoft Corporation | GB | whitelisted |
2644 | EXCEL.EXE | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2644 | EXCEL.EXE | 52.109.76.5:443 | odc.officeapps.live.com | Microsoft Corporation | IE | whitelisted |
2328 | svchost.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2328 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
— | — | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
ocos-office365-s2s.msedge.net |
| whitelisted |
roaming.officeapps.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
odc.officeapps.live.com |
| whitelisted |
nexus.officeapps.live.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |