File name:

Solicitud de cotizaciòn..xlsx

Full analysis: https://app.any.run/tasks/a7ed4b30-3199-425f-a958-787c2b10a6c1
Verdict: Malicious activity
Analysis date: December 05, 2022, 18:15:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

CD9567E232B722B34985981E32633321

SHA1:

3B1FDB9DACD8A1F20FDC0F03D2088855924452A7

SHA256:

7AE8B3795F2EFFF6E153B1290633C327A5D3ADE19F40ECC0A891579ED5587C61

SSDEEP:

24576:Cmv7PSn7ViMIY4oSX6fM1lPH/VE+njnkLQp:CmMVHfSlPHJngEp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads settings of System Certificates

      • SLUI.exe (PID: 2496)
      • slui.exe (PID: 2416)
    • Process requests binary or script from the Internet

      • EXCEL.EXE (PID: 2888)
  • INFO

    • Checks proxy server information

      • EXCEL.EXE (PID: 2888)
      • slui.exe (PID: 2416)
    • Reads the software policy settings

      • SLUI.exe (PID: 2496)
      • slui.exe (PID: 2416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)
No data.
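TRiD identifies the sample as an Office Open XML document, that is a ZIP archive laid out per the Open Packaging Conventions. That is what makes offline static triage practical before, or instead of, detonation: every part that can run code or reach out of the workbook (a vbaProject.bin, Excel 4.0 macrosheets under xl/macrosheets/, xl/externalLinks/, embedded OLE packages under xl/embeddings/, relationships with TargetMode="External", DDE-style formulas in the sheet XML, hidden or veryHidden sheets) is an ordinary ZIP member or XML element. The script below is an added example written for this page; it is not ANY.RUN's code and it does not analyse the actual sample, which is not reproduced here. It inventories those parts, recomputes MD5/SHA-1/SHA-256 so a local copy can be matched against the hashes in the report header, and runs against a minimal workbook it constructs in memory (the DDE formula, the veryHidden sheet and the external hyperlink target example.invalid in that workbook are invented for the demonstration).

```python
import hashlib
import io
import json
import re
import sys
import zipfile
from xml.etree import ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Hashes printed at the top of the report, lower-cased for comparison.
REPORT_HASHES = {
    "md5": "cd9567e232b722b34985981e32633321",
    "sha1": "3b1fdb9dacd8a1f20fdc0f03d2088855924452a7",
    "sha256": "7ae8b3795f2efff6e153b1290633c327a5d3ade19f40ecc0a891579ed5587c61",
}
# A DDE-style formula ("=cmd|'/c ...'!A0") hands the text after '|' to the named program.
DDE_RE = re.compile(r"\b(cmd|powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript|certutil)\b\s*\|", re.I)


def file_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matches_report(data: bytes) -> bool:
    """True when a local file is byte-identical to the sample this report describes."""
    return file_hashes(data) == REPORT_HASHES


def triage_ooxml(data: bytes) -> dict:
    """Inventory the ZIP members of an OOXML container that can run code or reach out."""
    out = {"is_opc": False, "vba_parts": [], "macrosheets": [], "external_link_parts": [],
           "ole_parts": [], "external_targets": [], "dde_formulas": [], "hidden_sheets": [],
           "parse_errors": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return out                             # not a ZIP at all: not OOXML, whatever the extension
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        out["is_opc"] = "[Content_Types].xml" in names
        for name in names:
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                out["vba_parts"].append(name)            # VBA project (should not exist in a .xlsx)
            elif low.startswith("xl/macrosheets/"):
                out["macrosheets"].append(name)          # Excel 4.0 (XLM) macro sheets
            elif low.startswith("xl/externallinks/"):
                out["external_link_parts"].append(name)  # links to other workbooks / remote files
            elif low.startswith("xl/embeddings/"):
                out["ole_parts"].append(name)            # embedded OLE packages
            if not (low.endswith(".xml") or low.endswith(".rels")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError as exc:
                out["parse_errors"].append((name, str(exc)))
                continue
            if low.endswith(".rels"):                    # any relationship that leaves the package
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        out["external_targets"].append((name, rel.get("Target")))
            elif low.startswith("xl/worksheets/"):      # cell formulas live in <f> elements
                for fx in root.iter(f"{{{MAIN_NS}}}f"):
                    if fx.text and DDE_RE.search(fx.text):
                        out["dde_formulas"].append((name, fx.text))
            elif low == "xl/workbook.xml":              # sheets the UI hides from the user
                for sheet in root.iter(f"{{{MAIN_NS}}}sheet"):
                    if sheet.get("state") in ("hidden", "veryHidden"):
                        out["hidden_sheets"].append((sheet.get("name"), sheet.get("state")))
    return out


def build_sample(malicious: bool) -> bytes:
    """Constructed minimal workbook for the demonstration; not the analysed file."""
    formula = "cmd|'/c calc'!A0" if malicious else "SUM(A1:A2)"
    state = ' state="veryHidden"' if malicious else ""
    parts = {
        "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"/>',
        "xl/workbook.xml": f'<workbook xmlns="{MAIN_NS}"><sheets><sheet name="Sheet1" sheetId="1"/>'
                           f'<sheet name="Sheet2" sheetId="2"{state}/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{MAIN_NS}"><sheetData><row r="1">'
                                    f'<c r="A1"><f>{formula}</f><v>0</v></c></row></sheetData></worksheet>',
    }
    if malicious:  # hyperlink relationship pointing off-box (invented target)
        parts["xl/worksheets/_rels/sheet1.xml.rels"] = (
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="http://example.invalid/update.hta" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(malicious=True)
    print(json.dumps({"hashes": file_hashes(data), "matches_report": matches_report(data),
                      "findings": triage_ooxml(data)}, indent=2))
```

Run it with a file path to triage a real container. A file whose extension says .xlsx but which carries a vbaProject.bin is mislabelled and deserves a second look, and an empty result is not a clean bill of health: it only says none of these particular vectors are present. For this report, the only HTTP requests attributed to EXCEL.EXE go to Microsoft configuration and telemetry endpoints (config.edge.skype.com, nexusrules.officeapps.live.com, self.events.data.microsoft.com); a remote document target that would explain the "requests binary or script from the Internet" tag would surface under external_targets or external_link_parts here.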
All screenshots are available in the full report
Total processes
133
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

  • start
  • excel.exe
  • sppextcomobj.exe (no specs)
  • slui.exe
  • filecoauth.exe (no specs)
  • filecoauth.exe (no specs)
  • slui.exe

Process information

PID:
2888
CMD:
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\Solicitud de cotizaciòn..xlsx"
Path:
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent process:
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
16.0.12026.20264
Modules
Images
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
PID:
6096
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\WINDOWS\system32\SppExtComObj.exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.1202 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
PID:
2496
CMD:
"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path:
C:\WINDOWS\System32\SLUI.exe
Parent process:
SppExtComObj.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID:
5604
CMD:
C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path:
C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID:
4188
CMD:
C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path:
C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID:
2416
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\WINDOWS\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
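Every image in the table reports Microsoft Corporation as its company, and each was launched either by Explorer.EXE (EXCEL.EXE) or by svchost.exe (the -Embedding switch on SppExtComObj.exe, FileCoAuth.exe and slui.exe is a COM server activation); EXCEL.EXE has no children of its own. The SppExtComObj.exe to SLUI.exe chain is Windows activation, which is also where the certificate-store and software-policy reads in the indicator list come from. What would corroborate the malicious verdict is the chain this table does not contain: an Office process spawning cmd.exe, powershell.exe, mshta.exe or another interpreter, or launching a binary from a user-writable path. The script below is an added example written for this page, not ANY.RUN's detection logic. It transcribes the six process records from the table, applies those parent/child and command-line rules (which return nothing for this report), and then runs the same rules over a constructed extension of the tree in which EXCEL.EXE launches cmd.exe with an encoded PowerShell command and an executable from Temp (PIDs 4100, 4132 and 4160, the paths and the base64 string are invented).

```python
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe",
                "schtasks.exe", "wmic.exe"}
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Desktop|Downloads|Public|ProgramData)\\", re.I)
ENCODED_PS_RE = re.compile(r"powershell.*\s-(e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{8,}", re.I)

# Transcribed from the Process information table of this report. ANY.RUN lists the parent
# by image name rather than PID, so the tree is keyed on names (same-name collisions are possible).
REPORT_PROCESSES = [
    dict(pid=2888, image=r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
         cmd=r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\Solicitud de cotizaciòn..xlsx"',
         parent="Explorer.EXE", user="admin", integrity="MEDIUM"),
    dict(pid=6096, image=r"C:\WINDOWS\system32\SppExtComObj.exe",
         cmd=r"C:\WINDOWS\system32\SppExtComObj.exe -Embedding",
         parent="svchost.exe", user="NETWORK SERVICE", integrity="SYSTEM"),
    dict(pid=2496, image=r"C:\WINDOWS\System32\SLUI.exe",
         cmd=r'"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent',
         parent="SppExtComObj.exe", user="NETWORK SERVICE", integrity="SYSTEM"),
    dict(pid=5604, image=r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe",
         cmd=r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding",
         parent="svchost.exe", user="admin", integrity="MEDIUM"),
    dict(pid=4188, image=r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe",
         cmd=r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding",
         parent="svchost.exe", user="admin", integrity="MEDIUM"),
    dict(pid=2416, image=r"C:\WINDOWS\System32\slui.exe",
         cmd=r"C:\WINDOWS\System32\slui.exe -Embedding",
         parent="svchost.exe", user="admin", integrity="MEDIUM"),
]

# Invented for the demonstration: what a document-to-interpreter chain would look like in this table.
CONSTRUCTED_CHAIN = REPORT_PROCESSES + [
    dict(pid=4100, image=r"C:\Windows\System32\cmd.exe",
         cmd=r"cmd.exe /c powershell -nop -w hidden -enc ZQBjAGgAbwA=",   # base64 of "echo" (UTF-16LE)
         parent="EXCEL.EXE", user="admin", integrity="MEDIUM"),
    dict(pid=4132, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         cmd=r"powershell -nop -w hidden -enc ZQBjAGgAbwA=",
         parent="cmd.exe", user="admin", integrity="MEDIUM"),
    dict(pid=4160, image=r"C:\Users\admin\AppData\Local\Temp\update.exe",
         cmd=r"C:\Users\admin\AppData\Local\Temp\update.exe",
         parent="EXCEL.EXE", user="admin", integrity="MEDIUM"),
]


def basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def children_of(procs, parent_name: str) -> list:
    """PIDs whose recorded parent image name matches parent_name."""
    return [p["pid"] for p in procs if p["parent"].lower() == parent_name.lower()]


def analyse(procs) -> list:
    """Return (severity, pid, reason) tuples; an Office parent is the pivot for every lineage rule."""
    alerts = []
    for p in procs:
        pid, child, parent, cmd = p["pid"], basename(p["image"]), p["parent"].lower(), p["cmd"]
        if parent in OFFICE:
            if child in INTERPRETERS:
                alerts.append(("high", pid, f"{parent} spawned interpreter {child}"))
            elif USER_WRITABLE_RE.search(p["image"]):
                alerts.append(("high", pid, f"{parent} spawned {child} from a user-writable path"))
            else:
                alerts.append(("medium", pid, f"{parent} spawned {child}"))
        if ENCODED_PS_RE.search(cmd):
            alerts.append(("high", pid, "encoded PowerShell command line"))
        if re.search(r"https?://", cmd, re.I):
            alerts.append(("medium", pid, "URL in command line"))
    return alerts


if __name__ == "__main__":
    for label, procs in (("report", REPORT_PROCESSES), ("constructed", CONSTRUCTED_CHAIN)):
        print(label, "->", analyse(procs) or "no alerts")
```

The report set yields no alerts and shows svchost.exe as the only multi-child parent, which is what a benign Office session looks like in this view. When parent PIDs are available (Sysmon Event ID 1 carries ParentProcessId), key the tree on PIDs instead of names so that a renamed or duplicated image name cannot hide a lineage.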
Total events
11 448
Read events
11 240
Write events
173
Delete events
35

Modification events

(PID) Process: (2888) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 1
Value: 01D014000000001000284FFA2E01000000000000000500000000000000

(PID) Process: (2888) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\2888
Operation: write
Name: 0
Value: 0B0E10F15CBAE7E3A3A742B5382BB4252A395A23004695ED88DEDA9AC2EC016A0410240044FA5D64A89E01008500A907556E6B6E6F776E00

(PID) Process: (2888) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write (eight events, one per value name)
Name: en-US, de-de, fr-fr, es-es, it-it, ja-jp, ko-kr, pt-br
Value: 2
Executable files
0
Suspicious files
9
Text files
3
Unknown types
2

Dropped files

PID 2888, EXCEL.EXE, type: lnk
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Solicitud de cotizaciòn..xlsx.LNK
MD5: F0B77DDCF9B3DEC544184F523AA95240
SHA256: E7B1BF3B2E75B0EC19E4C9B0B4EE80D8084B7CDADC3065AE771F61DD93D64323

PID 2888, EXCEL.EXE, type: ini
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
MD5: A2CB95355DE5394796E2AF7C5CC7ECF4
SHA256: F8F5E9FDF4CB865161E6BB8864E67B6E73C5EB050880FC51783658C268AB496B

PID 2888, EXCEL.EXE, type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F9OGI6VYLGWI11T5LI8T.temp
MD5: E4A1661C2C886EBB688DEC494532431C
SHA256: B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5

PID 2888, EXCEL.EXE, type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228

PID 2888, EXCEL.EXE, type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4VA93XNAVBMIOECWAWBI.temp
MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228

PID 2888, EXCEL.EXE, type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF10908a.TMP
MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228

PID 2888, EXCEL.EXE, type: text
Filename: C:\Users\admin\AppData\Local\Temp\.ses
MD5: B53D0E2ABEB41FB3657AE78D88AABF8D
SHA256: C6C82E5E7DD9BC7871D6E5B0F188438250FB61A537252DD0C4769123F47F5A78

PID 5604, FileCoAuth.exe, type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2022-12-05.1818.5604.1.aodl
MD5: 923BF0E545D9C37CA8874C8D6C4A30E6
SHA256: AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65

PID 2888, EXCEL.EXE, type: xml
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
MD5: 161DCED72C37510F353DEA6B6B729BAF
SHA256: CE76CA48160AAB291FBA97540C917F828ED0B6381DBA2F8F62E9F1E88FCD52B1

PID 5604, FileCoAuth.exe, type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2022-12-05.1818.5604.1.odl
MD5: C0005BFDE850EEEBCA7958CF20B24E36
SHA256: AD973165C34D551FB3618D0EE34DC6B32A876D1E45324ECA20CF8B54568EE9D7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
71
TCP/UDP connections
88
DNS requests
50
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1700
sihclient.exe
GET
304
40.125.122.176:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL
US
whitelisted
1700
sihclient.exe
GET
200
40.125.122.176:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL
US
compressed
23.9 Kb
whitelisted
1012
svchost.exe
POST
200
40.126.32.134:443
https://login.live.com/RST2.srf
US
xml
1.25 Kb
whitelisted
1700
sihclient.exe
GET
200
2.19.126.87:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
DE
der
824 b
whitelisted
1700
sihclient.exe
GET
200
2.19.126.97:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
der
1.11 Kb
whitelisted
2888
EXCEL.EXE
GET
200
13.107.42.16:443
https://config.edge.skype.com/config/v2/Office/excel/16.0.12026.20264/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.12026.20264&MsoVersion=16.0.12026.20194&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7bE7BA5CF1-A3E3-42A7-B538-2BB4252A395A%7d&LabMachine=false
US
text
170 Kb
whitelisted
2888
EXCEL.EXE
GET
200
52.109.13.62:443
https://nexusrules.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.12026.20264&ClientId=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&OSEnvironment=10&MsoAppId=1&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12026.20264&
US
xml
202 Kb
whitelisted
2888
EXCEL.EXE
POST
200
13.69.239.72:443
https://self.events.data.microsoft.com/OneCollector/1.0/
IE
binary
10 b
whitelisted
2888
EXCEL.EXE
POST
200
13.69.239.72:443
https://self.events.data.microsoft.com/OneCollector/1.0/
IE
binary
9 b
whitelisted
2888
EXCEL.EXE
POST
200
13.69.239.72:443
https://self.events.data.microsoft.com/OneCollector/1.0/
IE
binary
84 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2724
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1012
svchost.exe
40.126.32.134:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
suspicious
2888
EXCEL.EXE
52.109.88.191:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1700
sihclient.exe
40.125.122.176:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
suspicious
2.19.126.87:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1700
sihclient.exe
2.19.126.87:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
2888
EXCEL.EXE
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1700
sihclient.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
suspicious
1700
sihclient.exe
2.19.126.97:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
2888
EXCEL.EXE
52.109.13.62:443
nexusrules.officeapps.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
suspicious

DNS requests

Domain
IP
Reputation
officeclient.microsoft.com
  • 52.109.88.191
whitelisted
slscr.update.microsoft.com
  • 40.125.122.176
  • 52.152.110.14
whitelisted
crl.microsoft.com
  • 2.19.126.87
  • 2.19.126.97
  • 23.216.77.6
  • 23.216.77.28
  • 95.101.54.122
  • 95.101.54.128
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 72.246.169.155
  • 23.3.109.244
  • 2.18.233.62
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
nexusrules.officeapps.live.com
  • 52.109.13.62
whitelisted
self.events.data.microsoft.com
  • 13.69.239.72
  • 20.189.173.11
whitelisted
client.wns.windows.com
  • 40.113.110.67
  • 40.113.103.199
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.77.2.164
  • 2603:1020:2:3::67
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 4.231.128.59
  • 20.73.194.208
whitelisted

Threats

PID
Process
Class
Message
3620
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
3620
svchost.exe
Misc activity
ET INFO Windows OS Submitting USB Metadata to Microsoft
3620
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
3620
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
3620
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
3620
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
3620
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
3620
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
3620
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
3620
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
No debug info