File name: | Solicitud de cotizaciòn..xlsx |
Full analysis: | https://app.any.run/tasks/a7ed4b30-3199-425f-a958-787c2b10a6c1 |
Verdict: | Malicious activity |
Analysis date: | December 05, 2022, 18:15:51 |
OS: | Windows 10 Professional (build: 19044, 64 bit) |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info: | Microsoft Excel 2007+ |
MD5: | CD9567E232B722B34985981E32633321 |
SHA1: | 3B1FDB9DACD8A1F20FDC0F03D2088855924452A7 |
SHA256: | 7AE8B3795F2EFFF6E153B1290633C327A5D3ADE19F40ECC0A891579ED5587C61 |
SSDEEP: | 24576:Cmv7PSn7ViMIY4oSX6fM1lPH/VE+njnkLQp:CmMVHfSlPHJngEp |
.xlsx | | | Excel Microsoft Office Open XML Format document (61.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (31.5) |
.zip | | | ZIP compressed archive (7.2) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2888 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\Solicitud de cotizaciòn..xlsx" | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 16.0.12026.20264 Modules
| |||||||||||||||
6096 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\WINDOWS\system32\SppExtComObj.exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Exit code: 0 Version: 10.0.19041.1202 (WinBuild.160101.0800) Modules
| |||||||||||||||
2496 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\WINDOWS\System32\SLUI.exe | SppExtComObj.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
5604 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneDriveFile Co-Authoring Executable Exit code: 0 Version: 19.043.0304.0013 Modules
| |||||||||||||||
4188 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneDriveFile Co-Authoring Executable Exit code: 0 Version: 19.043.0304.0013 Modules
| |||||||||||||||
2416 | C:\WINDOWS\System32\slui.exe -Embedding | C:\WINDOWS\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2888 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Solicitud de cotizaciòn..xlsx.LNK | lnk | |
MD5:F0B77DDCF9B3DEC544184F523AA95240 | SHA256:E7B1BF3B2E75B0EC19E4C9B0B4EE80D8084B7CDADC3065AE771F61DD93D64323 | |||
2888 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:A2CB95355DE5394796E2AF7C5CC7ECF4 | SHA256:F8F5E9FDF4CB865161E6BB8864E67B6E73C5EB050880FC51783658C268AB496B | |||
2888 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\.ses | text | |
MD5:B53D0E2ABEB41FB3657AE78D88AABF8D | SHA256:C6C82E5E7DD9BC7871D6E5B0F188438250FB61A537252DD0C4769123F47F5A78 | |||
4188 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2022-12-05.1818.4188.1.odl | binary | |
MD5:90BCB1099FD0E24AB8C78F51F1BE926A | SHA256:7B437457486B486A5E4BD4BFAEC352E5418A132DD20FFFBE03109879C25AF4C1 | |||
5604 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2022-12-05.1818.5604.1.odl | binary | |
MD5:C0005BFDE850EEEBCA7958CF20B24E36 | SHA256:AD973165C34D551FB3618D0EE34DC6B32A876D1E45324ECA20CF8B54568EE9D7 | |||
2888 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4VA93XNAVBMIOECWAWBI.temp | binary | |
MD5:4FCB2A3EE025E4A10D21E1B154873FE2 | SHA256:90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228 | |||
2888 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF10908a.TMP | binary | |
MD5:4FCB2A3EE025E4A10D21E1B154873FE2 | SHA256:90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228 | |||
4188 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2022-12-05.1818.4188.1.aodl | binary | |
MD5:923BF0E545D9C37CA8874C8D6C4A30E6 | SHA256:AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65 | |||
2888 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F9OGI6VYLGWI11T5LI8T.temp | binary | |
MD5:E4A1661C2C886EBB688DEC494532431C | SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5 | |||
5604 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2022-12-05.1818.5604.1.aodl | binary | |
MD5:923BF0E545D9C37CA8874C8D6C4A30E6 | SHA256:AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2888 | EXCEL.EXE | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v2/Office/excel/16.0.12026.20264/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.12026.20264&MsoVersion=16.0.12026.20194&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7bE7BA5CF1-A3E3-42A7-B538-2BB4252A395A%7d&LabMachine=false | US | text | 170 Kb | whitelisted |
1700 | sihclient.exe | GET | 304 | 40.125.122.176:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | US | — | — | whitelisted |
2916 | svchost.exe | GET | — | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | US | — | — | whitelisted |
1700 | sihclient.exe | GET | — | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | NL | — | — | whitelisted |
1700 | sihclient.exe | GET | 200 | 2.19.126.97:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | der | 1.11 Kb | whitelisted |
1700 | sihclient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | US | der | 555 b | whitelisted |
1012 | svchost.exe | POST | 200 | 40.126.32.134:443 | https://login.live.com/RST2.srf | US | xml | 1.25 Kb | whitelisted |
1700 | sihclient.exe | GET | — | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | NL | — | — | whitelisted |
1012 | svchost.exe | POST | 200 | 40.126.32.134:443 | https://login.live.com/RST2.srf | US | xml | 1.25 Kb | whitelisted |
2916 | svchost.exe | GET | — | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2724 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 2.19.126.87:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
1012 | svchost.exe | 40.126.32.134:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1700 | sihclient.exe | 40.125.122.176:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious |
2888 | EXCEL.EXE | 52.109.88.191:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2888 | EXCEL.EXE | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1700 | sihclient.exe | 2.19.126.97:80 | crl.microsoft.com | Akamai International B.V. | DE | suspicious |
1700 | sihclient.exe | 2.19.126.87:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
2888 | EXCEL.EXE | 52.109.13.62:443 | nexusrules.officeapps.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious |
1700 | sihclient.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
officeclient.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3620 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
3620 | svchost.exe | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft |
3620 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
3620 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
3620 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
3620 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
3620 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
3620 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
3620 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
3620 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |