| Field | Value |
|---|---|
| File name | PAGO_USD_SWIFT.xls |
| Full analysis | https://app.any.run/tasks/75c5aed1-bbb7-4062-8340-6d3cb28483ab |
| Verdict | Malicious activity |
| Analysis date | September 11, 2019, 08:52:33 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| MIME | application/vnd.ms-excel |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Windows User, Last Saved By: Windows User, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Sep 11 02:21:15 2019, Last Saved Time/Date: Wed Sep 11 02:27:30 2019, Security: 0 |
| MD5 | ADB79F7585A51EC4C818043BA58ADB15 |
| SHA1 | 1C6E542012379F22F90E85AC55BE4AE06DA7AD67 |
| SHA256 | 8341F827B489995B89F7337050F430DFBB9367E7DE7DBA10877B594361785D22 |
| SSDEEP | 3072:w0xEtjPOtioVjDGUU1qfDlaGGx+cL2QnAw6iw7NDJd9EpL+fDPQXrOkq9Z7:HxEtjPOtioVjDGUU1qfDlavx+W2QnAw1 |
| Extension | Identified type (match score) |
|---|---|
| .xls | Microsoft Excel sheet (48) |
| .xls | Microsoft Excel sheet (alternate) (39.2) |
| Metadata field | Value |
|---|---|
| CompObjUserType | Microsoft Excel 2003 Worksheet |
| CompObjUserTypeLen | 31 |
| HeadingPairs | |
| TitleOfParts | |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 14 |
| CodePage | Windows Latin 1 (Western European) |
| Security | None |
| ModifyDate | 2019:09:11 01:27:30 |
| CreateDate | 2019:09:11 01:21:15 |
| Software | Microsoft Excel |
| LastModifiedBy | Windows User |
| Author | Windows User |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3556 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | | explorer.exe |

Process details for PID 3556:

| User | Company | Integrity Level | Description | Version |
|---|---|---|---|---|
| admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 14.0.6024.1000 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3556 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR9B0C.tmp.cvr | — | — | — |
| 3556 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\PAGO_USD_SWIFT.xls.LNK | lnk | E571F47BAE8D9827BF8D2BCD7AEC44C0 | 57820A582F59055A6C869229A68DB151C1F28BB1185C05DC97DF934F3FBF7A8B |
| 3556 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 62D0330A0577B661F6742F81F1D03E5C | AAD98691594C66B0621B84DD94388EE8E9EA20EDDF154F3980EB7C9436F0092E |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3556 | EXCEL.EXE | GET | — | 179.61.13.84:80 | http://rca-auditores.cl/Golkim/kuugkgyr.exe | CL | — | — | suspicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3556 | EXCEL.EXE | 179.61.13.84:80 | rca-auditores.cl | HIVELOCITY VENTURES CORP | CL | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| rca-auditores.cl | | suspicious |
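The behaviour worth detecting in this report is not the `/dde` switch (that is the ordinary shell-association open command explorer.exe uses for .xls files) but the fact that the Excel process itself, PID 3556, issued an HTTP GET for an `.exe` from rca-auditores.cl (179.61.13.84). No HTTP response code, size or downloaded file is recorded and no child process appears, so the second stage does not seem to have run in this session. The following is an added example, not part of the ANY.RUN report, that correlates Sysmon-style process-creation and network-connection records to flag exactly that pattern. The event records are constructed to mirror the report's observations (they are not log lines from the page), and the `url` field assumes a web-proxy log has been joined to the connection event.

```python
"""Added example, not part of the ANY.RUN report.

Correlates Sysmon-style process-creation (Event ID 1) and network-connection
(Event ID 3) records so that an Office process which reaches out for an
executable over HTTP, as EXCEL.EXE (PID 3556) does in the report above, is
flagged. The records below are constructed to mirror the report; they are not
log lines from the page, and the `url` field assumes a web-proxy log has been
joined to the Sysmon connection event.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Office binaries whose outbound connections deserve a second look.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Payload-like extensions: a document fetching one of these is the high-severity case.
PAYLOAD_SUFFIXES = (".exe", ".dll", ".scr", ".hta", ".vbs", ".js", ".ps1")


@dataclass
class Event:
    event_id: int              # 1 = process create, 3 = network connection (Sysmon numbering)
    pid: int
    image: str
    parent_image: str = ""
    command_line: str = ""
    dest_ip: str = ""
    dest_port: int = 0
    url: str = ""              # present only when a proxy log supplies it


# Constructed sample records mirroring the report (PID, path, IP and URL are the
# report's values; the Word event is a benign control that must not fire).
SAMPLE_EVENTS: List[Event] = [
    Event(1, 3556, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'),
    Event(3, 3556, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
          dest_ip="179.61.13.84", dest_port=80,
          url="http://rca-auditores.cl/Golkim/kuugkgyr.exe"),
    Event(1, 4100, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\notes.docx"'),
]


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office(image: str) -> bool:
    return basename(image) in OFFICE_IMAGES


def fetches_payload(url: str) -> bool:
    """True when the URL path ends in an executable-type extension."""
    return urlparse(url).path.lower().endswith(PAYLOAD_SUFFIXES)


def correlate(events: Iterable[Event]) -> List[Dict[str, object]]:
    """One finding per outbound connection made by an Office process.

    The /dde switch on the Excel command line is the ordinary shell-association
    open command for .xls files, so it is kept for context but is not used as a
    signal: the signal is the Office process itself opening a socket.
    """
    events = list(events)
    starts = {e.pid: e for e in events if e.event_id == 1 and is_office(e.image)}
    findings: List[Dict[str, object]] = []
    for e in events:
        if e.event_id != 3 or e.pid not in starts:
            continue
        severity = "high" if fetches_payload(e.url) else "medium"
        findings.append({
            "pid": e.pid,
            "image": basename(e.image),
            "parent": basename(starts[e.pid].parent_image),
            "command_line": starts[e.pid].command_line,
            "dest": f"{e.dest_ip}:{e.dest_port}",
            "domain": urlparse(e.url).hostname or "",
            "url": e.url,
            "severity": severity,
        })
    return findings


def iocs(findings: Iterable[Dict[str, object]]) -> Dict[str, set]:
    """Collect the network indicators from the findings for blocking and hunting."""
    out: Dict[str, set] = {"ips": set(), "domains": set(), "urls": set()}
    for f in findings:
        out["ips"].add(str(f["dest"]).split(":")[0])
        if f["domain"]:
            out["domains"].add(str(f["domain"]))
        if f["url"]:
            out["urls"].add(str(f["url"]))
    return out


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['severity']}] {f['image']} (pid {f['pid']}, parent {f['parent']}) "
              f"-> {f['dest']} {f['url']}")
    print(iocs(found))
```

Run against the constructed records this yields a single high-severity finding for PID 3556 and the IOC set {179.61.13.84, rca-auditores.cl, the kuugkgyr.exe URL}; the Word control produces nothing because it never opens a connection. Without a proxy join the `url` field is empty and the same connection is still reported, at medium severity, on the strength of the Office process reaching out at all.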