File name: Mitek Holdings Inc. Remittance 01.24.2022.xlsx

Full analysis: https://app.any.run/tasks/2bb8e3f5-d8a6-435b-b5d1-22f398d0cc58
Verdict: Malicious activity
Analysis date: January 24, 2022, 19:37:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5: 676296ECBEA7BBB92A9546A747250BB2
SHA1: 692382A0E5C679ACE20490251BCE5AAD6B4E8498
SHA256: 935A798D10D3C80307F0B14EEA13D5951878B9ED4E3F5E0EF7EA1C2A59F8BFA6
SSDEEP: 24576:CrQU57GpJk69mCNDPCBpY+bikHII5Bqn13dhWX:Ry7jClPsDJ55B67WX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executed via COM

      • iexplore.exe (PID: 3632)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2712)
      • iexplore.exe (PID: 296)
  • INFO

    • Reads the computer name

      • EXCEL.EXE (PID: 3416)
      • iexplore.exe (PID: 3632)
      • iexplore.exe (PID: 2712)
      • iexplore.exe (PID: 296)
    • Checks supported languages

      • EXCEL.EXE (PID: 3416)
      • iexplore.exe (PID: 3632)
      • iexplore.exe (PID: 2712)
      • iexplore.exe (PID: 296)
    • Reads settings of System Certificates

      • EXCEL.EXE (PID: 3416)
      • iexplore.exe (PID: 2712)
      • iexplore.exe (PID: 3632)
    • Checks Windows Trust Settings

      • EXCEL.EXE (PID: 3416)
      • iexplore.exe (PID: 2712)
      • iexplore.exe (PID: 3632)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3416)
    • Reads internet explorer settings

      • EXCEL.EXE (PID: 3416)
      • iexplore.exe (PID: 296)
      • iexplore.exe (PID: 2712)
    • Reads Microsoft Outlook installation path

      • EXCEL.EXE (PID: 3416)
    • Application launched itself

      • iexplore.exe (PID: 3632)
    • Changes internet zones settings

      • iexplore.exe (PID: 3632)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3632)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3632)
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

XML

AppVersion: 16.03
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
Company: -
TitlesOfParts:
  • 77941-PNC X339005 USD
  • '77941-PNC X339005 USD'!Print_Area
HeadingPairs:
  • Worksheets
  • 1
  • Named Ranges
  • 1
ScaleCrop: No
DocSecurity: None
Application: Microsoft Excel
ModifyDate: 2022:01:24 16:26:25Z
CreateDate: 2021:09:23 20:43:06Z
LastModifiedBy: a

XMP

Creator: overstreet

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1454
ZipCompressedSize: 392
ZipCRC: 0x7060271e
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
Total processes: 41
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Processes shown: start, excel.exe, iexplore.exe, iexplore.exe (no specs), iexplore.exe

Process information

PID 3416
  CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Excel
  Version: 14.0.6024.1000

PID 3632
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 296
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3632 CREDAT:144385 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 2712
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3632 CREDAT:333058 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 18 253
Read events: 17 996
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 11
Text files: 11
Unknown types: 6

Dropped files

PID 3416 (EXCEL.EXE)
  Filename: C:\Users\admin\AppData\Local\Temp\CVR2883.tmp.cvr
  Type: -
  MD5: -
  SHA256: -

PID 3416 (EXCEL.EXE)
  Filename: C:\Users\admin\AppData\Local\Temp\Tar5DFC.tmp
  Type: cat
  MD5: D99661D0893A52A0700B8AE68457351A
  SHA256: BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003

PID 3416 (EXCEL.EXE)
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5D3BC9F7577694979C47669D60300B2F
  Type: der
  MD5: 8EB4AC238B023E7B99EAB681A7E1F5D8
  SHA256: AF30AA1AFCCACAA4429463732295B3FB19A239379F25A314D8A191D6B98C3204

PID 2712 (iexplore.exe)
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACC5534CD405154E92FBBC117064F37F
  Type: der
  MD5: F9AB7798A47962CD2B1C8105C85F6B68
  SHA256: D7AE5B43A4C59A7104B67C6BF96D0192990D7741804F03425A39493125E33A21

PID 3416 (EXCEL.EXE)
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  Type: binary
  MD5: 65F7A93844496BCE83B4920CA13D8A15
  SHA256: C160AFAD3E04307F8C8AFE7B74D95A4625892400EBB2A45C0A4172F54DBA5DC0

PID 2712 (iexplore.exe)
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Type: binary
  MD5: DC32D0F4AAF8AD2BCA8F2901FF9AAC8A
  SHA256: 8B225ADAD5C6BCD96F36B9731C2B5396E40D8F9131B06C14C0EB25747F6CDEE7

PID 3416 (EXCEL.EXE)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\index[1].htm
  Type: html
  MD5: C74AEA75B058476E0A6BD57296C161C3
  SHA256: E2034FD06BC0B45994AE8C272840892F42F3944D7807B32274EE4F3B1B79D0E7

PID 3416 (EXCEL.EXE)
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5D3BC9F7577694979C47669D60300B2F
  Type: binary
  MD5: 4FED4BE6119B1931AC64A7658ACC5713
  SHA256: 9A5C3773006668783A498BA3CF90583765F24020C3609A025F5D0B150BAA4967

PID 3416 (EXCEL.EXE)
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  Type: binary
  MD5: E70B03B58A165CDAC555BDEFAFE0161E
  SHA256: 4075A1F2BC2DF2F3E69F1BA856507D486CA1579CEA9E8C7D1564A14CCC3D7023

PID 3416 (EXCEL.EXE)
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
  Type: der
  MD5: 54E9306F95F32E50CCD58AF19753D929
  SHA256: 45F94DCEB18A8F738A26DA09CE4558995A4FE02B971882E8116FC9B59813BB72
HTTP(S) requests: 7
TCP/UDP connections: 29
DNS requests: 11
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3416 | EXCEL.EXE | GET | 200 | 23.45.105.185:80 | http://x1.c.lencr.org/ | NL | der | 717 b | whitelisted
2712 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
2712 | iexplore.exe | GET | 200 | 23.32.238.67:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNK9XqJkc9zzC7jYsqw82hmag%3D%3D | US | der | 503 b | shared
3416 | EXCEL.EXE | GET | 200 | 23.32.238.67:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgMOsj5Asv9mRxZmu%2B%2BCJB6XYA%3D%3D | US | der | 503 b | shared
3416 | EXCEL.EXE | GET | 200 | 23.32.238.201:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0cffe917755ec3f1 | US | compressed | 59.9 Kb | whitelisted
3416 | EXCEL.EXE | GET | 200 | 23.32.238.201:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fd470d0cbbf0401c | US | compressed | 4.70 Kb | whitelisted
3632 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2712 | iexplore.exe | 152.199.19.160:443 | ajax.aspnetcdn.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3416 | EXCEL.EXE | 23.32.238.201:80 | ctldl.windowsupdate.com | XO Communications | US | suspicious
3416 | EXCEL.EXE | 23.45.105.185:80 | x1.c.lencr.org | Akamai International B.V. | NL | unknown
3416 | EXCEL.EXE | 45.11.36.16:443 | f003.backblazeb2.com | - | - | unknown
2712 | iexplore.exe | 45.11.36.16:443 | f003.backblazeb2.com | - | - | unknown
2712 | iexplore.exe | 188.114.97.7:443 | minesmtp.com | Cloudflare Inc | US | malicious
- | - | 23.32.238.67:80 | r3.o.lencr.org | XO Communications | US | unknown
2712 | iexplore.exe | 23.32.238.67:80 | r3.o.lencr.org | XO Communications | US | unknown
3632 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3632 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
f003.backblazeb2.com | 45.11.36.16 | unknown
ctldl.windowsupdate.com | 23.32.238.201, 23.32.238.208 | whitelisted
x1.c.lencr.org | 23.45.105.185 | whitelisted
r3.o.lencr.org | 23.32.238.67, 23.32.238.51 | shared
minesmtp.com | 188.114.97.7, 188.114.96.7 | malicious
ajax.aspnetcdn.com | 152.199.19.160 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
api.bing.com | 13.107.13.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted

Threats

No threats detected
No debug info