File name:

F.A.Q[2021.11.17_21-03].xlsb

Full analysis: https://app.any.run/tasks/bb152a3c-ead3-413d-8259-18229c536efa
Verdict: Malicious activity
Threats:

IcedID is a banking trojan that attackers use to steal victims' banking credentials. IcedID, also known as BokBot, mainly targets businesses and steals payment information; it also acts as a loader and can deliver other malware or download additional modules.

Analysis date: November 18, 2021, 17:28:41
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags:
loader
trojan
icedid
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

33131357D897AA065D8220FD159733D4

SHA1:

7C5793AD1DCD2594C803C991F6CE0EF4A75E78D8

SHA256:

947A442E30A4A5BF3B19A691AE7198B3BBE2517BBF101E7820A16AF9F69287FE

SSDEEP:

6144:5mMkBPtds3GmMXoJbhbjcY/l+Q0CXYfLkZQyf1m0ZwzTDar7AhntI9:gns3GmMXIBZ/8QqLkJmjarUhn+9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • EXCEL.EXE (PID: 1224)
    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 5432)
    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 1224)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 1224)
    • ICEDID was detected

      • regsvr32.exe (PID: 5432)
  • SUSPICIOUS

    • Executed via COM

      • rundll32.exe (PID: 5908)
    • Drops a file with a compile date too recent

      • EXCEL.EXE (PID: 1224)
    • Reads the date of Windows installation

      • EXCEL.EXE (PID: 1224)
  • INFO

    • Checks supported languages

      • EXCEL.EXE (PID: 1224)
      • regsvr32.exe (PID: 5432)
    • Reads settings of System Certificates

      • EXCEL.EXE (PID: 1224)
      • regsvr32.exe (PID: 5432)
    • Reads Environment values

      • EXCEL.EXE (PID: 1224)
    • Reads the software policy settings

      • EXCEL.EXE (PID: 1224)
      • regsvr32.exe (PID: 5432)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 1224)
    • Reads the computer name

      • EXCEL.EXE (PID: 1224)
      • regsvr32.exe (PID: 5432)
    • Checks Windows Trust Settings

      • EXCEL.EXE (PID: 1224)
    • Scans artifacts that could help determine the target

      • EXCEL.EXE (PID: 1224)
    • Reads CPU info

      • EXCEL.EXE (PID: 1224)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 1224)
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x49c13349
ZipCompressedSize: 441
ZipUncompressedSize: 1506
ZipFileName: [Content_Types].xml

XMP

Creator: Андрей Елисеев

XML

LastModifiedBy: Mishel Brown
CreateDate: 2021:02:03 15:28:44Z
ModifyDate: 2021:11:18 10:01:44Z
Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Листы (Sheets)
  • 1
  • Макросы Excel 4.0 (Excel 4.0 Macros)
  • 1
TitlesOfParts:
  • Alt
  • SED EWIIEW IOFIOFOIR EWOIOIFOI
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16.03
No data.
Total processes
101
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

start excel.exe #ICEDID regsvr32.exe rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1224
CMD: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Downloads\F.A.Q[2021.11.17_21-03].xlsb"
Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
16.0.12026.20264
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
PID: 5432
CMD: regsvr32 -e -n -i:"Microsoft" C:\Users\Public\ofc.dll
Path: C:\WINDOWS\SYSTEM32\regsvr32.exe
Parent process: EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\gdi32.dll
PID: 5908
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
Path: C:\WINDOWS\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
Total events
9 270
Read events
9 071
Write events
181
Delete events
18

Modification events

(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 1
Value:
01D014000000001000284FFA2E01000000000000000500000000000000

(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\Common\CrashPersistence\EXCEL\1224
Operation: write
Name: 0
Value:
0B0E107A1A7528D719094895F87F41E9AACCD7230046FBFA94B39C94F7EB016A0410240044FA5D64A89E01008500A907556E6B6E6F776E00

(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value:
2

(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value:
2

(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value:
2

(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value:
2

(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: it-it
Value:
2

(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ja-jp
Value:
2

(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ko-kr
Value:
2

(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: pt-br
Value:
2
Executable files
2
Suspicious files
6
Text files
5
Unknown types
5

Dropped files

PID
Process
Filename
Type
PID: 1224
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\FontCache\4\CloudFonts\FangSong\29400494812.ttf
Type:
MD5:
SHA256:

PID: 1224
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\F.A.Q[2021.11.17_21-03].xlsb.LNK
Type: lnk
MD5:
SHA256:

PID: 1224
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6F7A9592-DCBD-469F-BA51-BAF1DCD6830E
Type: xml
MD5:
SHA256:

PID: 1224
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Type: binary
MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228

PID: 1224
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: ini
MD5:
SHA256:

PID: 1224
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W481B3J3S5DIJY1S9VV0.temp
Type: binary
MD5: E4A1661C2C886EBB688DEC494532431C
SHA256: B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5

PID: 1224
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF16a175.TMP
Type: binary
MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228

PID: 1224
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Excel\~ar5E9E.xar
Type: document
MD5:
SHA256:

PID: 1224
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\FontCache\4\CloudFonts\Univers\27605362331.ttf
Type: odttf
MD5: 04A1E93A61F71DA4AA62F50C4FE5EDF3
SHA256: 7F5401A4CBE3B419DF381523E9EE6C75E0A553F4F7B566F1C5ACBEC936B4830E

PID: 1224
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\FontCache\4\CloudFonts\Univers\30013288172.ttf
Type: odttf
MD5: BB05E0645954872BF4A841BDCBF5AFA9
SHA256: 0A47E59A2BB2B4F6AC566DCEA4E7D92DABB96EDAB040A997262E27D829FBBC24
HTTP(S) requests
40
TCP/UDP connections
51
DNS requests
19
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1224
EXCEL.EXE
GET
304
20.54.89.106:443
https://sls.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.16299.0/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.16299.98&MK=DELL&MD=DELL
US
whitelisted
1224
EXCEL.EXE
GET
200
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v2.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.16299.431.amd64fre.rs3_release_svc_escrow.180502-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&BranchReadinessLevel=CBB&ProcessorIdentifier=AMD64%20Family%206%20Model%2014%20Stepping%203&CurrentBranch=rs3_release_svc_escrow&OEMModel=DELL&FlightRing=Retail&AttrDataVer=43&InstallLanguage=en-US&OSUILocale=en-US&OEMModelBaseBoard=&FirmwareVersion=A.40&InstallationType=Client&FlightingBranchName=&ServicingBranch=CBB&OSSkuId=48&App=WaaSAssessment&InstallDate=1523361072&ProcessorManufacturer=AuthenticAMD&OEMName_Uncleaned=DELL&AppVer=10.0&OSArchitecture=AMD64&HonorWUfBDeferrals=1&UpdateManagementGroup=2&IsDeviceRetailDemo=0&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_55f7f576bf549669%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&IsFlightingEnabled=0&DeferQualityUpdatePeriodInDays=0&TelemetryLevel=1&DefaultUserRegion=244&DeferFeatureUpdatePeriodInDays=30&OSVersion=10.0.16299.431&DeviceFamily=Windows.Desktop
GB
binary
1.01 Kb
whitelisted
1224
EXCEL.EXE
GET
200
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v2.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.16299.431.amd64fre.rs3_release_svc_escrow.180502-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&BranchReadinessLevel=CBB&ProcessorIdentifier=AMD64%20Family%206%20Model%2014%20Stepping%203&CurrentBranch=rs3_release_svc_escrow&OEMModel=DELL&FlightRing=Retail&AttrDataVer=43&InstallLanguage=en-US&OSUILocale=en-US&OEMModelBaseBoard=&FirmwareVersion=A.40&InstallationType=Client&FlightingBranchName=&ServicingBranch=CBB&OSSkuId=48&App=WaaSAssessment&InstallDate=1523361072&ProcessorManufacturer=AuthenticAMD&OEMName_Uncleaned=DELL&AppVer=10.0&OSArchitecture=AMD64&HonorWUfBDeferrals=1&UpdateManagementGroup=2&IsDeviceRetailDemo=0&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_55f7f576bf549669%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&IsFlightingEnabled=0&DeferQualityUpdatePeriodInDays=0&TelemetryLevel=1&DefaultUserRegion=244&DeferFeatureUpdatePeriodInDays=30&OSVersion=10.0.16299.431&DeviceFamily=Windows.Desktop
GB
binary
1.01 Kb
whitelisted
5732
sihclient.exe
GET
200
2.21.143.74:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
der
813 b
whitelisted
1224
EXCEL.EXE
GET
200
162.241.224.176:443
https://yfo.yag.mybluehost.me/wp-content/uploads/2020/08/file1.cms
US
executable
375 Kb
malicious
1224
EXCEL.EXE
GET
200
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v2.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.16299.431.amd64fre.rs3_release_svc_escrow.180502-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&BranchReadinessLevel=CBB&ProcessorIdentifier=AMD64%20Family%206%20Model%2014%20Stepping%203&CurrentBranch=rs3_release_svc_escrow&OEMModel=DELL&FlightRing=Retail&AttrDataVer=43&InstallLanguage=en-US&OSUILocale=en-US&OEMModelBaseBoard=&FirmwareVersion=A.40&InstallationType=Client&FlightingBranchName=&ServicingBranch=CBB&OSSkuId=48&App=WaaSAssessment&InstallDate=1523361072&ProcessorManufacturer=AuthenticAMD&OEMName_Uncleaned=DELL&AppVer=10.0&OSArchitecture=AMD64&HonorWUfBDeferrals=1&UpdateManagementGroup=2&IsDeviceRetailDemo=0&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_55f7f576bf549669%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&IsFlightingEnabled=0&DeferQualityUpdatePeriodInDays=0&TelemetryLevel=1&DefaultUserRegion=244&DeferFeatureUpdatePeriodInDays=30&OSVersion=10.0.16299.431&DeviceFamily=Windows.Desktop
GB
binary
1.01 Kb
whitelisted
1224
EXCEL.EXE
POST
200
40.126.31.1:443
https://login.live.com/RST2.srf
US
xml
9.87 Kb
whitelisted
1224
EXCEL.EXE
POST
200
40.126.31.1:443
https://login.live.com/RST2.srf
US
xml
9.87 Kb
whitelisted
5732
sihclient.exe
GET
200
92.123.194.162:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
der
824 b
whitelisted
1224
EXCEL.EXE
GET
200
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v2.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.16299.431.amd64fre.rs3_release_svc_escrow.180502-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&BranchReadinessLevel=CBB&ProcessorIdentifier=AMD64%20Family%206%20Model%2014%20Stepping%203&CurrentBranch=rs3_release_svc_escrow&OEMModel=DELL&FlightRing=Retail&AttrDataVer=43&InstallLanguage=en-US&OSUILocale=en-US&OEMModelBaseBoard=&FirmwareVersion=A.40&InstallationType=Client&FlightingBranchName=&ServicingBranch=CBB&OSSkuId=48&App=WaaSAssessment&InstallDate=1523361072&ProcessorManufacturer=AuthenticAMD&OEMName_Uncleaned=DELL&AppVer=10.0&OSArchitecture=AMD64&HonorWUfBDeferrals=1&UpdateManagementGroup=2&IsDeviceRetailDemo=0&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_55f7f576bf549669%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&IsFlightingEnabled=0&DeferQualityUpdatePeriodInDays=0&TelemetryLevel=1&DefaultUserRegion=244&DeferFeatureUpdatePeriodInDays=30&OSVersion=10.0.16299.431&DeviceFamily=Windows.Desktop
GB
binary
1.01 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1224
EXCEL.EXE
13.107.42.16:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
628
WaaSMedic.exe
51.124.78.146:443
settings-win.data.microsoft.com
Microsoft Corporation
GB
whitelisted
1224
EXCEL.EXE
20.189.173.5:443
self.events.data.microsoft.com
Microsoft Corporation
US
suspicious
51.124.78.146:443
settings-win.data.microsoft.com
Microsoft Corporation
GB
whitelisted
3192
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
Microsoft Corporation
GB
whitelisted
5732
sihclient.exe
20.54.89.106:443
US
whitelisted
5732
sihclient.exe
2.21.143.74:80
www.microsoft.com
Telia Company AB
malicious
40.126.31.1:443
login.live.com
Microsoft Corporation
US
whitelisted
1224
EXCEL.EXE
52.109.32.63:443
officeclient.microsoft.com
Microsoft Corporation
GB
whitelisted
1224
EXCEL.EXE
52.109.76.78:443
messaging.office.com
Microsoft Corporation
IE
suspicious

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.42.16
malicious
yfo.yag.mybluehost.me
  • 162.241.224.176
malicious
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
time.windows.com
  • 40.119.148.38
whitelisted
self.events.data.microsoft.com
  • 20.189.173.5
  • 13.89.179.10
whitelisted
insiderservice.microsoft.com
whitelisted
crl.microsoft.com
  • 92.123.194.162
  • 92.123.194.163
whitelisted
www.microsoft.com
  • 2.21.143.74
whitelisted
login.live.com
whitelisted
officeclient.microsoft.com
  • 52.109.32.63
whitelisted

Threats

PID
Process
Class
Message
5432
regsvr32.exe
A Network Trojan was detected
ET TROJAN Win32/IcedID Request Cookie
No debug info