| File name: | ac99150ba3f493b160772359c01389db0916880571259b73c65c7cdc0901e02c |
| Full analysis: | https://app.any.run/tasks/b8010756-9b8c-4d74-b2a6-6f69b401a42c |
| Verdict: | Malicious activity |
| Analysis date: | November 17, 2024, 09:15:22 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| MIME: | application/vnd.ms-excel |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Posik, Last Saved By: RHfdh, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:19:34 2015, Last Saved Time/Date: Fri Apr 29 14:16:33 2022, Security: 0 |
| MD5: | 256A0C9DD8DA700CF83DCF58D2688CBF |
| SHA1: | 2B76D5C75771C18779E6950407D79F692E5281DE |
| SHA256: | AC99150BA3F493B160772359C01389DB0916880571259B73C65C7CDC0901E02C |
| SSDEEP: | 768:WXwN+FvCQgxPcSbHwgbaKmQS6zH5zJw97J5orO8hHpbf17snictZFirdXN+7y:WX+KExPk4aL1611wzV8hHVtQVudt |
MALICIOUS
Calls Win API functions (MACROS)
- EXCEL.EXE (PID: 4208)
SUSPICIOUS
No suspicious indicators.INFO
The process uses the downloaded file
- EXCEL.EXE (PID: 4208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xls | | | Microsoft Excel sheet (78.9) |
|---|
EXIF
FlashPix
| Author: | Posik |
|---|---|
| LastModifiedBy: | RHfdh |
| Software: | Microsoft Excel |
| CreateDate: | 2015:06:05 18:19:34 |
| ModifyDate: | 2022:04:29 14:16:33 |
| Security: | None |
| CodePage: | Windows Cyrillic |
| Company: | - |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: |
|
| HeadingPairs: |
|
Total processes
135
Monitored processes
1
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4208 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" C:\Users\admin\Desktop\ac99150ba3f493b160772359c01389db0916880571259b73c65c7cdc0901e02c.xls | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 16.0.16026.20146 Modules
| |||||||||||||||
Total events
8 592
Read events
8 505
Write events
66
Delete events
21
Modification events
| (PID) Process: | (4208) EXCEL.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling |
| Operation: | write | Name: | 1 |
Value: 01D014000000001000B24E9A3E02000000000000000600000000000000 | |||
| (PID) Process: | (4208) EXCEL.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\4208 |
| Operation: | write | Name: | 0 |
Value: 0B0E108F271F2CA2EA634FAB2A34F256AB4B0B230046BC9CAE99949ACEED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511F020D2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300 | |||
| (PID) Process: | (4208) EXCEL.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | en-US |
Value: 2 | |||
| (PID) Process: | (4208) EXCEL.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | de-de |
Value: 2 | |||
| (PID) Process: | (4208) EXCEL.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | fr-fr |
Value: 2 | |||
| (PID) Process: | (4208) EXCEL.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | es-es |
Value: 2 | |||
| (PID) Process: | (4208) EXCEL.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | it-it |
Value: 2 | |||
| (PID) Process: | (4208) EXCEL.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ja-jp |
Value: 2 | |||
| (PID) Process: | (4208) EXCEL.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ko-kr |
Value: 2 | |||
| (PID) Process: | (4208) EXCEL.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | pt-br |
Value: 2 | |||
Executable files
1
Suspicious files
12
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4208 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms | binary | |
MD5:4FCB2A3EE025E4A10D21E1B154873FE2 | SHA256:90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228 | |||
| 4208 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X5G1AGEUWYYZ83363A6L.temp | binary | |
MD5:E4A1661C2C886EBB688DEC494532431C | SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5 | |||
| 4208 | EXCEL.EXE | C:\Users\admin\Desktop\ac99150ba3f493b160772359c01389db0916880571259b73c65c7cdc0901e02c.xls | document | |
MD5:D508AC421382345CED73309E19542BAA | SHA256:6A6C15605EA88B29423F9D41FBE559EA3AD00140699C320A1B51359B1B53B1FE | |||
| 4208 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RFa5207.TMP | binary | |
MD5:4FCB2A3EE025E4A10D21E1B154873FE2 | SHA256:90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228 | |||
| 4208 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:51E047F69C770490E7182E196B46EF0C | SHA256:6908AEDC37BF94A7853460092B2E9010C4483E78AD70463428E4626358BF0709 | |||
| 4208 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ac99150ba3f493b160772359c01389db0916880571259b73c65c7cdc0901e02c.xls.LNK | binary | |
MD5:2919DB721D7B2150CE1F353C0C6B5F58 | SHA256:CF4C6B0DBF181DF69FC6E290036E5A5701EB8A0AE81308AC9E6CD3C8DBC56260 | |||
| 4208 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres | binary | |
MD5:56FE5E248D2725429DF0884532CEE51B | SHA256:62FEF4C2D3660CD7BFCE142569518BB91A7A82951AAD0E910E0CDE8B56C96D99 | |||
| 4208 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | binary | |
MD5:C1F8E1903974813AFD954051957204E4 | SHA256:9770C0963F602CC5CCE527F6B310670D36DD8E395E11CF865F2AC88B67E072F0 | |||
| 4208 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Excel\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S | binary | |
MD5:FA8E1CA2DB62CBA05D50BF52400D7A08 | SHA256:E5217CA0954F153C89F3B06C57114B9B8600583B89E24E221B8BEDE111E44EFB | |||
| 4208 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q2X0O7NFTVCLJ3LPHAIN.temp | binary | |
MD5:4FCB2A3EE025E4A10D21E1B154873FE2 | SHA256:90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
31
DNS requests
17
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | — | 52.109.28.46:443 | https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3 | unknown | — | — | — |
— | — | GET | — | 52.113.194.132:443 | https://ecs.office.com/config/v2/Office/excel/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=excel.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b2C1F278F-EAA2-4F63-AB2A-34F256AB4B0B%7d&LabMachine=false | unknown | — | — | — |
— | — | GET | — | 210.2.86.103:443 | https://galaxy-catering.com.vn/galxy/Fg1vvhlYJ/ | unknown | — | — | — |
— | — | GET | — | 52.111.231.13:443 | https://messaging.lifecycle.office.com/getcustommessage16?app=1&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B2C1F278F-EAA2-4F63-AB2A-34F256AB4B0B%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofaa1msspvo2xw31%2Cofgg6vdq3anjh131%2Cof3ttwdwizkwt531%2Cofskuekmq22yki31%22%7D | unknown | — | — | — |
— | — | OPTIONS | — | 23.32.100.39:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/ | unknown | — | — | — |
— | — | GET | — | 23.32.100.39:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/version.json | unknown | — | — | — |
— | — | POST | — | 104.208.16.89:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | — | — | whitelisted |
— | — | POST | — | 20.42.65.94:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | — | — | whitelisted |
— | — | HEAD | — | 23.32.100.39:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/version.json | unknown | — | — | — |
— | — | POST | — | 20.42.65.94:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6944 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7060 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5488 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6944 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4208 | EXCEL.EXE | 52.109.28.46:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted |
4208 | EXCEL.EXE | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4208 | EXCEL.EXE | 85.214.195.12:80 | farschid.de | Strato AG | DE | suspicious |
816 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
ecs.office.com |
| whitelisted |
farschid.de |
| unknown |
77homolog.com.br |
| malicious |
geowf.ge |
| malicious |
h63402x4.beget.tech |
| whitelisted |
ecoarch.com.tw |
| unknown |
self.events.data.microsoft.com |
| whitelisted |
Threats
1 ETPRO signatures available at the full report