File name: | DC345230.xls |
Full analysis: | https://app.any.run/tasks/7edca36f-5d71-4eae-b59d-81eb4da60e54 |
Verdict: | Malicious activity |
Analysis date: | September 11, 2019, 11:34:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: kJYNUx, Subject: DvVkmF, Author: W, Last Saved By: Microsoft Office, Revision Number: 575, Name of Creating Application: Microsoft Excel, Total Editing Time: 1d+08:50:00, Create Time/Date: Fri Aug 30 10:14:50 2019, Last Saved Time/Date: Mon Sep 9 12:37:40 2019, Number of Pages: 2, Number of Words: 756, Number of Characters: 8021, Security: 0 |
MD5: | 724CF8EC0BAC89E4FE13E2B1FB24BD56 |
SHA1: | A0D0C44C5006E1185A7A43AB5EF16B6A063209D5 |
SHA256: | AFFC1AE268EF274602D8A4429BCBB9B08D08A6EAB7B5C7A4ACEA6E84DCE8DF4A |
SSDEEP: | 3072:b8KsaWCp3C2ENU59tF2wassbcIn5MvST1Irjgbsf52xt5fAuY5kJs/DcoWa1ScJz:b8nC1r9arbVnSvt4sf0xArkJIWa1Sc9 |
.xls | | | Microsoft Excel sheet (48) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (39.2) |
HeadingPairs: |
|
---|---|
TitleOfParts: | 1 |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 11.9999 |
Paragraphs: | 48 |
Lines: | 700 |
Bytes: | 60161 |
Company: | - |
CodePage: | Windows Cyrillic |
Security: | None |
Characters: | 8021 |
Words: | 756 |
Pages: | 2 |
ModifyDate: | 2019:09:09 11:37:40 |
CreateDate: | 2019:08:30 09:14:50 |
TotalEditTime: | 1.4 days |
Software: | Microsoft Excel |
RevisionNumber: | 575 |
LastModifiedBy: | Microsoft Office |
Author: | W |
Subject: | DvVkmF |
Title: | kJYNUx |
CompObjUserType: | OLE Package |
CompObjUserTypeLen: | 12 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3368 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 3221225547 Version: 14.0.6024.1000 |
(PID) Process: | (3368) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | write | Name: | mf# |
Value: 6D662300280D0000010000000000000000000000 | |||
(PID) Process: | (3368) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (3368) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (3368) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel |
Operation: | write | Name: | MTTT |
Value: 280D0000F8A9F7F59468D50100000000 | |||
(PID) Process: | (3368) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | delete value | Name: | mf# |
Value: 6D662300280D0000010000000000000000000000 | |||
(PID) Process: | (3368) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | delete key | Name: | |
Value: | |||
(PID) Process: | (3368) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency |
Operation: | delete key | Name: | |
Value: | |||
(PID) Process: | (3368) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3368) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (3368) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\169F72 |
Operation: | write | Name: | 169F72 |
Value: 04000000280D00002E00000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00440043003300340035003200330030002E0078006C007300000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000000000000A03F13F79468D501729F1600729F160000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3368 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR9ADD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3368 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\VBA252.tmp | — | |
MD5:— | SHA256:— | |||
3368 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\VBA242.tmp | — | |
MD5:— | SHA256:— | |||
3368 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF9AA5AA0EBDEAFBB6.TMP | — | |
MD5:— | SHA256:— | |||
3368 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\B2A61000 | — | |
MD5:— | SHA256:— | |||
3368 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF791D8BB5B6C181E8.TMP | — | |
MD5:— | SHA256:— | |||
3368 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~$13.xlsx | — | |
MD5:— | SHA256:— | |||
3368 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFD7AB9A6C0AFDBC2C.TMP | — | |
MD5:— | SHA256:— | |||
3368 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF90B5447D0431DC27.TMP | — | |
MD5:— | SHA256:— | |||
3368 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFC3151B858C5DD696.TMP | — | |
MD5:— | SHA256:— |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3368 | EXCEL.EXE | 212.80.216.172:443 | update365-office-ens.com | — | — | unknown |
Domain | IP | Reputation |
---|---|---|
update365-office-ens.com |
| unknown |