File name: | d642109e621c6758027c2fc0e5ea3d1126963a001ab1858b95f82e09403943bd.xls |
Full analysis: | https://app.any.run/tasks/b6ba49c4-d8c1-4f96-9d74-7f2c03bef7b2 |
Verdict: | Malicious activity |
Analysis date: | May 20, 2022, 16:55:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Posik, Last Saved By: Dream, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Thu May 19 10:49:31 2022, Security: 0 |
MD5: | 64D4AB18BBD8E191F74FC14198FDEC87 |
SHA1: | 0A13D417F779071B5263163AD7DA839E6B3C5738 |
SHA256: | D642109E621C6758027C2FC0E5EA3D1126963A001AB1858B95F82E09403943BD |
SSDEEP: | 1536:t5nKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgYAezwrMC1vJec/RtbEtfE:/Kpb8rGYrMPe3q7Q0XV5xtezEsi8/dgt |
.xls | | | Microsoft Excel sheet (78.9) |
---|
Author: | Posik |
---|---|
LastModifiedBy: | Dream |
Software: | Microsoft Excel |
CreateDate: | 2015:06:05 18:19:34 |
ModifyDate: | 2022:05:19 09:49:31 |
Security: | None |
CodePage: | Windows Cyrillic |
Company: | - |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: |
|
HeadingPairs: |
|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2920 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 Modules
| |||||||||||||||
1448 | C:\Windows\System32\regsvr32.exe /S ..\soam1.dll | C:\Windows\System32\regsvr32.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3272 | C:\Windows\System32\regsvr32.exe /S ..\soam2.dll | C:\Windows\System32\regsvr32.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2580 | C:\Windows\System32\regsvr32.exe /S ..\soam3.dll | C:\Windows\System32\regsvr32.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2788 | C:\Windows\System32\regsvr32.exe /S ..\soam4.dll | C:\Windows\System32\regsvr32.exe | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (2920) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Operation: | write | Name: | 7h; |
Value: 37683B00680B0000010000000000000000000000 | |||
(PID) Process: | (2920) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2920) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: Off | |||
(PID) Process: | (2920) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: Off | |||
(PID) Process: | (2920) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: Off | |||
(PID) Process: | (2920) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: Off | |||
(PID) Process: | (2920) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: Off | |||
(PID) Process: | (2920) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: Off | |||
(PID) Process: | (2920) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: Off | |||
(PID) Process: | (2920) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: Off |
PID | Process | Filename | Type | |
---|---|---|---|---|
2920 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD037.tmp.cvr | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2920 | EXCEL.EXE | GET | 404 | 173.231.245.32:80 | http://mybiscotto.com/images/BDcjQT/ | US | xml | 341 b | suspicious |
2920 | EXCEL.EXE | GET | 404 | 2.16.107.82:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?42d2bcaae5d72a26 | unknown | xml | 341 b | whitelisted |
2920 | EXCEL.EXE | GET | 404 | 50.31.160.160:80 | http://myramark.com/mail/rdhEPylXD8BuTA/ | US | xml | 341 b | suspicious |
1088 | svchost.exe | GET | 404 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?001d3f4afd4e8c70 | US | xml | 341 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2920 | EXCEL.EXE | 103.1.238.211:443 | myphamcuatui.com | SUPERDATA | VN | suspicious |
2920 | EXCEL.EXE | 50.31.160.160:80 | myramark.com | Server Central Network | US | suspicious |
2920 | EXCEL.EXE | 2.16.107.82:80 | ctldl.windowsupdate.com | Akamai International B.V. | — | suspicious |
1088 | svchost.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
2920 | EXCEL.EXE | 173.231.245.32:80 | mybiscotto.com | tzulo, inc. | US | suspicious |
2920 | EXCEL.EXE | 103.227.62.66:443 | myechoproject.com | Diadem Technologies Pvt. Ltd. | IN | suspicious |
Domain | IP | Reputation |
---|---|---|
myphamcuatui.com |
| suspicious |
ctldl.windowsupdate.com |
| whitelisted |
myramark.com |
| suspicious |
myechoproject.com |
| suspicious |
mybiscotto.com |
| suspicious |