Field | Value
---|---
File name | documento1_410.xls
Full analysis | https://app.any.run/tasks/101080d0-d0a6-4dfe-b224-45cd3a9c251c
Verdict | Malicious activity
Analysis date | October 20, 2020, 04:20:31
OS | Windows 10 Professional (build: 16299, 64 bit)
Indicators | 
MIME | application/vnd.ms-excel
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: dppFJMEcrkUCFZCGUe, Last Saved By: administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Oct 20 00:28:19 2020, Last Saved Time/Date: Tue Oct 20 00:48:19 2020, Security: 1
MD5 | E2739B11FA9EF4DDEE5F9AB41B1A56FF
SHA1 | A10B9A7D05F7E4F04983AED34BA3E52AAC0A8642
SHA256 | D9E458B03EAA69BB9CC9A3950D38C6CC78C4AAC8DF53E0048C7D562E88B61C5F
SSDEEP | 6144:uZKOXZdpjpVBrRWJ+Vl0T2q3T9UnoVEsOUqjLxjn:JOXZHpbrsJS03RUX6G
Extension | Detected file type
---|---
.xls | Microsoft Excel sheet (78.9)
Property | Value
---|---
HeadingPairs | 
TitleOfParts | 
HyperlinksChanged | No
SharedDoc | No
LinksUpToDate | No
ScaleCrop | No
AppVersion | 16
Company | -
CodePage | Windows Latin 1 (Western European)
Security | Password protected
ModifyDate | 2020:10:19 23:48:19
CreateDate | 2020:10:19 23:28:19
Software | Microsoft Excel
LastModifiedBy | administrator
Author | dppFJMEcrkUCFZCGUe
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
576 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\documento1_410.xls" | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 16.0.12026.20264
1656 | "C:\Windows\System32\rundll32.exe" IDgiPjo.dll,DllRegisterServer | C:\Windows\System32\rundll32.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 10.0.16299.15 (WinBuild.160101.0800)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
576 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ETZCV79GBIXBYWJXWVTF.temp | — | — | —
576 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YLIW83SDGQCVDFMGFKSK.temp | — | — | —
576 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0DBEA502-8EB6-4649-9A15-5F586D6273F2 | xml | 31353D5A9F11278FA1A5F27456043ECA | 6AA2151009649D265A1F38F026A139622EFBE34456A0F0A8113AC37CA3DF760F
576 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\.ses | text | 8CE247CEABE7C4F6F6BE908C3961286D | 44A0C86CB4FA0C210FEEBD80CA148C501AA86AE4A93A2B82392E8498CA6A80C3
576 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der | BC94D23C9480A35FACB5E50F2AB187EF | 69E4BD5ED06087FBF1FAAA02A868325DE2DA88A33516E285389DE9ECFDB2543A
576 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_9.ttf | pi2 | A0A989F2E6A7B7EDBE7CC64EC77E3829 | F0338A27D7CE3A39EE72A3333BFBC656517010A4FA8E526CCB89E47C71451F37
576 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 3B496E51785F4D8F56913B235D6B1EA8 | E3396B120AF646B10126BE4826003093644AFCAEE4467F51A451F40447DBE97D
576 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary | CFD7F0B65B69327EE2DEB06599596818 | 6E1BF731E4124838131391538DE05280500B73574841F88120A2669ABAB4BD30
576 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\documento1_410.xls.LNK | lnk | CB1FBBE40FB042CD3F5B6124BB9D564E | 26F299F6A35C0EA98702A113174D3C8F0BA12AC67100E174F201355097361BA5
576 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml | xml | 3DEDDAE118B4165F1E0E1A43A9C1F044 | 87A44355D04C1C8BC2CAAB42D722C2A0E3BCFA2CF4CE3A023631699A541FA6BE
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
576 | EXCEL.EXE | GET | — | 109.248.203.236:80 | http://linksystems.casa/installa.dll | RU | — | — | suspicious |
1076 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
576 | EXCEL.EXE | 52.109.76.124:443 | roaming.officeapps.live.com | Microsoft Corporation | IE | whitelisted |
576 | EXCEL.EXE | 13.107.42.23:443 | config.edge.skype.com | Microsoft Corporation | US | suspicious |
576 | EXCEL.EXE | 52.109.88.8:443 | officeclient.microsoft.com | Microsoft Corporation | NL | whitelisted |
1076 | svchost.exe | 40.90.23.153:443 | login.live.com | Microsoft Corporation | US | unknown |
576 | EXCEL.EXE | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
576 | EXCEL.EXE | 104.111.214.95:443 | fs.microsoft.com | Akamai International B.V. | NL | whitelisted |
1076 | svchost.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
576 | EXCEL.EXE | 52.109.52.36:443 | messaging.office.com | Microsoft Corporation | JP | unknown |
576 | EXCEL.EXE | 52.109.8.19:443 | nexusrules.officeapps.live.com | Microsoft Corporation | US | whitelisted |
— | — | 109.248.203.236:80 | linksystems.casa | Business Consulting LLC | RU | suspicious |
Domain | IP | Reputation
---|---|---
officeclient.microsoft.com | | whitelisted
roaming.officeapps.live.com | | whitelisted
fs.microsoft.com | | whitelisted
config.edge.skype.com | | whitelisted
ocsp.digicert.com | | whitelisted
login.live.com | | whitelisted
self.events.data.microsoft.com | | whitelisted
linksystems.casa | | suspicious
messaging.office.com | | whitelisted
nexusrules.officeapps.live.com | | whitelisted