File name: | RefQ06P2121.xlsx |
Full analysis: | https://app.any.run/tasks/e61fa1f3-fbe7-4dce-ab8f-f4d94af51d5b |
Verdict: | Malicious activity |
Analysis date: | November 16, 2019, 04:18:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | C77B5254602F89AA46BEBB5F364DADB2 |
SHA1: | 348821D9E7C620203B3FDFF1DA6A12D6A323D8CC |
SHA256: | E24725E16E22067438D207F7C9B760C67180F02931303E9F107FC39AA7474A3A |
SSDEEP: | 3072:Ytm92pRgj0OuGSS3NuurKiw7rj3EWKp8r+z5BqoCiqFo7Uuid:jwgjp3SYuyReEWK2IBuiqFcUJd |
.xlsx | | | Excel Microsoft Office Open XML Format document (61.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (31.5) |
.zip | | | ZIP compressed archive (7.2) |
AppVersion: | 16.03 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
TitlesOfParts: |
|
HeadingPairs: |
|
ScaleCrop: | No |
DocSecurity: | None |
Application: | Microsoft Macintosh Excel |
ModifyDate: | 2018:06:21 06:47:40Z |
CreateDate: | 2014:07:08 19:37:28Z |
LastModifiedBy: | KB4 |
Creator: | brian |
---|
ZipFileName: | xl/drawings/drawing1.xml |
---|---|
ZipUncompressedSize: | 5407 |
ZipCompressedSize: | 1437 |
ZipCRC: | 0xa3a65bab |
ZipModifyDate: | 2019:11:15 20:17:17 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2176 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3308 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | EXCEL.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3972 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3308 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2176 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA8DD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3308 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3308 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3972 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WMQ5YO00\XYWNw0aW9uPWgNsaWNrJnnVybD1omudHRwlczovL3NluY3hVyZWQtbG9naW4ubmV0kL3BhZ2VzLzViNmUyZDg3OTYxYiZyZWNpcGllbnRfaWQ9NTMxODY3Mzk0JmNhbXBhaWduX3J1bl9pZD0yNTUwMjI2[1].txt | — | |
MD5:— | SHA256:— | |||
3972 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabD452.tmp | — | |
MD5:— | SHA256:— | |||
3972 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarD453.tmp | — | |
MD5:— | SHA256:— | |||
3972 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabD463.tmp | — | |
MD5:— | SHA256:— | |||
3972 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarD464.tmp | — | |
MD5:— | SHA256:— | |||
3972 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabD4F2.tmp | — | |
MD5:— | SHA256:— | |||
3972 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarD4F3.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2176 | EXCEL.EXE | GET | 200 | 52.6.33.155:80 | http://messaging-security.comano.us/XYWNx0aW9uPWwF0dGFjaGm1lbnQmlhcmVjpaXBpZW50qX2flkPTUzMTg2NzM5NCZjkYW1wYWlnbl9ydW5faWQ9MjU1MDIyNg== | US | — | — | suspicious |
3972 | iexplore.exe | GET | 200 | 52.6.33.155:80 | http://messaging-security.comano.us/XYWNw0aW9uPWgNsaWNrJnnVybD1omudHRwlczovL3NluY3hVyZWQtbG9naW4ubmV0kL3BhZ2VzLzViNmUyZDg3OTYxYiZyZWNpcGllbnRfaWQ9NTMxODY3Mzk0JmNhbXBhaWduX3J1bl9pZD0yNTUwMjI2 | US | html | 334 b | suspicious |
2176 | EXCEL.EXE | GET | 200 | 52.6.33.155:80 | http://messaging-security.comano.us/XYWNw0aW9uPWgNsaWNrJnnVybD1omudHRwlczovL3NluY3hVyZWQtbG9naW4ubmV0kL3BhZ2VzLzViNmUyZDg3OTYxYiZyZWNpcGllbnRfaWQ9NTMxODY3Mzk0JmNhbXBhaWduX3J1bl9pZD0yNTUwMjI2 | US | html | 334 b | suspicious |
3308 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
3972 | iexplore.exe | GET | 200 | 67.27.159.126:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 57.4 Kb | whitelisted |
3972 | iexplore.exe | GET | 200 | 13.35.254.82:80 | http://x.ss2.us/x.cer | US | der | 1.27 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3308 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3972 | iexplore.exe | 52.6.33.155:80 | messaging-security.comano.us | Amazon.com, Inc. | US | malicious |
3972 | iexplore.exe | 34.194.103.109:443 | messaging-security.comano.us | Amazon.com, Inc. | US | malicious |
2176 | EXCEL.EXE | 52.6.33.155:80 | messaging-security.comano.us | Amazon.com, Inc. | US | malicious |
— | — | 67.27.159.126:80 | www.download.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
3972 | iexplore.exe | 13.35.254.82:80 | x.ss2.us | — | US | suspicious |
Domain | IP | Reputation |
---|---|---|
messaging-security.comano.us |
| suspicious |
www.bing.com |
| whitelisted |
secured-login.net |
| whitelisted |
x.ss2.us |
| whitelisted |
www.download.windowsupdate.com |
| whitelisted |