| File name: | copy.xlsx |
|---|---|
| Full analysis: | https://app.any.run/tasks/cb63f3df-a1c4-4224-bfde-3f6f509e3969 |
| Verdict: | No threats detected |
| Analysis date: | April 23, 2019, 04:19:28 |
| OS: | Windows 10 Professional (build: 16299, 32 bit) |
| Indicators: | |
| MIME: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
| File info: | Microsoft Excel 2007+ |
| MD5: | EFF221B114BCDFCB033B5FFA14232043 |
| SHA1: | 2A5938CC8F5BD311713A85DB3E90B95B795784CA |
| SHA256: | E84F0F70B9E7EC672FEA13713A83C8A268776A127452CF78B668B994F4415030 |
| SSDEEP: | 768:nrUZhyYBvycV9+H+//BFNOuvSOGwxqmtnYMtf686VP0:nrV4tVcHQFnA2YMQTs |
| Extension | Identified format (score) |
|---|---|
| .xlsx | Excel Microsoft Office Open XML Format document (61.2) |
| .zip | Open Packaging Conventions container (31.5) |
| .zip | ZIP compressed archive (7.2) |
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0002 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2019:04:22 15:21:20 |
| ZipCRC: | 0x7782a3b5 |
| ZipCompressedSize: | 425 |
| ZipUncompressedSize: | 2041 |
| ZipFileName: | [Content_Types].xml |
| Creator: | COMPAQ |
|---|---|
| LastModifiedBy: | COMPAQ |
| LastPrinted: | 2017:04:29 14:02:28Z |
| CreateDate: | 2010:02:14 08:32:05Z |
| ModifyDate: | 2018:09:22 03:48:48Z |
| Application: | Microsoft Excel |
| DocSecurity: | None |
| ScaleCrop: | No |
| HeadingPairs: | |
| TitlesOfParts: | |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| AppVersion: | 12 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3572 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\copy.xlsx" | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | | explorer.exe |

| User: | admin |
|---|---|
| Company: | Microsoft Corporation |
| Integrity Level: | MEDIUM |
| Description: | Microsoft Excel |
| Exit code: | 0 |
| Version: | 16.0.11328.20158 |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3572 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling | 1 | 01E009000000001000BE4E402C02000000000000000400000000000000 |
| 3572 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | en-US | 2 |
| 3572 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | en-US | 1 |
| 3572 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems | 'a" | 27612200F40D0000010000000000000046B625D88BF9D40100000000 |
| 3572 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems | 6a" | |
| 3572 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
| 3572 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1 |
| 3572 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1 |
| 3572 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0 |
| 3572 | EXCEL.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} | | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3572 | EXCEL.EXE | C:\Users\admin\Desktop\~$copy.xlsx | — | — | — |
| 3572 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm | — | — | — |
| 3572 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal | — | — | — |
| 3572 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db | sqlite | — | — |
| 3572 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\63500721-95B8-4A59-B1FE-1AD76B0C784E | xml | — | — |
| 3572 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\copy.xlsx.LNK | lnk | — | — |
| 3572 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | — | — |
| 3572 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\aria-debug-3572.log | text | — | — |
| 3572 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml | xml | — | — |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3572 | EXCEL.EXE | GET | 200 | 52.109.32.27:443 | https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.11328&crev=3 | GB | xml | 100 Kb | whitelisted |
| 3572 | EXCEL.EXE | GET | 200 | 52.109.12.20:443 | https://nexusrules.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.11328.20158&ClientId=%7b082078A9-BB8F-421B-9363-C2C17BA0E563%7d&OSEnvironment=10&MsoAppId=1&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.11328.20158& | US | xml | 298 Kb | whitelisted |
| 3572 | EXCEL.EXE | GET | 200 | 13.107.3.128:443 | https://config.edge.skype.com/config/v1/Office/16.0.11328.20158?&Clientid=%7b082078A9-BB8F-421B-9363-C2C17BA0E563%7d&Application=excel&Platform=win32&Version=16.0.11328.20158&MsoVersion=16.0.11328.20156&Audience=Production&Build=ship&Architecture=x86&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7bB1E8AF62-C60E-4ACA-A1DD-6A913D70B5E8%7d&LabMachine=false | US | text | 56.4 Kb | malicious |
| — | — | POST | 200 | 157.55.134.142:443 | https://login.live.com/RST2.srf | US | xml | 9.85 Kb | whitelisted |
| 3572 | EXCEL.EXE | POST | 200 | 52.114.76.37:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | IE | text | 10 b | whitelisted |
| 3572 | EXCEL.EXE | POST | 200 | 52.114.76.37:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | IE | text | 57 b | whitelisted |
| 3572 | EXCEL.EXE | POST | 200 | 52.114.76.37:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | IE | text | 10 b | whitelisted |
| — | — | HEAD | 200 | 2.18.232.120:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | — | — | whitelisted |
| — | — | POST | 200 | 157.55.134.142:443 | https://login.live.com/RST2.srf | US | xml | 9.85 Kb | whitelisted |
| — | — | GET | 200 | 2.18.232.120:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | text | 55 b | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3572 | EXCEL.EXE | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
| — | — | 157.55.134.142:443 | — | Microsoft Corporation | US | whitelisted |
| 3572 | EXCEL.EXE | 52.114.76.37:443 | self.events.data.microsoft.com | Microsoft Corporation | IE | unknown |
| 3572 | EXCEL.EXE | 52.109.32.27:443 | officeclient.microsoft.com | Microsoft Corporation | GB | whitelisted |
| — | — | 2.18.232.120:443 | — | Akamai International B.V. | — | whitelisted |
| 3572 | EXCEL.EXE | 52.109.12.20:443 | nexusrules.officeapps.live.com | Microsoft Corporation | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| nexusrules.officeapps.live.com | | whitelisted |
| config.edge.skype.com | | malicious |
| self.events.data.microsoft.com | | whitelisted |
| officeclient.microsoft.com | | whitelisted |
| Process | Message |
|---|---|
| EXCEL.EXE | 2019-04-23 04:21:21.726 T#1516 <E> [AriaSDK.PAL] PAL is already shutdown! |