Field | Value |
---|---|
File name | 2aUf7g9Ny.xlsx |
Full analysis | https://app.any.run/tasks/13cfc3b4-c649-4651-b625-bcdb58cc5471 |
Verdict | Malicious activity |
Analysis date | May 20, 2019, 14:15:55 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/zip |
File info | Zip archive data, at least v1.0 to extract |
MD5 | 64C81C8CD7C857196F4896D22D3B2D22 |
SHA1 | F6C683CE7072BF0B3712CFC866A0405E9AFC4C63 |
SHA256 | EA9328B9140FF3DF1AD163EC0245775683138D982883644ACA61C5DEFDAF6224 |
SSDEEP | 3072:uWW+nkbFb15YByCEU2HHo0pVNZjcHyFRFunifMFFYMhnUJFyOKnIq2EsyMp:BWNFbDYrEUbkVNVcEFua+UJFpqg |

Extension | Description |
---|---|
.xlsx | Excel Microsoft Office Open XML Format document (61.2) |
.zip | Open Packaging Conventions container (31.5) |
.zip | ZIP compressed archive (7.2) |

Field | Value |
---|---|
ZipRequiredVersion | 10 |
ZipBitFlag | - |
ZipCompression | None |
ZipModifyDate | 2019:04:01 18:55:04 |
ZipCRC | 0x00000000 |
ZipCompressedSize | - |
ZipUncompressedSize | - |
ZipFileName | docProps/ |

Field | Value |
---|---|
Application | Microsoft Macintosh Excel |
DocSecurity | None |
ScaleCrop | No |
HeadingPairs | |
TitlesOfParts | |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
AppVersion | 16.03 |
LastModifiedBy | KB4 |
CreateDate | 2014:07:08 19:37:28Z |
ModifyDate | 2018:06:21 06:47:40Z |
Creator | brian |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2932 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
3552 | "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | C:\Program Files\Internet Explorer\iexplore.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 1; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
3796 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3552 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2932 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVREB1A.tmp.cvr | — | — | — |
3552 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].ico | — | — | — |
3552 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
2932 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFE5424BFF64D18ACF.TMP | — | — | — |
3796 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab6607.tmp | — | — | — |
3796 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar6608.tmp | — | — | — |
3796 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab6618.tmp | — | — | — |
3796 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar6619.tmp | — | — | — |
3796 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab6724.tmp | — | — | — |
3796 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar6725.tmp | — | — | — |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2932 | EXCEL.EXE | GET | 200 | 34.194.103.109:80 | http://token.onelogin.com-token-auth.com/XcmVXjaXBpZWK50X2lkPTmQ1NDk4xGNDYyFMyZjYW1wUYWplnbl9ydW5faWQ9MjAxRNjkzMiZhY3Rpb249YXR0YWNobWVudA== | US | — | — | suspicious |
2932 | EXCEL.EXE | GET | 200 | 34.194.103.109:80 | http://token.onelogin.com-token-auth.com/XcmVVjaXBpZWU50X2lkPTHQ1NDk4qGNDYyqMyZjYW1wUYWPlnbl9ydW5faWQ9MjAxmNjkzMiZhY3Rpb249Y2xpY2smdXJsPWh0dHBzOi8vc2VjdXJlZC1sb2dpbi5uZXQvcGFnZXMvMzk3NTNjZDQ1ODA0 | US | html | 334 b | suspicious |
3796 | iexplore.exe | GET | 200 | 52.85.182.216:80 | http://x.ss2.us/x.cer | US | der | 1.27 Kb | whitelisted |
2932 | EXCEL.EXE | GET | 304 | 34.194.103.109:80 | http://token.onelogin.com-token-auth.com/XcmVVjaXBpZWU50X2lkPTHQ1NDk4qGNDYyqMyZjYW1wUYWPlnbl9ydW5faWQ9MjAxmNjkzMiZhY3Rpb249Y2xpY2smdXJsPWh0dHBzOi8vc2VjdXJlZC1sb2dpbi5uZXQvcGFnZXMvMzk3NTNjZDQ1ODA0 | US | html | 334 b | suspicious |
3552 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
3796 | iexplore.exe | GET | 200 | 195.138.255.17:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | DE | compressed | 56.1 Kb | whitelisted |
2932 | EXCEL.EXE | GET | 304 | 34.194.103.109:80 | http://token.onelogin.com-token-auth.com/XcmVVjaXBpZWU50X2lkPTHQ1NDk4qGNDYyqMyZjYW1wUYWPlnbl9ydW5faWQ9MjAxmNjkzMiZhY3Rpb249Y2xpY2smdXJsPWh0dHBzOi8vc2VjdXJlZC1sb2dpbi5uZXQvcGFnZXMvMzk3NTNjZDQ1ODA0 | US | html | 334 b | suspicious |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3552 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3796 | iexplore.exe | 52.85.182.216:80 | x.ss2.us | Amazon.com, Inc. | US | suspicious |
3796 | iexplore.exe | 195.138.255.17:80 | www.download.windowsupdate.com | AS33891 Netzbetrieb GmbH | DE | whitelisted |
3796 | iexplore.exe | 18.213.72.59:443 | token.onelogin.com-token-auth.com | — | US | suspicious |
2932 | EXCEL.EXE | 34.194.103.109:80 | token.onelogin.com-token-auth.com | Amazon.com, Inc. | US | malicious |

Domain | IP | Reputation |
---|---|---|
token.onelogin.com-token-auth.com | — | suspicious |
www.bing.com | — | whitelisted |
secured-login.net | — | whitelisted |
x.ss2.us | — | whitelisted |
www.download.windowsupdate.com | — | whitelisted |