Windows
Analysis Report
Riko Ekos d.o.o. RFQ #PO51842018.xlsx
Overview
General Information
Detection
Score: | 64 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w11x64_office
EXCEL.EXE (PID: 7936 cmdline:
"C:\Progra m Files\Mi crosoft Of fice\Root\ Office16\E XCEL.EXE" /automatio n -Embeddi ng MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77) splwow64.exe (PID: 7476 cmdline:
C:\Windows \splwow64. exe 12288 MD5: AF4A7EBF6114EE9E6FBCC910EC3C96E6)
appidpolicyconverter.exe (PID: 1376 cmdline:
"C:\Window s\system32 \appidpoli cyconverte r.exe" MD5: 6567D9CF2545FAAC60974D9D682700D4) conhost.exe (PID: 4812 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 9698384842DA735D80D278A427A229AB)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
INDICATOR_XML_LegacyDrawing_AutoLoad_Document | detects AutoLoad documents using LegacyDrawing | ditekSHen |
|
System Summary |
---|
Source: | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: |
Source: | Author: X__Junior (Nextron Systems): |
- • AV Detection
- • Compliance
- • Software Vulnerabilities
- • Networking
- • System Summary
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Directory created: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | DNS query: |
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
System Summary |
---|
Source: | Matched rule: |
Source: | Matched rule: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | OLE indicator, Workbook stream: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Window detected: |
Source: | Key opened: | Jump to behavior |
Source: | Directory created: | Jump to behavior |
Source: | Static file information: |
Source: | File opened: | Jump to behavior |
Source: | Initial sample: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Window / User API: | Jump to behavior |
Source: | Last function: | ||
Source: | Last function: |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Process information queried: | Jump to behavior |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Exploitation for Client Execution | 1 DLL Side-Loading | 1 Process Injection | 3 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 2 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
62% | Virustotal | Browse | ||
72% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882 | ||
100% | Avira | EXP/CVE-2017-11882.Gen |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
s-part-0012.t-0009.t-msedge.net | 13.107.246.40 | true | false | high | |
bg.microsoft.map.fastly.net | 151.101.46.172 | true | false | high | |
a726.dscd.akamai.net | 23.209.72.170 | true | false | high | |
s-0005.dual-s-msedge.net | 52.123.129.14 | true | false | high | |
otelrules.svc.static.microsoft | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
13.107.246.40 | s-part-0012.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1651032 |
Start date and time: | 2025-03-28 11:27:44 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 15s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09 |
Run name: | Potential for more IOCs and behavior |
Number of analysed new started processes analysed: | 20 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Riko Ekos d.o.o. RFQ #PO51842018.xlsx |
Detection: | MAL |
Classification: | mal64.winXLSX@5/6@1/1 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, d llhost.exe, sppsvc.exe, SIHCli ent.exe, conhost.exe, appidcer tstorecheck.exe, svchost.exe - Excluded IPs from analysis (wh
itelisted): 52.109.0.91, 52.10 9.8.36, 52.111.227.28, 151.101 .46.172, 20.42.72.131, 52.123. 129.14, 23.209.72.170, 20.190. 151.132, 4.175.87.197, 23.204. 23.20 - Excluded domains from analysis
(whitelisted): us1.odcsm1.liv e.com.akadns.net, odc.officeap ps.live.com, slscr.update.micr osoft.com, res-1.cdn.office.ne t, mobile.events.data.microsof t.com, roaming.officeapps.live .com, osiprod-cus-buff-azsc-00 0.centralus.cloudapp.azure.com , dual-s-0005-office.config.sk ype.com, login.live.com, wus-a zsc-config.officeapps.live.com , officeclient.microsoft.com, c.pki.goog, osiprod-cus-bronze -azsc-000.centralus.cloudapp.a zure.com, wu-b-net.trafficmana ger.net, assets.msn.com, ecs.o ffice.com, fs.microsoft.com, c tldl.windowsupdate.com.deliver y.microsoft.com, prod.configsv c1.live.com.akadns.net, ctldl. windowsupdate.com, prod.roamin g1.live.com.akadns.net, cus-az sc-000.odc.officeapps.live.com , res-stls-prod.edgesuite.net, cus-azsc-000.roaming.officeap ps.live.com, fe3cr.delivery.mp .microsoft.com, us1.roaming1.l ive.com.akadns.net, res-prod.t rafficmanager.net, config.offi ceapps.live.com, us.configsvc1 .live.com.akadns.net, onedscol prdeus00.eastus.cloudapp.azure .com, ecs.office.trafficmanage r.ne - Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtCreateKey calls foun d. - Report size getting too big, t
oo many NtQueryValueKey calls found. - Report size getting too big, t
oo many NtReadVirtualMemory ca lls found. - Report size getting too big, t
oo many NtSetValueKey calls fo und.
Time | Type | Description |
---|---|---|
06:29:49 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
13.107.246.40 | Get hash | malicious | HTMLPhisher | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
s-0005.dual-s-msedge.net | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
a726.dscd.akamai.net | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Invisible JS, Tycoon2FA | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
bg.microsoft.map.fastly.net | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
Get hash | malicious | AsyncRAT, DcRat | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | ScreenConnect Tool | Browse |
| ||
Get hash | malicious | ScreenConnect Tool | Browse |
| ||
Get hash | malicious | Orcus | Browse |
| ||
s-part-0012.t-0009.t-msedge.net | Get hash | malicious | HTMLPhisher | Browse |
| |
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | CAPTCHA Scam ClickFix | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
MICROSOFT-CORP-MSN-AS-BLOCKUS | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
258a5a1e95b8a911872bae9081526644 | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 118 |
Entropy (8bit): | 3.5700810731231707 |
Encrypted: | false |
SSDEEP: | 3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq |
MD5: | 573220372DA4ED487441611079B623CD |
SHA1: | 8F9D967AC6EF34640F1F0845214FBC6994C0CB80 |
SHA-256: | BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D |
SHA-512: | F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 8.112143835430977E-5 |
Encrypted: | false |
SSDEEP: | 3:Tuekk9NJtHFfs1XsExe/t:qeVJ8 |
MD5: | AFDEAC461EEC32D754D8E6017E845D21 |
SHA1: | 5D0874C19B70638A0737696AEEE55BFCC80D7ED8 |
SHA-256: | 3A96B02F6A09F6A6FAC2A44A5842FF9AEB17EB4D633E48ABF6ADDF6FB447C7E2 |
SHA-512: | CAB6B8F9FFDBD80210F42219BAC8F1124D6C0B6995C5128995F7F48CED8EF0F2159EA06A2CD09B1FDCD409719F94A7DB437C708D3B1FDA01FDC80141A4595FC7 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | 8F4E33F3DC3E414FF94E5FB6905CBA8C |
SHA1: | 9674344C90C2F0646F0B78026E127C9B86E3AD77 |
SHA-256: | CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC |
SHA-512: | 7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.20883754476343325 |
Encrypted: | false |
SSDEEP: | 1536:46k5AHWfOKmhYciDfywbOfoqLjNXCF5SZmTuGMYZWr/Pd8N3fTz1SbEtKwJl5Gux:pIAsqXiDCfoqKJS05pWAAxBCgA |
MD5: | 2DBC8D3AA65952767A11927E039F3927 |
SHA1: | 3A19DF43F609C70550A7B235DC0117710820E01D |
SHA-256: | 2D2762A4D3A611DADECBF2C6EC086CE57F0611F4FA0AD7807E9687A27890C0DC |
SHA-512: | 704EE1080E8C12B3CE85791D977BC6C310C36B0E9AC6E8B0C6AABA27DC817F938C1780EAE8F1B7BB274AB9B73468D89A93E243CE7287271B54C6476B48D6137C |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | 8F4E33F3DC3E414FF94E5FB6905CBA8C |
SHA1: | 9674344C90C2F0646F0B78026E127C9B86E3AD77 |
SHA-256: | CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC |
SHA-512: | 7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | |
MD5: | 359140EB88A757E2BBEF2F7D32DCC4E5 |
SHA1: | FD16035441ADF907BBFC594A96470C202E265067 |
SHA-256: | 42CDE461F058A0C6F6C5A69BD1D21114CD55929011C77BCB9A025B9CA43ED71F |
SHA-512: | 9ADF6AC24E55AA161D2FFA1AC3BBBF03A7028DEFD8E1722FA52CAF7C730F7CF8AAE2073A50FD8AA004AF46E9A578A3B8088DD89415368E64E1916367CE126741 |
Malicious: | true |
Preview: |
File type: | |
Entropy (8bit): | 7.998371707667736 |
TrID: |
|
File name: | Riko Ekos d.o.o. RFQ #PO51842018.xlsx |
File size: | 1'103'568 bytes |
MD5: | 2c265f3f5136de58896ec5bd9d814a5d |
SHA1: | 5930e285662ab9b3ae5228acb16802a9c1eb1bdd |
SHA256: | b6daa340200ee967ef4a7c2a2378014c978aa553ca4d6aa5cb6317ed049378b7 |
SHA512: | d2dd2208ee985527d29c101d6328c139d6cde1f847f18b4cb66c4631e510a9a9c114ea66c2aec543adf0b7c3e886bf4959eb4d7eede4c0079cbbfa8e05463cac |
SSDEEP: | 24576:R66CVMUqOytEFmXT0X7JvyTih0SinIEC7sKZA1r1r1si:lCVMxOytEFsTAJvyuaSECwwA1hr1si |
TLSH: | 623533C5E9BBB0B5CC0F823040E715754BBF6A6D43B13E92DF786848E67B99E8053258 |
File Content Preview: | PK.........YzZ.9......f.......[Content_Types].xmlUT......g...g...g.UKK.1.....%W..U..n{...A....d...&!.k...l.......lX..1..1..j.-!D.l..y.e`.S.....t..dYDa.0.B....xt|4|Z{...m,X...8...Z..y.43s..H.a....1.~.._p.,...&.6......d."...I...Gb..w....&.`.....h)....U?T{n6 |
Icon Hash: | 35e58a8c0c8a85b9 |
Document Type: | OpenXML |
Number of OLE Files: | 1 |
Has Summary Info: | |
Application Name: | |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | False |
Author: | |
Last Saved By: | |
Create Time: | 2022-11-18T02:05:27Z |
Last Saved Time: | 2022-11-18T02:07:12Z |
Creating Application: | |
Security: | 0 |
Thumbnail Scaling Desired: | false |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 12.0000 |
General | |
Stream Path: | \x1ole10nAtIVe |
CLSID: | |
File Type: | data |
Stream Size: | 1316230 |
Entropy: | 7.120941598223329 |
Base64 Encoded: | True |
Data ASCII: | < . . Z " / . . . . 7 S . . . . } w 3 w l ; R . . 7 G - 0 G + . E . \\ 7 " . h W . } . p S O . 9 . ^ + [ b ^ q . . a = O _ n S " . . \\ . o . a . H % | ? . \\ . . H . O ) . : . ` i 7 { Y ? . S c h . [ ) 6 x x . ] . s ` R / 9 - : $ . 9 . K . . . { . . . 6 . . P . : . L . . . V . g B W . L ( Z x q % 3 z E . 8 O . k . . w } X t l c 0 . . c . . - q s . q . 0 . ] . | . > g E P . . . " _ x A . ) . K v H R B . + B W . l . V 4 . . . 4 t j ` 6 m G = . _ u . . T z 4 x n + \\ . . * . . . . . G . C a . . Z ' K X ] u V . |
Data Raw: | fa f2 3c 01 02 5a 22 2f 06 e0 01 08 af c5 be f1 37 53 f7 81 f6 cd 8a 16 f7 8b 06 8b 10 bb 7d f0 77 93 81 c3 33 77 ce 6c 8b 3b 52 ff d7 05 af 1d 37 47 2d 95 f3 30 47 ff e0 2b c9 0d 45 00 5c 37 22 b6 19 ff e2 68 57 c7 f3 a4 1a 7d 1a be c3 c1 70 dd e2 53 4f bd 2e e9 39 b1 f5 da 88 5e 2b 5b 62 bb 5e d6 71 de 09 a8 99 09 61 3d 9e fa 4f 5f 6e ba 53 22 8b 0d 07 cc 20 5c d6 aa 83 6f e2 a7 |
General | |
Stream Path: | QFsLkMXbXUscZMY3 |
CLSID: | |
File Type: | empty |
Stream Size: | 0 |
Entropy: | 0.0 |
Base64 Encoded: | False |
Data ASCII: | |
Data Raw: |
Download Network PCAP: filtered – full
- Total Packets: 20
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 28, 2025 11:29:55.922677994 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:55.922714949 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:55.922800064 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:55.922821999 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:55.922858000 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:55.922908068 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:55.923894882 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:55.923918962 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:55.924446106 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:55.924463987 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.203963995 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.204058886 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:56.204153061 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.204216003 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:56.216430902 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:56.216448069 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.217464924 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.232717037 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:56.233947992 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:56.233963013 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.234934092 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.235690117 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:56.276278973 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.280276060 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.372895956 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.372981071 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.373233080 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.373243093 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:56.373297930 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:56.374265909 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:56.374278069 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.374289036 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:56.374294996 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.491883039 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.492425919 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.492500067 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:56.492553949 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:56.492573023 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25 |
Mar 28, 2025 11:29:56.492587090 CET | 49699 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 28, 2025 11:29:56.492598057 CET | 443 | 49699 | 13.107.246.40 | 192.168.2.25 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 28, 2025 11:29:20.711349964 CET | 53 | 64246 | 162.159.36.2 | 192.168.2.25 |
Mar 28, 2025 11:29:55.464842081 CET | 54531 | 53 | 192.168.2.25 | 1.1.1.1 |
Mar 28, 2025 11:29:55.549851894 CET | 53 | 54531 | 1.1.1.1 | 192.168.2.25 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 28, 2025 11:29:55.464842081 CET | 192.168.2.25 | 1.1.1.1 | 0x3ba6 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 28, 2025 11:28:50.729454041 CET | 1.1.1.1 | 192.168.2.25 | 0x1306 | No error (0) | s-0005.dual-s-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Mar 28, 2025 11:28:50.729454041 CET | 1.1.1.1 | 192.168.2.25 | 0x1306 | No error (0) | 52.123.129.14 | A (IP address) | IN (0x0001) | false | ||
Mar 28, 2025 11:28:50.729454041 CET | 1.1.1.1 | 192.168.2.25 | 0x1306 | No error (0) | 52.123.128.14 | A (IP address) | IN (0x0001) | false | ||
Mar 28, 2025 11:28:51.383227110 CET | 1.1.1.1 | 192.168.2.25 | 0x7159 | No error (0) | a726.dscd.akamai.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Mar 28, 2025 11:28:51.383227110 CET | 1.1.1.1 | 192.168.2.25 | 0x7159 | No error (0) | 23.209.72.170 | A (IP address) | IN (0x0001) | false | ||
Mar 28, 2025 11:28:51.383227110 CET | 1.1.1.1 | 192.168.2.25 | 0x7159 | No error (0) | 23.209.72.172 | A (IP address) | IN (0x0001) | false | ||
Mar 28, 2025 11:28:51.482228041 CET | 1.1.1.1 | 192.168.2.25 | 0x8bac | No error (0) | 151.101.46.172 | A (IP address) | IN (0x0001) | false | ||
Mar 28, 2025 11:29:55.549851894 CET | 1.1.1.1 | 192.168.2.25 | 0x3ba6 | No error (0) | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Mar 28, 2025 11:29:55.549851894 CET | 1.1.1.1 | 192.168.2.25 | 0x3ba6 | No error (0) | star-azurefd-prod.trafficmanager.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Mar 28, 2025 11:29:55.549851894 CET | 1.1.1.1 | 192.168.2.25 | 0x3ba6 | No error (0) | shed.dual-low.s-part-0012.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Mar 28, 2025 11:29:55.549851894 CET | 1.1.1.1 | 192.168.2.25 | 0x3ba6 | No error (0) | s-part-0012.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Mar 28, 2025 11:29:55.549851894 CET | 1.1.1.1 | 192.168.2.25 | 0x3ba6 | No error (0) | 13.107.246.40 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.25 | 49699 | 13.107.246.40 | 443 | 7936 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-28 10:29:56 UTC | 214 | OUT | |
2025-03-28 10:29:56 UTC | 498 | IN | |
2025-03-28 10:29:56 UTC | 461 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.25 | 49698 | 13.107.246.40 | 443 | 7936 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-28 10:29:56 UTC | 215 | OUT | |
2025-03-28 10:29:56 UTC | 515 | IN | |
2025-03-28 10:29:56 UTC | 2781 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 06:28:45 |
Start date: | 28/03/2025 |
Path: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6f8cf0000 |
File size: | 70'082'712 bytes |
MD5 hash: | F9F7B6C42211B06E7AC3E4B60AA8FB77 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |
Target ID: | 6 |
Start time: | 06:28:57 |
Start date: | 28/03/2025 |
Path: | C:\Windows\System32\appidpolicyconverter.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff73ab40000 |
File size: | 155'648 bytes |
MD5 hash: | 6567D9CF2545FAAC60974D9D682700D4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 7 |
Start time: | 06:28:57 |
Start date: | 28/03/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff729690000 |
File size: | 1'040'384 bytes |
MD5 hash: | 9698384842DA735D80D278A427A229AB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 12 |
Start time: | 06:29:49 |
Start date: | 28/03/2025 |
Path: | C:\Windows\splwow64.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7a4610000 |
File size: | 192'512 bytes |
MD5 hash: | AF4A7EBF6114EE9E6FBCC910EC3C96E6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |