2d480c7b696975ed15cabc3709953ff3368ac88cdfcf66abd1841b1e8adbdceb

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 06:40 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d480c7b696975ed15cabc3709953ff3368ac88cdfcf66abd1841b1e8adbdceb.xls
Size

1.0MB
MD5

8c545dd587fa71f85835f947e6d85b14
SHA1

995f48353255ab855f43fa73cfac360a5e88fedf
SHA256

2d480c7b696975ed15cabc3709953ff3368ac88cdfcf66abd1841b1e8adbdceb
SHA512

1f1dd436b8432f1f6b839eaa260ad724bbc21478680d094fc000af9794e3b0f606c9250c1d94f77c684d89be1d82cd204c5c488ccca703eb9ddb86c178795b6f
SSDEEP

12288:nDMduhqCSBkbYJ3KeJ5ZSbJMo4iW9HA5BuXvKB/FU/9v4RQ3l16WGZHHv7iMnCdn:DMm+sYJ3KaT8IiBO1vIQVoWGVYD

Score

1^/10

Malware Config

Signatures

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DCB86CD4-9C99-4254-9BAA-D0A7D2A1847A}\2.0\0\win32	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\TypeLib	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DCB86CD4-9C99-4254-9BAA-D0A7D2A1847A}\2.0	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\TypeLib\{DCB86CD4-9C99-4254-9BAA-D0A7D2A1847A}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Excel8.0\\MSForms.exd"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\TypeLib\{DCB86CD4-9C99-4254-9BAA-D0A7D2A1847A}\2.0\0\win32	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2080	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2080	EXCEL.EXE
2080	EXCEL.EXE
2080	EXCEL.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2d480c7b696975ed15cabc3709953ff3368ac88cdfcf66abd1841b1e8adbdceb.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2080

Network

DNS

encrypted-tbn2.gstatic.com

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

encrypted-tbn2.gstatic.com

IN A

Response

encrypted-tbn2.gstatic.com

IN A

142.250.187.206
OPTIONS

https://encrypted-tbn2.gstatic.com/

EXCEL.EXE

Remote address:

142.250.187.206:443

Request

OPTIONS / HTTP/1.1
User-Agent: Microsoft Office Protocol Discovery
Host: encrypted-tbn2.gstatic.com
Content-Length: 0
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Cross-Origin-Resource-Policy: cross-origin
Content-Type: image/gif
X-Content-Type-Options: nosniff
Date: Tue, 21 May 2024 06:41:15 GMT
Server: sffe
Content-Length: 43
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
OPTIONS

https://encrypted-tbn2.gstatic.com/

EXCEL.EXE

Remote address:

142.250.187.206:443

Request

OPTIONS / HTTP/1.1
User-Agent: Microsoft Office Protocol Discovery
Host: encrypted-tbn2.gstatic.com
Content-Length: 0
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Cross-Origin-Resource-Policy: cross-origin
Content-Type: image/gif
X-Content-Type-Options: nosniff
Date: Tue, 21 May 2024 06:41:15 GMT
Server: sffe
Content-Length: 43
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://encrypted-tbn2.gstatic.com/images?q=tbn:ANd9GcSLb0hk3pfHl1hfwfL2z6iavRsydEsHMbkjNvHsI6YKBJHsnE8y

EXCEL.EXE

Remote address:

142.250.187.206:443

Request

GET /images?q=tbn:ANd9GcSLb0hk3pfHl1hfwfL2z6iavRsydEsHMbkjNvHsI6YKBJHsnE8y HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; ms-office; MSOffice 14)
Accept-Encoding: gzip, deflate
Host: encrypted-tbn2.gstatic.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Type: image/jpeg
Access-Control-Allow-Origin: *
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/images-tbn
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="images-tbn"
Report-To: {"group":"images-tbn","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/images-tbn"}]}
Content-Length: 13194
Date: Tue, 21 May 2024 06:41:15 GMT
Expires: Wed, 21 May 2025 06:41:15 GMT
Cache-Control: public, max-age=31536000
Last-Modified: Sun, 27 Aug 2017 00:58:54 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

support.content.office.net

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

support.content.office.net

IN A

Response

support.content.office.net

IN CNAME

support.content.office.net.edgekey.net

support.content.office.net.edgekey.net

IN CNAME

e12627.g.akamaiedge.net

e12627.g.akamaiedge.net

IN A

23.38.21.64
OPTIONS

https://support.content.office.net/en-US/media/

EXCEL.EXE

Remote address:

23.38.21.64:443

Request

OPTIONS /en-US/media/ HTTP/1.1
User-Agent: Microsoft Office Protocol Discovery
Host: support.content.office.net
Content-Length: 0
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Content-Length: 293
Content-Type: application/xml
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: bb48ec62-b01e-0048-4a49-ab7857000000
x-ms-version: 2015-02-21
Expires: Tue, 21 May 2024 06:41:27 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Tue, 21 May 2024 06:41:27 GMT
Connection: keep-alive
OPTIONS

https://support.content.office.net/en-US/media/

EXCEL.EXE

Remote address:

23.38.21.64:443

Request

OPTIONS /en-US/media/ HTTP/1.1
User-Agent: Microsoft Office Protocol Discovery
Host: support.content.office.net
Content-Length: 0
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Content-Length: 227
Content-Type: application/xml
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 559e12de-101e-006e-1749-ab3c01000000
Expires: Tue, 21 May 2024 06:41:28 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Tue, 21 May 2024 06:41:28 GMT
Connection: keep-alive
GET

https://support.content.office.net/en-US/media/b292941f-fc16-4817-9f29-7435509028db.jpg

EXCEL.EXE

Remote address:

23.38.21.64:443

Request

GET /en-US/media/b292941f-fc16-4817-9f29-7435509028db.jpg HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; ms-office; MSOffice 14)
Accept-Encoding: gzip, deflate
Host: support.content.office.net
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Cache-Control: public, max-age=86400
Content-Length: 18946
Content-Type: image/jpeg
Content-MD5: NKnIUw6Wh6RttGoP5WFwqQ==
Last-Modified: Tue, 23 Jan 2018 16:39:11 GMT
ETag: 0x8D5627FD5144AF2
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 66f553b6-101e-0041-129f-703d84000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 21 May 2024 06:41:28 GMT
Connection: keep-alive

142.250.187.206:443

https://encrypted-tbn2.gstatic.com/images?q=tbn:ANd9GcSLb0hk3pfHl1hfwfL2z6iavRsydEsHMbkjNvHsI6YKBJHsnE8y

tls, http

EXCEL.EXE

2.0kB
20.4kB
19
25

HTTP Request

OPTIONS https://encrypted-tbn2.gstatic.com/

HTTP Response

404

HTTP Request

OPTIONS https://encrypted-tbn2.gstatic.com/

HTTP Response

404

HTTP Request

GET https://encrypted-tbn2.gstatic.com/images?q=tbn:ANd9GcSLb0hk3pfHl1hfwfL2z6iavRsydEsHMbkjNvHsI6YKBJHsnE8y

HTTP Response

200
23.38.21.64:443

support.content.office.net

tls

EXCEL.EXE

809 B
5.1kB
11
11
23.38.21.64:443

support.content.office.net

tls

EXCEL.EXE

789 B
5.0kB
10
10
23.38.21.64:443

https://support.content.office.net/en-US/media/b292941f-fc16-4817-9f29-7435509028db.jpg

tls, http

EXCEL.EXE

2.1kB
26.7kB
22
31

HTTP Request

OPTIONS https://support.content.office.net/en-US/media/

HTTP Response

400

HTTP Request

OPTIONS https://support.content.office.net/en-US/media/

HTTP Response

400

HTTP Request

GET https://support.content.office.net/en-US/media/b292941f-fc16-4817-9f29-7435509028db.jpg

HTTP Response

200

8.8.8.8:53

encrypted-tbn2.gstatic.com

dns

EXCEL.EXE

72 B
88 B
1
1

DNS Request

encrypted-tbn2.gstatic.com

DNS Response

142.250.187.206
8.8.8.8:53

support.content.office.net

dns

EXCEL.EXE

72 B
171 B
1
1

DNS Request

support.content.office.net

DNS Response

23.38.21.64

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9C367D1D-FCBF-4CA2-843D-B9ED34506AF6}.FSD

Filesize
128KB

MD5
14b06db19b096851e0df4484f254b159

SHA1
d5e9190f247ec79986f63b3722f23efa54c76321

SHA256
f27bf019ab81b3cabf9a789d91fc37943d4ce7be1e49e4a979f41dbf45c5eff9

SHA512
92efcfa86b882bfd36f13b8937a0bfe6b73c438931282ee57ab94a8a02239a56c5671225dc2b0b8a14fcb4bc08965c7d18ed1cf5249389ee46c19bc3ee197e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
0ffa019164e7257c810c1c0c1b810d97

SHA1
c61be119cd65c86c1a7a00a0e5f98aaf720f5bb5

SHA256
6e60adad75fe3bbde074bfcee92cd79db302e860f25cdbf78bcd9648072253c1

SHA512
b2fc12f9b004390a5a335866dcfff9f9aeeaf85dd479755e5347697cd8a3cd550c3c2cacbab8e22ca83dbe7af0456705c4ebd7725454df60e507598c076b1ccd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{769C1BAE-FA5C-4515-97C4-1FEB9AAF108A}.FSD

Filesize
128KB

MD5
0d12b8df2904c551bf80fd6c9a6fc650

SHA1
744badcbd7049a23168662133096d5928e54e23a

SHA256
55e33816aaa1622e92db92612d72391f18a1eff0d1d0c2197b6541efe9f98fec

SHA512
e9c39d276c8f3e6733ec4887710d1294f1a49848a058bd4fe77a502386ca51ec363f336d3fffe375cd368127541013e30a2e638d0a9b634a0697619601e4647a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2E92.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2FB2.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4FD0C279-3DAA-4151-9408-232CC7CB5A13}

Filesize
128KB

MD5
3dbfe3e48deefd281f0e2fddbad5f461

SHA1
734b743f03f15c48f4926466216bf8fe6ff216b7

SHA256
818fbab204d018f3787565f085633e8f405fc9a29ddead84b3ff8735830ee36b

SHA512
7040a2d3ff1bcdff254aa0e822d235d835d872b6a42ea9265b45bb21fa1c106cfee77f1f84d0acca8f39f4d805c52b857ed4cb2c942701ae973afa2af6d1d102

Download Submit
memory/2080-516-0x0000000007D20000-0x0000000007F20000-memory.dmp

Filesize
2.0MB

Download
memory/2080-528-0x0000000007D20000-0x0000000007F20000-memory.dmp

Filesize
2.0MB

Download
memory/2080-513-0x0000000008B00000-0x0000000008C00000-memory.dmp

Filesize
1024KB

Download
memory/2080-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2080-518-0x0000000007D20000-0x0000000007F20000-memory.dmp

Filesize
2.0MB

Download
memory/2080-527-0x0000000007D20000-0x0000000007F20000-memory.dmp

Filesize
2.0MB

Download
memory/2080-529-0x0000000007D20000-0x0000000007F20000-memory.dmp

Filesize
2.0MB

Download
memory/2080-1-0x00000000721BD000-0x00000000721C8000-memory.dmp

Filesize
44KB

Download
memory/2080-523-0x0000000007D20000-0x0000000007F20000-memory.dmp

Filesize
2.0MB

Download
memory/2080-515-0x0000000007D20000-0x0000000007F20000-memory.dmp

Filesize
2.0MB

Download
memory/2080-517-0x0000000007D20000-0x0000000007F20000-memory.dmp

Filesize
2.0MB

Download
memory/2080-530-0x00000000721BD000-0x00000000721C8000-memory.dmp

Filesize
44KB

Download
memory/2080-531-0x0000000007D20000-0x0000000007F20000-memory.dmp

Filesize
2.0MB

Download
memory/2080-532-0x0000000007D20000-0x0000000007F20000-memory.dmp

Filesize
2.0MB

Download
memory/2080-533-0x0000000007D20000-0x0000000007F20000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.