Windows Analysis Report
ACH-6573-15March.xlsx

Overview

General Information

Sample name:	ACH-6573-15March.xlsx
Analysis ID:	1411152
MD5:	fde60a11d2d5ab4723e863053b434337
SHA1:	7afbbc76fde0162904ad9665863a439de8c7a650
SHA256:	afacfa9dddc8e1170e6e30352be71bb8d7484ea9ceec0671aa9877805c456420
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected suspicious Microsoft Office reference URL

Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)

Opens network shares

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries information about the installed CPU (vendor, model number etc)

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Classification

Signatures

Exploits

Detected suspicious Microsoft Office reference URL

Source: drawing1.xml.rels

Extracted files from sample: file:///\\147.182.156.154\share\excel_document_open.xlsx.vbs...

Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49722 version: TLS 1.2

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727

Source: excel.exe

Memory has grown: Private usage: 1MB later: 103MB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49722 version: TLS 1.2

Source: classification engine

Classification label: mal52.spyw.expl.evad.winXLSX@1/4@0/61

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\Desktop\~$ACH-6573-15March.xlsx

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{FEB54690-7C4C-4992-964C-DCAE224BF44F} - OProcSessId.dat

Source: ACH-6573-15March.xlsx

OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79eac9d0-baf9-11ce-8c82-00aa004ba90b}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: ACH-6573-15March.xlsx	Initial sample: OLE zip file path = xl/media/image1.gif
Source: ACH-6573-15March.xlsx	Initial sample: OLE zip file path = xl/media/image2.png

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: ACH-6573-15March.xlsx

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Stealing of Sensitive Information

Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File opened: \\147.182.156.154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File opened: \\147.182.156.154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File opened: \\147.182.156.154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs

Opens network shares

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File opened: \\147.182.156.154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File opened: \\147.182.156.154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File opened: \\147.182.156.154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.109.56.128	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.113.194.132	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.8.36	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.213.40	part-0012.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.182.143.213	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.51.58.94	unknown	United States	4788	TMNET-AS-APTMNetInternetServiceProviderMY	false

Contacted Domains

Name	IP	Active
part-0012.t-0009.t-msedge.net	13.107.213.40	true

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\619E9856.gif	GIF image data, version 89a, 1400 x 670	B773548C7FA1854304AE080971947E1C	B5E01F7DAE4528CB94FD1841BC5535944E7CC470	5176578CB0C3B1F3C0BFD9B631FAEE74B23D042BE2C46AEEC604E2598E830CD0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\626005F.png	PNG image data, 300 x 153, 8-bit/color RGBA, non-interlaced	7AE6C09CD9888576D5765E64E745D91B	59904FA9CEC2A7A9B97AF64861637E0BCD27A7E6	B74C5D9802C54DF1CBAB193BF469850BABFA8740879F82B9ACE43B274D171AF0
C:\Users\user\AppData\Local\Temp\~DF645802A6CB8EDC27.TMP	Composite Document File V2 Document, Cannot read section info	BDF96FDF55A032DDD595190F12D7FB81	DEDAAB72836AC5D245086BE6C1E57B0980A3E3E5	A8598C4535C6A1F85D1E547028E91A2CC007FB0192625FE47D85115BAF95D4C8
C:\Users\user\Desktop\~$ACH-6573-15March.xlsx	data	34863D0C5EDC5217BFE8F28000149692	B997A6CB01178B27D14131F0B3C99068378F2959	AA5DEED2AFD386A6CE02460403D856BAD3C6E0969C73294FE33A76B2B1F60B4D

Exploits

Detected suspicious Microsoft Office reference URL

Source: drawing1.xml.rels

Extracted files from sample: file:///\\147.182.156.154\share\excel_document_open.xlsx.vbs...

Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49722 version: TLS 1.2

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: global traffic	TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic	TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727

Source: excel.exe

Memory has grown: Private usage: 1MB later: 103MB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49722 version: TLS 1.2

Source: classification engine

Classification label: mal52.spyw.expl.evad.winXLSX@1/4@0/61

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\Desktop\~$ACH-6573-15March.xlsx

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{FEB54690-7C4C-4992-964C-DCAE224BF44F} - OProcSessId.dat

Source: ACH-6573-15March.xlsx

OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79eac9d0-baf9-11ce-8c82-00aa004ba90b}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: ACH-6573-15March.xlsx	Initial sample: OLE zip file path = xl/media/image1.gif
Source: ACH-6573-15March.xlsx	Initial sample: OLE zip file path = xl/media/image2.png

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: ACH-6573-15March.xlsx

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Stealing of Sensitive Information

Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File opened: \\147.182.156.154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File opened: \\147.182.156.154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File opened: \\147.182.156.154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs

Opens network shares

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File opened: \\147.182.156.154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File opened: \\147.182.156.154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	File opened: \\147.182.156.154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs

ID:	1411152
Product:	CloudBasic
Start time:	17:02:36
Start date:	18.03.2024
Sample:	ACH-6573-15March.xlsx
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	fde60a11d2d5ab4723e863053b434337
SHA1:	7afbbc76fde0162904ad9665863a439de8c7a650
SHA256:	afacfa9dddc8e1170e6e30352be71bb8d7484ea9ceec0671aa9877805c456420
Filetype:	Excel Microsoft Office Open XML Format document (40004/1) 83.33%

Windows Analysis Report
ACH-6573-15March.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report ACH-6573-15March.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
ACH-6573-15March.xlsx