Windows Analysis Report
ACH-6573-15March.xlsx

Overview

General Information

Sample name: ACH-6573-15March.xlsx
Analysis ID: 1411152
MD5: fde60a11d2d5ab4723e863053b434337
SHA1: 7afbbc76fde0162904ad9665863a439de8c7a650
SHA256: afacfa9dddc8e1170e6e30352be71bb8d7484ea9ceec0671aa9877805c456420

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected suspicious Microsoft Office reference URL
Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)
Opens network shares
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries information about the installed CPU (vendor, model number etc)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections

Classification

  • System is w10x64_ra
  • EXCEL.EXE (PID: 5832 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\ACH-6573-15March.xlsx" MD5: 4A871771235598812032C822E6F68F19)
  • cleanup
No yara matches
Source: Network Connection; Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton; Data: DestinationIp: 13.107.213.40, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 5832, Protocol: tcp, SourceIp: 192.168.2.17, SourceIsIpv6: false, SourcePort: 49718
Source: Network Connection; Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.17, DestinationIsIpv6: false, DestinationPort: 49718, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 5832, Protocol: tcp, SourceIp: 13.107.213.40, SourceIsIpv6: false, SourcePort: 443
No Snort rule has matched


Exploits

Source: drawing1.xml.rels; Extracted files from sample: file:///\\147.182.156.154\share\excel_document_open.xlsx.vbs...
Source: unknown; HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49719 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49721 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49720 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 13.107.213.40:443 -> 192.168.2.17:49722 version: TLS 1.2
Source: global traffic; TCP traffic: 192.168.2.17:49718 -> 13.107.213.40:443
Source: global traffic; TCP traffic: 192.168.2.17:49719 -> 13.107.213.40:443
Source: global traffic; TCP traffic: 192.168.2.17:49720 -> 13.107.213.40:443
Source: global traffic; TCP traffic: 192.168.2.17:49721 -> 13.107.213.40:443
Source: global traffic; TCP traffic: 192.168.2.17:49722 -> 13.107.213.40:443
Source: global traffic; TCP traffic: 192.168.2.17:49723 -> 13.107.213.40:443
Source: global traffic; TCP traffic: 192.168.2.17:49724 -> 13.107.213.40:443
Source: global traffic; TCP traffic: 192.168.2.17:49725 -> 13.107.213.40:443
Source: global traffic; TCP traffic: 192.168.2.17:49726 -> 13.107.213.40:443
Source: global traffic; TCP traffic: 192.168.2.17:49727 -> 13.107.213.40:443
Source: global traffic; TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49718
Source: global traffic; TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49719
Source: global traffic; TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49720
Source: global traffic; TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49721
Source: global traffic; TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49722
Source: global traffic; TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49723
Source: global traffic; TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49724
Source: global traffic; TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49725
Source: global traffic; TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49726
Source: global traffic; TCP traffic: 13.107.213.40:443 -> 192.168.2.17:49727
Source: excel.exe; Memory has grown: Private usage: 1MB later: 103MB
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown; Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown; Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49723
Source: classification engine; Classification label: mal52.spyw.expl.evad.winXLSX@1/4@0/61
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\Desktop\~$ACH-6573-15March.xlsx
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{FEB54690-7C4C-4992-964C-DCAE224BF44F} - OProcSessId.dat
Source: ACH-6573-15March.xlsx; OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79eac9d0-baf9-11ce-8c82-00aa004ba90b}\InprocServer32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: ACH-6573-15March.xlsx; Initial sample: OLE zip file path = xl/media/image1.gif
Source: ACH-6573-15March.xlsx; Initial sample: OLE zip file path = xl/media/image2.png
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: ACH-6573-15March.xlsx; Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Stealing of Sensitive Information

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File opened: \\147.182.156.154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs
Mitre Att&ck Matrix (techniques listed per tactic; matched-signature counts in parentheses):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Exploitation for Client Execution (12), Scheduled Task/Job, At, Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
Privilege Escalation: Extra Window Memory Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
Defense Evasion: Masquerading (1), Extra Window Memory Injection (1), Obfuscated Files or Information, Binary Padding
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
Discovery: Network Share Discovery (2), Process Discovery (1), File and Directory Discovery (1), System Information Discovery (11)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
Command and Control: Encrypted Channel (2), Application Layer Protocol (1), Steganography, Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction

No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
part-0012.t-0009.t-msedge.net | 13.107.213.40 | true | false | (none) | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    52.109.56.128 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
    52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
    52.109.8.36 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
    13.107.213.40 | part-0012.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
    52.182.143.213 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
    23.51.58.94 | unknown | United States | 4788 | TMNET-AS-APTMNetInternetServiceProviderMY | false
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1411152
    Start date and time:2024-03-18 17:02:36 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsinteractivecookbook.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:18
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    Analysis Mode:stream
    Analysis stop reason:Timeout
    Sample name:ACH-6573-15March.xlsx
    Detection:MAL
    Classification:mal52.spyw.expl.evad.winXLSX@1/4@0/61
    Cookbook Comments:
    • Found application associated with file extension: .xlsx
    • Exclude process from analysis (whitelisted): dllhost.exe
    • Excluded IPs from analysis (whitelisted): 52.109.56.128
    • Excluded domains from analysis (whitelisted): config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, officeclient.microsoft.com, inc-azsc-config.officeapps.live.com, asia.configsvc1.live.com.akadns.net
    • Not all processes were analyzed; the report is missing behavior information
    • Report size getting too big, too many NtCreateKey calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • VT rate limit hit for: ACH-6573-15March.xlsx
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
    File Type:GIF image data, version 89a, 1400 x 670
    Category:dropped
    Size (bytes):32479
    Entropy (8bit):7.978277383272288
    Encrypted:false
    SSDEEP:
    MD5:B773548C7FA1854304AE080971947E1C
    SHA1:B5E01F7DAE4528CB94FD1841BC5535944E7CC470
    SHA-256:5176578CB0C3B1F3C0BFD9B631FAEE74B23D042BE2C46AEEC604E2598E830CD0
    SHA-512:73F3C1AAFBC525DA7CC5067855CC323DA80D606216BB61FA3A2299CDC9330760C6FF4E1DE9D439B9762940202E47DAD695ED6BC361DD38CE0B92FF7C50A709D1
    Malicious:false
    Reputation:unknown
    Preview:GIF89ax..............=.......xS..i.........~..~..}..|..{..z..s..i..f..e..\..Y..U..e..d..c..b..a.._..`..`..^..Y..W.]6..i..`.~G.s@.b8.Z2.Y2.P...I..H.^2.\1.\2.Z1.Y1.X0.N*.............E..G..F..D..D.j8.j7.a3.T,.Q+.L(.J&.H%.H&.E$..K.......D..B..@..C..B..A..?..>.y=.m5.E#.B!.@ .>...U@.oL.x_..f..m..v....................................I..A..?..=..<.~<.~;.}:.{:.y:.y8.u7.\+.4..1..'...>..?..@..B..E..H..M).\4.eW..~............<..;.}7.|9.z7.z8.x7.w6.v5.u4.s3.r4.q2.o3.m2.m1.,..".....|?........;.z4.x4.t2.p1.o0.n..m/.l-.k-.T#.H..}:&.Q.x1.u/.o,.i+.f*.>..;.B.cX.s....r,k..}............p&............k".g........b..\..P........................................................................................................................}}}zzzwwwkkkfff[[[XXXTTTIIIBBB>>>&&&$$$......!.......,....x..........H......*\....#J.H....3j.... C..I...(S.\...0c.I.fE.6s.....@...J...H.*]...P.J.J...X.j....`..K...h.]...p..K...x..........L.....+^....#K.L....3k.....C..M....S.^....
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
    File Type:PNG image data, 300 x 153, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):7177
    Entropy (8bit):7.932768962029169
    Encrypted:false
    SSDEEP:
    MD5:7AE6C09CD9888576D5765E64E745D91B
    SHA1:59904FA9CEC2A7A9B97AF64861637E0BCD27A7E6
    SHA-256:B74C5D9802C54DF1CBAB193BF469850BABFA8740879F82B9ACE43B274D171AF0
    SHA-512:D148A102B388C0D11BCC051F51F235C729AD322F5AE180DA62F19CB3AE8D501D31100F2C5D5FAACE331C64E8FBB20EB43369E46EDB8693EE579D7B294B1341E7
    Malicious:false
    Reputation:unknown
    Preview:.PNG........IHDR...,.................pHYs.................IDATx...pV..?o.......c.- ,..IJZ......H\W..T.-X...dv...nZ.qhKt...U..E......G..JZ5P.p-m..D..F.$..qs...s..}..&o..3s......{.....<.9...q.M..$...+.... .M.w5^Y.v.Z...#.2AH?..B.E,%..R.D..!s.,......+.H... .}.....7.1".JZ.|.J-.}.k....!..D.}W.r..].I.WR.e.+.R..s?...?. ....=."HqM...NF......J.>..e%.. ..6.J....5.S*\... V.P.V.n..7..vN..h.YN.cU.t{.p...P...+.P.s....A..lB....v.9.Z_(..,X.X..UAr7.y.z[.. ...HAO.......,Z...G..b..S.r....m..z..+.B.$V]2.......].t".=..3X.. ..+X...k-.... ...?..R`.p)...S.@.,A.].t....G.............`...7..... .hY.+@7...x...K.Nu..i..........5L..>C.p.....x.....?.....cu....6....s.S.t./.c.h....`W.(...ZX.......Xu...>.+@.... d.o...?.W..U.\.q.....Z[&.K..a....I.....e..........Y...|..+A.o\...6.K..+..........x6U'l.OV....+....7....+.O.K....(...A...U...o.K..|....r.U..=.v.{...+.s...].Jq.jL....!..).M.m..#Z...X.....5...s.=...`@....XuI1....LA..._...n..At]A.5.z.,pt.....N.......E.v.U..R...A.... ^Y....@.|Z&_
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):16384
    Entropy (8bit):0.5248092504851318
    Encrypted:false
    SSDEEP:
    MD5:BDF96FDF55A032DDD595190F12D7FB81
    SHA1:DEDAAB72836AC5D245086BE6C1E57B0980A3E3E5
    SHA-256:A8598C4535C6A1F85D1E547028E91A2CC007FB0192625FE47D85115BAF95D4C8
    SHA-512:6B856F28794018B8BE9562705E67C1412F7C5D09C1784DC9A8BF6F8CAA26EC83200108C7E849F11DAAB17027164F5CBA5B498D61AB5C4D1300BCFF8ABC9BDF72
    Malicious:false
    Reputation:unknown
    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):165
    Entropy (8bit):1.4988604911361962
    Encrypted:false
    SSDEEP:
    MD5:34863D0C5EDC5217BFE8F28000149692
    SHA1:B997A6CB01178B27D14131F0B3C99068378F2959
    SHA-256:AA5DEED2AFD386A6CE02460403D856BAD3C6E0969C73294FE33A76B2B1F60B4D
    SHA-512:74A541E58F69DCA407BF95CC9141D93968DB858F680B4A4CD1ECF96C4B4DF6E44A2912F2A364B423E464078739CA616815C2FCE69479B102856989F71B364BB1
    Malicious:false
    Reputation:unknown
    Preview:.user ..t.o.r.r.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    File type:Microsoft Excel 2007+
    Entropy (8bit):7.860351025490348
    TrID:
    • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
    • ZIP compressed archive (8000/1) 16.67%
    File name:ACH-6573-15March.xlsx
    File size:49'374 bytes
    MD5:fde60a11d2d5ab4723e863053b434337
    SHA1:7afbbc76fde0162904ad9665863a439de8c7a650
    SHA256:afacfa9dddc8e1170e6e30352be71bb8d7484ea9ceec0671aa9877805c456420
    SHA512:234c6149eba890e22da7ef1d46a38f83cd2aab274cfe22d3e2d332e58dd6a85c52066c6af2fb866d49abd5d24a0208fa01685a6bd1c2bf7beb45f7952714c05b
    SSDEEP:768:ZFlppbq6i4Y/TJC4xJMxXcvFLwAPq4Sxv9PvEgzegYN1T/f:tLq94YV7JMxXyd4x+gzexTn
    TLSH:E623F13AE3292940C8F4983C126D1793B985149C8743FA772AC9791D5186EFB33AFD8D
    File Content Preview:PK..........!.\.f.r...........[Content_Types].xml ...(.........................................................................................................................................................................................................
    Icon Hash:35e58a8c0c8a85b9
    Document Type:OpenXML
    Number of OLE Files:1
    Has Summary Info:
    Application Name:
    Encrypted Document:False
    Contains Word Document Stream:False
    Contains Workbook/Book Stream:True
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:False
    Flash Objects Count:0
    Contains VBA Macros:False