Windows Analysis Report
KZ429 FEB17 BSRec_InvNet.xlsx

Overview

General Information

Sample Name:	KZ429 FEB17 BSRec_InvNet.xlsx
Analysis ID:	562531
MD5:	31b67f4aa8dccb4ed683563dbc104bd0
SHA1:	ed39326058a73ab569efa22534f79ac9ee9953e7
SHA256:	4137a3675db12038c970e56f94ce7bee7a0d920e2514eabefd9a2b28348fc9eb

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Signatures

There are no high impact signatures.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE0576B3.emf

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDE0E.tmp

Jump to behavior

Source: classification engine

Classification label: clean0.winXLSX@1/5@0/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$KZ429 FEB17 BSRec_InvNet.xlsx

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image5.emf
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing4.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing5.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing6.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image6.png
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/embeddings/oleObject1.bin
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/vmlDrawing2.vml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing3.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image1.png
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image2.emf
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image3.emf
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/vmlDrawing2.vml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing4.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing5.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing6.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet19.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet9.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet15.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet18.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet12.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet18.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet17.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet16.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet15.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet14.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet19.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet5.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet6.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet7.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet8.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet9.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet10.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet11.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet13.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp1.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink5.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink2.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink7.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink6.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink1.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink4.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink3.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink1.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp2.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink7.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink6.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/calcChain.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink2.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink3.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings6.bin
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink4.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings5.bin
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink5.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = docProps/custom.xml

Source: KZ429 FEB17 BSRec_InvNet.xlsx

Static file information: File size 1358015 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: KZ429 FEB17 BSRec_InvNet.xlsx

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
windowsupdate.s.llnwi.net	41.63.96.0	true

ID:	562531
Product:	CloudBasic
Start time:	00:57:54
Start date:	29.01.2022
Sample:	KZ429 FEB17 BSRec_InvNet.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	31b67f4aa8dccb4ed683563dbc104bd0
SHA1:	ed39326058a73ab569efa22534f79ac9ee9953e7
SHA256:	4137a3675db12038c970e56f94ce7bee7a0d920e2514eabefd9a2b28348fc9eb
Filetype:	Excel Microsoft Office Open XML Format document (40004/1) 83.33%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98E6EBE4.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 660x137, frames 3	B5BB6A7EF0B322467A20AB38ABC07B97	47B724835E4C7B3DDB0FA32BE2D00CBFD43BADBC	9CB8D86A1195C6A0C7E2B3FAE92C988BFFB85E24CD245872C543BB3B8295DCBE
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9B0D5918.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	99A4EF14AF0ED7CC47AED67CDF9C1B6F	76CCECCAA04689B49FEFC31E285287A79E3C8114	E8504FF99C633ADA90BC68E60C438D6A725B9EE7DDA5CA867E6D11BD47EB6412
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE0576B3.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	4ACCB58B65F8BF9DB41724A8DFADFD6C	60B13D43FE7B6A371ABCAD15764142685851AED8	C43A9B6A567B16EC1A9EA2A2D2F9A451BB279422CA00D52F4A1F191499036E8F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4851639.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	4195D6D8FBCE413B298166FFDAB9F5C1	3B0AA8B2E29511492ADD852F0BE1EB48AE669EFB	904460518FC5ED57981E4DABCB417DC5DBC7F155C0B76EA20D5F8DC8540F4872
C:\Users\user\Desktop\~$KZ429 FEB17 BSRec_InvNet.xlsx	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185

Windows Analysis Report
KZ429 FEB17 BSRec_InvNet.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report KZ429 FEB17 BSRec_InvNet.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report
KZ429 FEB17 BSRec_InvNet.xlsx