Windows Analysis Report
RU419 FEB17 BSRec_InvNet.xlsx

Overview

General Information

Sample Name:	RU419 FEB17 BSRec_InvNet.xlsx
Analysis ID:	562532
MD5:	bb2bdf2659b515eee1f56c0382847fd7
SHA1:	72405dd23abe1d3f97b75e3eb50bcecbf51669f8
SHA256:	a36ec67f835cb7968270d43f151df7b0b3cbd501b5eeb4688b8676758deadb0e

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Signatures

There are no high impact signatures.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\923BA48A.emf

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR2480.tmp

Jump to behavior

Source: classification engine

Classification label: clean0.winXLSX@1/9@0/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$RU419 FEB17 BSRec_InvNet.xlsx

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/embeddings/oleObject4.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing4.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/embeddings/oleObject3.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing3.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/vmlDrawing2.vml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/embeddings/oleObject1.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/embeddings/oleObject2.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing5.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing6.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image10.png
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/vmlDrawing2.vml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing4.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing5.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing6.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet19.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet15.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet9.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet4.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image5.emf
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet13.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet19.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet18.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet17.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet16.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet15.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet14.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet11.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet10.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet9.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet5.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image3.emf
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image2.emf
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet6.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image1.png
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet7.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet8.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet12.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink1.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink2.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink7.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink6.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink5.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink4.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink3.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink1.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink2.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink7.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp1.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp2.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink6.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings5.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/calcChain.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink3.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink4.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings6.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink5.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = docProps/custom.xml

Source: RU419 FEB17 BSRec_InvNet.xlsx

Static file information: File size 4768919 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: RU419 FEB17 BSRec_InvNet.xlsx

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	562532
Product:	CloudBasic
Start time:	01:08:09
Start date:	29.01.2022
Sample:	RU419 FEB17 BSRec_InvNet.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	bb2bdf2659b515eee1f56c0382847fd7
SHA1:	72405dd23abe1d3f97b75e3eb50bcecbf51669f8
SHA256:	a36ec67f835cb7968270d43f151df7b0b3cbd501b5eeb4688b8676758deadb0e
Filetype:	Excel Microsoft Office Open XML Format document (40004/1) 83.33%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2BCACAFF.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	914B8A0FCDE8E024E1614BC59CF4CEF0	121F6CF39B1341AA8AF2EDC312DCAA3B58701A80	FB25589D52AC2015251A56299D5DBF0A164B8CB78086F76BCE990DC717838804
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42105703.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	FA14D04AC7BE94D9470D68B5B05326B9	4C15B8938037773793BC22A9008B83935419D8E0	CEE5C6209A2D15A2E6EA6DE993B547C375E5716A90D472B55789E4553A212FD1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CCA9D28.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	E630F750E3440205E6695E75AE1179EB	78DA9D8DF55169C1072618BB97DE5C56517E1329	E1AAD6F483DEDF11E1156DF09545495BA928CFCF93140B40850420940E6EF11A
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B2AE0BB.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 660x137, frames 3	B5BB6A7EF0B322467A20AB38ABC07B97	47B724835E4C7B3DDB0FA32BE2D00CBFD43BADBC	9CB8D86A1195C6A0C7E2B3FAE92C988BFFB85E24CD245872C543BB3B8295DCBE
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\923BA48A.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	10CC58B3B22AD2D5A9BE889181790552	75D40D411B3A3D288E735A4C628DA44C4C39FA3C	4A2DDC7AE24E1F9277476B6ACD369F53D0250FC329C9BD3B93B6AE64A17B15F5
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B158576.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	2A31FF37D8F06AB63C08A874B00F78A5	A216FB97942EE30E82D13F8D308F3D34FB0A3451	9E941032F88F698814AEC1D444A3541591928A804CCDE5769F535C1590B2907F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C9CFEB09.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	CFC2EB922357AFC2E08B818DF59D2DB4	8123513647762ABFC4460CEFB958BD4A64ECF759	CCE3BE7E4559A991BA398CBC436519D5B25B07AC458A454D62288A3C31BD35A0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D914E8F4.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	72FEAFCA807874E6742DFBD011C2B2CD	845FFB7468E2B0932848D356D8127CEE249EB712	F95F6C5360B90FCECB95608C8364FE5BA2D9372166B7F32766C8A9255AA9CDEE
C:\Users\user\Desktop\~$RU419 FEB17 BSRec_InvNet.xlsx	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185

Windows Analysis Report
RU419 FEB17 BSRec_InvNet.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report RU419 FEB17 BSRec_InvNet.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
RU419 FEB17 BSRec_InvNet.xlsx