Category FILE
Started On 2017-02-07 03:05:06.511552
Completed On 2017-02-07 03:07:20.148982
Duration 133 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo
Label win7 Clone 1
Manager VirtualBox
Started On 2017-02-07 03:05:06
Shutdown On 2017-02-07 03:07:19

File Details

File name bca6c5d347d3381de8ac7725412dff46c94bc9f5.xlsx
File size 850543 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 8ACBB81B
MD5 e661bcfd0d95f10bdb2a4cd57671b8f9
SHA1 bca6c5d347d3381de8ac7725412dff46c94bc9f5
SHA256 1beff2c4dfd683422f2421589c582f7b032f9a265bdfe0e1fcf19c990c4823ae
SHA512 2b0e51ce1466e3cd03e380558c50babba1b1e13d861cde7b2a8b80d12acfe769473296ef3982ef1c167bc505f176a8f0182fa70500ae3f5a3fb88b75aca33e31
Ssdeep 24576:y2LUE5/GpZTNzjpXhAHKtsV1V61+NQA0GY:Tg5Jt9xA8sb41v
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=50, Anomalies=0, PEiD=0, Yara=0, VT[1486436848]=0): Snort Events=0, AV Events=0
Total Score=50

Zipped File Yara Signatures:
xl/sharedStrings.xml: vmdetect

Signatures

creates_doc

Screenshots

No screenshots available.

Static Analysis

Strings

Dropped Files

  • ba8dc2e276837885_57c8edb95df3f0ad4ee2dc2b8cfd4157
  • 0596b76a2a088e81_535ec1a5-bc9c-4795-b3eb-44f8b4d6d5f1
  • 16863f2fafa4b2cb_heartbeatcache.xml
  • 70c883195be5fbbd_57c8edb95df3f0ad4ee2dc2b8cfd4157
  • 337387a307834fd1_b912b2c6928a18b8cd7d50cf08bea95b_d584270ce0a6fc97cb7df30639ab4938
  • baa3f5650e2b48bc_1daf2884ec4dfa96ba4a58d4dbc9c406
  • dcf799d93360cf5d_b912b2c6928a18b8cd7d50cf08bea95b_d584270ce0a6fc97cb7df30639ab4938
  • 5190c70426fe9638_1daf2884ec4dfa96ba4a58d4dbc9c406
  • cf66f45002f9a918_excel.exe_rules.xml

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Written
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\535EC1A5-BC9C-4795-B3EB-44F8B4D6D5F1
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  • C:\Users\Harry Dresden\AppData\Local\Temp\~$bca6c5d347d3381de8ac7725412dff46c94bc9f5.xlsx
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B912B2C6928A18B8CD7D50CF08BEA95B_D584270CE0A6FC97CB7DF30639AB4938
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B912B2C6928A18B8CD7D50CF08BEA95B_D584270CE0A6FC97CB7DF30639AB4938
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DAF2884EC4DFA96BA4A58D4DBC9C406
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  • C:\ProgramData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DAF2884EC4DFA96BA4A58D4DBC9C406
File-Opened

Processes

C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" C:\Users\HARRYD~1\AppData\Local\Temp\bca6c5d347d3381de8ac7725412dff46c94bc9f5.xlsx PID: 2340, Parent PID: 1864

Volatility

Nothing to display.