Category: FILE
Started On: 2017-03-18 12:05:04.713635
Completed On: 2017-03-18 12:07:11.832081
Duration: 127 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo2
Label: win7 Clone 2
Manager: VirtualBox
Started On: 2017-03-18 12:05:05
Shutdown On: 2017-03-18 12:07:11

File Details

File name: 125f17f63050aee4f5500b4afef9a889afd91102.xlsx
File size: 42465 bytes
File type: Zip archive data, at least v2.0 to extract
CRC32: 620B91ED
MD5: 25dda9e8a870aae5092178f891069be1
SHA1: 125f17f63050aee4f5500b4afef9a889afd91102
SHA256: a299fca027ef4fd5a631815ea9848996d6fa876d7fb2454c4b15299f5b394b8c
SHA512: 65e8de253b88faf4fff73a1640ed8db4b5b789c731c64bc271bbcc3afe9c8aed9c4d01f01072a53acfbbeb0577d4f3f67afff4d2cca953504f5eec650b085c9d
Ssdeep: 768:Fe/BfJSZGv8nxpSzhX0ePsnyoOSrztdZZB9ToI12ceAQ6L8xHkaIW50l:Fe/BsZ6eUN9syohPheDwrIxEiul
PEiD: None matched
Yara: None matched
VirusTotal: File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=50, Anomalies=0, PEiD=0, Yara=0, VT[1489838841]=0): Snort Events=0, AV Events=0
Total Score=50

Zipped File Yara Signatures:
xl/sharedStrings.xml: vmdetect
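
The only static hit in this report is a YARA rule named vmdetect on xl/sharedStrings.xml, the OOXML part that holds the text of a workbook's cells. The script below is an added example, not MetaFlows' or Cuckoo's code: it opens a workbook as a zip, reads the shared strings (including rich-text runs split over several <t> elements), checks for a VBA project part and for relationship targets marked External, and matches an assumed hypervisor string list. The VM_STRINGS list, the example.invalid URL and the workbook produced by build_sample() are constructed for the demo; the body of the vmdetect rule that fired is not shown on this page.

```python
"""Static triage of an OOXML container (added example, not the report's own code).

Opens a .xlsx as a zip, pulls xl/sharedStrings.xml and looks for strings that
name a hypervisor or sandbox, plus two checks a triager always wants: is there
a VBA part, and does any .rels part point outside the package.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# Assumed indicator list; the real vmdetect rule body is not on the page.
VM_STRINGS = ("vmware", "virtualbox", "vbox", "qemu", "hyper-v", "sandbox", "cuckoo")

NS_SST = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
NS_REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def shared_strings(z: zipfile.ZipFile) -> List[str]:
    """Text of every <si> entry in xl/sharedStrings.xml, or [] if the part is absent.

    Rich-text entries split one cell over several <r><t> runs, so each <si>
    is joined from all of its descendant <t> elements rather than the first one.
    """
    if "xl/sharedStrings.xml" not in z.namelist():
        return []
    root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(NS_SST + "t"))
            for si in root.iter(NS_SST + "si")]


def external_targets(z: zipfile.ZipFile) -> List[str]:
    """Relationship targets with TargetMode="External" in any .rels part (URLs, UNC paths)."""
    hits: List[str] = []
    for name in z.namelist():
        if name.endswith(".rels"):
            root = ET.fromstring(z.read(name))
            hits += [r.get("Target", "") for r in root.iter(NS_REL + "Relationship")
                     if r.get("TargetMode") == "External"]
    return hits


def triage(data: bytes) -> Dict[str, object]:
    """Summarise an OOXML blob: part count, VBA presence, VM-string hits, external links."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        strings = shared_strings(z)
        vm_hits = sorted({s for s in strings if any(k in s.lower() for k in VM_STRINGS)})
        return {
            "parts": len(names),
            "has_vba": "xl/vbaProject.bin" in names,
            "shared_strings": len(strings),
            "vmdetect": vm_hits,
            "external_targets": external_targets(z),
        }


def build_sample() -> bytes:
    """Constructed minimal workbook for the demo; it is NOT the file from the report."""
    rels_ns = "http://schemas.openxmlformats.org/package/2006/relationships"
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "_rels/.rels":
            f'<Relationships xmlns="{rels_ns}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
            'Target="xl/workbook.xml"/></Relationships>',
        "xl/workbook.xml":
            '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>',
        "xl/_rels/workbook.xml.rels":  # one hyperlink pointing outside the package (constructed)
            f'<Relationships xmlns="{rels_ns}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="http://example.invalid/payload" TargetMode="External"/></Relationships>',
        "xl/sharedStrings.xml":
            '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="3" uniqueCount="3">'
            '<si><t>Invoice total</t></si>'
            '<si><t>VMware, Inc.</t></si>'
            '<si><r><t>VirtualBox </t></r><r><t>Guest Additions</t></r></si></sst>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

A vmdetect hit on sharedStrings.xml only says that cell text mentions a VM product; a spreadsheet listing server inventory would trip the same rule. In this report there is no VirusTotal record, no network activity, no screenshot and no process other than EXCEL.EXE, so the score of 50 rests on that string match together with the creates_doc signature. Pair the string check with the VBA and external-relationship checks above before deciding whether the document warrants a deeper look.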

Signatures

creates_doc

Screenshots

No screenshots available.

Static Analysis

Strings

Dropped Files

ba8dc2e276837885_57c8edb95df3f0ad4ee2dc2b8cfd4157

95e6e1fab2c3ac73_57c8edb95df3f0ad4ee2dc2b8cfd4157

d1f40bf1009c748a_b912b2c6928a18b8cd7d50cf08bea95b_d584270ce0a6fc97cb7df30639ab4938

7743fefaae7d7049_excel.exe_rules.xml

274329825cb86f7e_77965b04-4dc5-418f-896a-82f07d10a900

e607cddb0a9d52da_1daf2884ec4dfa96ba4a58d4dbc9c406

760fbb63545abea7_b912b2c6928a18b8cd7d50cf08bea95b_d584270ce0a6fc97cb7df30639ab4938

3e743a0f53acf66a_heartbeatcache.xml

1c7155206dcc5b49_1daf2884ec4dfa96ba4a58d4dbc9c406

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Written
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DAF2884EC4DFA96BA4A58D4DBC9C406
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B912B2C6928A18B8CD7D50CF08BEA95B_D584270CE0A6FC97CB7DF30639AB4938
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B912B2C6928A18B8CD7D50CF08BEA95B_D584270CE0A6FC97CB7DF30639AB4938
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  • C:\ProgramData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\~$125f17f63050aee4f5500b4afef9a889afd91102.xlsx
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DAF2884EC4DFA96BA4A58D4DBC9C406
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\77965B04-4DC5-418F-896A-82F07D10A900
File-Opened
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\
  • C:\Windows\System32\mscoree.dll
  • C:\Windows\SysWOW64\en-US\CRYPT32.dll.mui
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\E8B3C435-E17C-4CCB-8DB6-5AACAF748743
  • C:\Windows\Fonts\tahoma.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\9084C59D-9246-49F9-88F6-C954DA270C35
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\3AFAFE24-69DE-4F09-8039-6624E1B84A07
  • C:\Users\Harry Dresden\AppData\Local\Temp\~$125f17f63050aee4f5500b4afef9a889afd91102.xlsx
  • C:\Users\Harry Dresden\AppData\Local\Microsoft
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DAF2884EC4DFA96BA4A58D4DBC9C406
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\E3BF1906-3D7A-4AED-8FDA-0B6F0F68BE82
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\OTele\{03C3DF71-B951-499E-BCF8-ACB16F85DFA3} (0) - 6024 - winword.exe - OTeleMediumCost.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Excel\XLSTART\
  • C:\Windows\WindowsShell.Manifest
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO40UIRES.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\
  • C:\Users\Harry Dresden\Links\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache
  • C:\Windows\SysWOW64\en-US\USER32.dll.mui
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\OTele\{03C3DF71-B951-499E-BCF8-ACB16F85DFA3} (0) - 6024 - winword.exe - OTele.dat
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\AE589941-0A82-46F0-8BC4-0A6655B6816B
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\72BFCD73-B7A5-45FE-8EBE-EA4D1094AF29
  • C:\Users\Harry Dresden\Videos\desktop.ini
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\1033\msointl30.dll
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\205052E1-FEB6-4D39-A0BC-EA2E8964292F
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\
  • C:\Program Files (x86)\Common Files\Microsoft Shared\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\C89690C3-8962-41A3-ABF8-F795E1AF19C4
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso20win32client.dll
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSORES.DLL
  • C:\Users\Harry Dresden\AppData\LocalLow
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\5E79394E-2AD0-4291-BB8C-C2FD5E6D2BB7
  • C:\Users\Harry Dresden\Favorites\desktop.ini
  • C:\Windows\AppPatch\sysmain.sdb
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers
  • C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
  • C:\Windows\System32\en-US\d2d1.dll.mui
  • C:\Users\Harry Dresden\Pictures\desktop.ini
  • C:\ProgramData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\16E5A1A8-4E9C-4FAF-AE8A-52342C7E9A8C
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\4E4E6B91-AA29-4234-B7E8-641B2CA2D8A1
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\57F499CE-A887-4F45-BC6C-A35858B366C6
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\69F2D413-CE6E-49BD-8449-4540509DA5D2
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\08B70C46-E7B1-441B-AAE8-5C870062221D
  • C:\Users\Harry Dresden\Contacts\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\5F01BBF7-C726-4F16-AE48-52A3949283F1
  • C:\Program Files (x86)\Microsoft Office\root\Office16\1033\excel_whatsnew.xml
  • C:\Users\Harry Dresden\Searches\desktop.ini
  • C:\Windows\SysWOW64\shell32.dll
  • C:\Users\Harry Dresden\Downloads\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\CA983C33-3586-43AF-9B56-EB0313207AF3
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\E9AE0B44-37CF-47BB-9571-DDF96D423964
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\
  • C:\Users\Harry Dresden\AppData\Local\Temp\125f17f63050aee4f5500b4afef9a889afd91102.xlsx
  • C:\Program Files (x86)\Microsoft Office\root\Office16\XLSTART\
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
  • C:\Windows\SysWOW64\en-US\setupapi.dll.mui
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\E16EFF37-5861-4A7F-BA7B-82DB56F0C8E7
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO.DLL
  • C:\Windows\System32\en-US\shdocvw.dll.mui
  • C:\Users\Harry Dresden\Documents\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms
  • C:\Windows\Fonts\SEGOEUISL.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\61AEEE98-B230-4916-B322-12DFB21A2BA6
  • C:\Windows\Fonts\
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso40uiwin32client.dll
  • C:\Program Files (x86)\Microsoft Office\root\Office16\1033\XLINTL32.DLL
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO99LRES.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\15D22D8E-BD06-4697-B591-FAD05DC2A1BE
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Windows\SysWOW64\en-US\SETUPAPI.dll.mui
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\768566A2-8B21-4FD3-A78B-BC75ABCDD53A
  • C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO.DLL
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso99Lwin32client.dll
  • C:\Users\
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B912B2C6928A18B8CD7D50CF08BEA95B_D584270CE0A6FC97CB7DF30639AB4938
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\3B6903EB-3E8F-44DC-8219-6AA637886504
  • C:\Users\Harry Dresden\Music\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\D2441C18-5BD7-434D-9AE6-8819A90CC901
  • C:\Users
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\D972956A-19C6-4137-A7BB-6415AB80BB28
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\08E38A02-2995-49A6-B950-07F4940DCDFC
  • C:\Users\Harry Dresden\Saved Games\desktop.ini
  • C:\Windows\Microsoft.NET\Framework\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\1B0419EB-C7FA-4DFD-8725-BA740D698881
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\ocsa.office.microsoft.com\
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2660F9B0-7AB9-4A7D-8D5A-ED3D729F9FA2
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\01BAC165-671D-40B9-A322-39B900ECC251
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\2E780867-593E-4412-AED9-9DD8D471278F
  • C:\Windows\Fonts\staticcache.dat
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso30win32client.dll
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\FB9E1781-26CB-42F5-BF5D-5C7650B5D571
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso98win32client.dll
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  • C:\Windows\System32\shdocvw.dll
  • C:\Users\Harry Dresden\Desktop\desktop.ini
  • C:\Windows\System32
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\808DC5C5-B148-4EE5-9895-76A37ACA3254
  • C:\Windows\
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B912B2C6928A18B8CD7D50CF08BEA95B_D584270CE0A6FC97CB7DF30639AB4938
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\93CD87F8-3BD3-46FF-9E72-F541341C5638
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\4D5491FC-D226-4986-AA0C-4278DDA8F144
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\OTele\
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DAF2884EC4DFA96BA4A58D4DBC9C406
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\FB1750B1-CC8B-4D59-88A7-3909D4B3486C
  • C:\Users\desktop.ini
  • C:\Program Files (x86)\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\076D60B7-0372-4FDF-8884-08CF03B689B2
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\424BD1E3-52C0-4290-A9AA-17AE2AF49576
  • C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLL
  • C:\Windows\Fonts\segoeui.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\
  • C:\Program Files (x86)\Microsoft Office\root\Office16\MSPUB.EXE
  • C:\Users\Harry Dresden\Documents\desktop.ini
  • C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHEV.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\303ECF0A-4EBE-4E78-A291-6A89FA3FA825
  • C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\26402AE1-BA53-4D6A-A157-FB9AC06A9C49
  • C:\Windows\System32\
  • C:\Program Files (x86)\Microsoft Office\root\Office16
  • C:\Users\Harry Dresden\AppData\Local\Temp\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\63A62980-3DDF-4995-9D01-6B4278363B9F
  • C:\Users\Harry Dresden\AppData
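
Everything in the File-Written list above is either Office 2016's own startup output (CryptnetUrlCache entries from CryptoAPI's certificate and CRL downloads, WebServiceCache and OTele telemetry, HeartbeatCache.xml, excel.exe_Rules.xml) or Excel's ~$ owner file for the workbook it has open. The filter below is an added example, not part of the report or of Cuckoo: it lower-cases each path, replaces the profile name so the rules do not depend on the VM user, and returns only writes that fall outside an assumed allow-list derived from these paths. The allow-list and the final Startup\update.vbs entry are constructed assumptions for the demo; the other paths are copied from this report.

```python
"""Noise filter for the Behavior Summary of an Office sandbox run (added example).

Office 2016 writes a predictable set of caches and telemetry files on every
start, so the useful question is "what did this run touch that Office does
not touch on its own?".  The allow-list is an assumption built from the
paths in this report, not a published Microsoft list.
"""
import re
from typing import List

# Prefixes (after normalise()) that Office 2016 itself produces at startup. Assumed.
OFFICE_NOISE = (
    r"c:\users\<user>\appdata\locallow\microsoft\cryptneturlcache",
    r"c:\users\<user>\appdata\local\microsoft\office\16.0\webservicecache",
    r"c:\users\<user>\appdata\local\microsoft\office\16.0\excel.exe_rules.xml",
    r"c:\users\<user>\appdata\local\microsoft\office\otele",
    r"c:\programdata\microsoft\office\heartbeat",
)

_USER_RE = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)


def normalise(path: str) -> str:
    """Lower-case the path and replace the profile directory with <user>."""
    return _USER_RE.sub(r"c:\\users\\<user>\\", path.lower())


def classify(path: str, sample_name: str) -> str:
    """Bucket one written path as 'noise', 'owner-file', 'sample' or 'review'."""
    p = normalise(path)
    if any(p.startswith(prefix) for prefix in OFFICE_NOISE):
        return "noise"
    base = p.rsplit("\\", 1)[-1]
    if base == "~$" + sample_name.lower():
        return "owner-file"      # Excel's lock file for the workbook it has open
    if base == sample_name.lower():
        return "sample"          # the submitted file itself
    return "review"              # anything else is worth a human look


def needs_review(paths: List[str], sample_name: str) -> List[str]:
    """Paths that are neither Office noise nor the sample or its owner file."""
    return [p for p in paths if classify(p, sample_name) == "review"]


SAMPLE = "125f17f63050aee4f5500b4afef9a889afd91102.xlsx"

# The first five entries are copied from the report's File-Written list; the last
# one is constructed to show what a write outside the allow-list looks like.
WRITTEN = [
    r"C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml",
    r"C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DAF2884EC4DFA96BA4A58D4DBC9C406",
    r"C:\ProgramData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml",
    r"C:\Users\Harry Dresden\AppData\Local\Temp\~$125f17f63050aee4f5500b4afef9a889afd91102.xlsx",
    r"C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\77965B04-4DC5-418F-896A-82F07D10A900",
    r"C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs",  # constructed
]


if __name__ == "__main__":
    for path in WRITTEN:
        print(f"{classify(path, SAMPLE):10s} {path}")
    print("needs review:", needs_review(WRITTEN, SAMPLE))
```

Run against the report's own list the filter returns nothing, which is the point: the File-Written section of this run contains no write that Excel would not make on its own. Keep the allow-list tied to the Office build in the sandbox image (here 16.0), since the cache locations change between versions.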

Processes


C:\Windows\system32\lsass.exe PID: 460, Parent PID: 364

"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" C:\Users\HARRYD~1\AppData\Local\Temp\125f17f63050aee4f5500b4afef9a889afd91102.xlsx PID: 2376, Parent PID: 1268

Volatility

Nothing to display.