'
metaflows logo
Category Started On Completed On Duration Cuckoo Version
FILE 2017-11-01 16:11:15.470246 2017-11-01 16:13:55.946426 160 seconds 2.0-dev
Machine Label Manager Started On Shutdown On
win7cuckoo2 win7 Clone 2 VirtualBox 2017-11-01 16:11:16 2017-11-01 16:13:55

File Details

File name 21cc0044ae6de6e40fcb6cc7f1c869f2c9e69f67.xlsx
File size 14398 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 929B8AD0
MD5 bb7a435babf0ec8c452a6f86caa01a2a
SHA1 21cc0044ae6de6e40fcb6cc7f1c869f2c9e69f67
SHA256 b88fd03195c4336300a0a4ca1068a9d46439d8933ce04c0678ef05572f122135
SHA512 ebedfd2663a71a9adc4573f10b93371d48463e2d7c858df6a42f1ee6ea5abee21e5fc4027e8a21239aa2a344d5c268637756f59c22332e43a21356ee4751f710
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=2, VT[1509567247]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

raises_exception details
creates_doc details
office_vuln_modules details

Screenshots

No screenshots available.

Static Analysis

Strings

Dropped Files

40fe4c923962b9cb_3e09658f-0e70-4377-bebf-806c6f26c23b

cbb4b652e37fbca8_heartbeatcache.xml

7a961e3b4829838c_excel.exe_rules.xml

933d1d925d9bea73_1daf2884ec4dfa96ba4a58d4dbc9c406

4a495a631245b745_b912b2c6928a18b8cd7d50cf08bea95b_01e86961c648b4b727602ae8aeba82b8

116fea2b638c4584_b912b2c6928a18b8cd7d50cf08bea95b_01e86961c648b4b727602ae8aeba82b8

390adc57e6bbc5dc_1daf2884ec4dfa96ba4a58d4dbc9c406

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Written
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3E09658F-0E70-4377-BEBF-806C6F26C23B
  • C:\Users\Harry Dresden\AppData\Local\Temp\~$21cc0044ae6de6e40fcb6cc7f1c869f2c9e69f67.xlsx
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DAF2884EC4DFA96BA4A58D4DBC9C406
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B912B2C6928A18B8CD7D50CF08BEA95B_01E86961C648B4B727602AE8AEBA82B8
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B912B2C6928A18B8CD7D50CF08BEA95B_01E86961C648B4B727602AE8AEBA82B8
  • C:\ProgramData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DAF2884EC4DFA96BA4A58D4DBC9C406
File-Opened
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\
  • C:\Windows\System32\mscoree.dll
  • C:\Windows\SysWOW64\en-US\CRYPT32.dll.mui
  • C:\Windows\Fonts\tahoma.ttf
  • C:\Users\Harry Dresden\Favorites\desktop.ini
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Excel\XLSTART\
  • C:\Windows\WindowsShell.Manifest
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO40UIRES.DLL
  • C:\Users\Harry Dresden\AppData\Local\Temp\~$21cc0044ae6de6e40fcb6cc7f1c869f2c9e69f67.xlsx
  • C:\Users\Harry Dresden\Links\desktop.ini
  • C:\Windows\SysWOW64\en-US\USER32.dll.mui
  • C:\Users\Harry Dresden\Videos\desktop.ini
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\1033\msointl30.dll
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\
  • C:\Program Files (x86)\Common Files\Microsoft Shared\
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso20win32client.dll
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSORES.DLL
  • C:\Users\Harry Dresden\AppData\LocalLow
  • C:\Windows\AppPatch\sysmain.sdb
  • C:\Users\Harry Dresden\AppData\Local\Temp\21cc0044ae6de6e40fcb6cc7f1c869f2c9e69f67.xlsx
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\ocsa.office.microsoft.com\
  • C:\Users\Harry Dresden\Pictures\desktop.ini
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF
  • C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHEV.DLL
  • C:\Users\Harry Dresden\Searches\desktop.ini
  • C:\Windows\SysWOW64\shell32.dll
  • C:\Users\Harry Dresden\Downloads\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\
  • C:\Users\Harry Dresden\Contacts\desktop.ini
  • C:\Program Files (x86)\Microsoft Office\root\Office16\XLSTART\
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
  • C:\Windows\SysWOW64\en-US\setupapi.dll.mui
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso50win32client.dll
  • C:\Users\Harry Dresden
  • C:\Program Files (x86)\Microsoft Office\root\Office16\IVY.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO.DLL
  • C:\Windows\System32\en-US\shdocvw.dll.mui
  • C:\Program Files (x86)\Microsoft Office\root\Office16\OART.DLL
  • C:\Users\Harry Dresden\Documents\
  • C:\Windows\Fonts\SEGOEUISL.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\
  • C:\Windows\Fonts\
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso40uiwin32client.dll
  • C:\Program Files (x86)\Microsoft Office\root\Office16\1033\XLINTL32.DLL
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO99LRES.DLL
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Windows\SysWOW64\en-US\SETUPAPI.dll.mui
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\
  • C:\ProgramData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml
  • C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO.DLL
  • C:\Users\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\OTele\
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADAL.DLL
  • C:\Users\Harry Dresden\Music\desktop.ini
  • C:\Users
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
  • C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
  • C:\Users\Harry Dresden\Saved Games\desktop.ini
  • C:\Windows\Microsoft.NET\Framework\
  • C:\Windows\System32\en-US\d2d1.dll.mui
  • C:\Users\desktop.ini
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL
  • C:\Windows\Fonts\staticcache.dat
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso30win32client.dll
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso98win32client.dll
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\
  • C:\Windows\System32\shdocvw.dll
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B912B2C6928A18B8CD7D50CF08BEA95B_01E86961C648B4B727602AE8AEBA82B8
  • C:\Users\Harry Dresden\Desktop\desktop.ini
  • C:\Windows\System32
  • C:\Windows\
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DAF2884EC4DFA96BA4A58D4DBC9C406
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DAF2884EC4DFA96BA4A58D4DBC9C406
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My
  • C:\Program Files (x86)\
  • C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL
  • C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLL
  • C:\Windows\Fonts\segoeui.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\
  • C:\Program Files (x86)\Microsoft Office\root\Office16\MSPUB.EXE
  • C:\Users\Harry Dresden\Documents\desktop.ini
  • C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
  • C:\Windows\System32\
  • C:\Program Files (x86)\Microsoft Office\root\Office16
  • C:\Users\Harry Dresden\AppData\Local\Temp\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
  • C:\Users\Harry Dresden\AppData

Processes

registry filesystem process services network synchronization

C:\Windows\system32\lsass.exe PID: 484, Parent PID: 388

"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" C:\Users\HARRYD~1\AppData\Local\Temp\21cc0044ae6de6e40fcb6cc7f1c869f2c9e69f67.xlsx PID: 4992, Parent PID: 4968

Volatility

Nothing to display.