IPMO Order Adhoc.xls
This report is generated from a file or URL submitted to this webservice on April 2nd 2018 14:47:39 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.00 © Hybrid Analysis
Indicators
-
Suspicious Indicators 1
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
-
- (Indicator: "vmware")
- source
- File/Memory
- relevance
- 4/10
-
Informative 10
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/53 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-59428"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-59428"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\ZonesCounterMutex"
"Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\ZonesCacheCounterMutex"
"Global\552FFA80-3393-423d-8671-7BA046BB5906"
"Local\10MU_ACB10_S-1-5-5-0-59428"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"Local\10MU_ACBPIDS_S-1-5-5-0-59428"
- source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "EXCEL.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 65D50000
- source
- Loaded Module
-
Scanning for window names
- details
- "EXCEL.EXE" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
-
Installation/Persistence
-
Found a string that may be used as part of an injection method
- details
- "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source
- File/Memory
- relevance
- 4/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "EXCEL.EXE" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"EXCEL.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
"EXCEL.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"EXCEL.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
"EXCEL.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"EXCEL.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"EXCEL.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"EXCEL.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"EXCEL.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"EXCEL.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"EXCEL.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"EXCEL.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"EXCEL.EXE" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
"EXCEL.EXE" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"EXCEL.EXE" touched file "C:\Windows\System32\rsaenh.dll"
"EXCEL.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"EXCEL.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"EXCEL.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"EXCEL.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso1FA6.tmp"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://www.w3.org/TR/REC-html40"
Pattern match: "http://www.dell.com/contactdell"
Pattern match: "http://support.dell.com/ProSupport"
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Hooks API calls
- details
-
"VariantChangeType@OLEAUT32.DLL" in "EXCEL.EXE"
"OleLoadFromStream@OLE32.DLL" in "EXCEL.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "EXCEL.EXE"
"VariantClear@OLEAUT32.DLL" in "EXCEL.EXE"
"SysFreeString@OLEAUT32.DLL" in "EXCEL.EXE"
- source
- Hook Detection
- relevance
- 10/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"EXCEL.EXE" wrote bytes "9c0e706c" to virtual address "0x6BA478E4" (part of module "OART.DLL")
"EXCEL.EXE" wrote bytes "e923992af4" to virtual address "0x765A5DEE" ("VariantChangeType@OLEAUT32.DLL")
"EXCEL.EXE" wrote bytes "e9c532d4f4" to virtual address "0x76086143" ("OleLoadFromStream@OLE32.DLL")
"EXCEL.EXE" wrote bytes "4e47706c" to virtual address "0x6D39CA70" (part of module "GFX.DLL")
"EXCEL.EXE" wrote bytes "e99e4816f4" to virtual address "0x76683D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"EXCEL.EXE" wrote bytes "e9603328f4" to virtual address "0x765A4731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"EXCEL.EXE" wrote bytes "e9365528f4" to virtual address "0x765A3EAE" ("VariantClear@OLEAUT32.DLL")
"EXCEL.EXE" wrote bytes "a209b56d" to virtual address "0x6AA40BA8" (part of module "MSO.DLL")
"EXCEL.EXE" wrote bytes "cc4c706c" to virtual address "0x2F4C4354" (part of module "EXCEL.EXE")
"EXCEL.EXE" wrote bytes "62b8016d" to virtual address "0x65D99904" (part of module "RICHED20.DLL")
"EXCEL.EXE" wrote bytes "c4ca677680bb6776aa6e68769fbb677608bb677646ce677661386876de2f6876d0d96776000000001779a7754f91a7757f6fa775f4f7a77511f7a775f283a775857ea77500000000" to virtual address "0x6E091000" (part of module "MSIMG32.DLL")
"EXCEL.EXE" wrote bytes "e99a5427f4" to virtual address "0x765A3E59" ("SysFreeString@OLEAUT32.DLL")
- source
- Hook Detection
- relevance
- 10/10
File Details
IPMO Order Adhoc.xls
- Filename
- IPMO Order Adhoc.xls
- Size
- 11MiB (11605959 bytes)
- Type
- text email
- Description
- MIME entity, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
- Architecture
- WINDOWS
- SHA256
- bb92cb59805d97a8a3be5c61942e936357fca5a62ccf5a50866af55331deca90
- MD5
- 0dd7efa4d23884ace16f2ca1298ea072
- SHA1
- f3c3746ae4af4a037f891d4fbf1df0024b9b58c0
Screenshots
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- EXCEL.EXE /dde (PID: 2760)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.