CREDIT SUISSE GLOBAL METALS AND MINING COMPS.xls
This report is generated from a file or URL submitted to this webservice on October 17th 2016 16:10:32 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v5.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 1
-
Unusual Characteristics
-
Detected known bank URL artifact
- details
-
"paul.mctaggart@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"matthew.hope@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"james.gurry@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"michael.slifirski@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"trina.chen@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"shinya.yamada@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"paworamon.suvarnatemee@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"neelkanth.mishra@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"michael.shillaker@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"liam.fitzpatrick@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"semyon.mironov@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mikhail.priklonsky@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"ralph.profiti@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"anita.soni@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"minseok.sinn@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"conor.rowley@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"ivano.westin@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"yan.truong@credit-suisse.com!" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"robert.reynolds@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"gayle.podurgiel@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"nick.herbert@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"christian.Prendiville@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"serena.rochacalejon@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"prateek.singh@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"jun.yamaguchi@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"sam.webb@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"renan.criscio@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"gary.xu@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"hayoung.chung@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"ravi.shankar@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"ariyanto.jahja@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"curt.woodworth@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"jou.zhang@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"globalmetals.mining@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:ariyanto.jahja@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:ravi.shankar@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:gary.xu@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:sam.webb@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:jun.yamaguchi@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:christian.Prendiville@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:gayle.podurgiel@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:jou.zhang@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:yan.truong@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:ivano.westin@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:conor.rowley@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:curt.woodworth@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:nick.herbert@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:hayoung.chung@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:anita.soni@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com")
"mailto:matthew.hope@credit-suisse.com" (Source: CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.xls.bin, Indicator: "credit-suisse.com") - source
- File/Memory
- relevance
- 8/10
-
Note: this one "malicious" indicator is a string match on "credit-suisse.com" inside analyst e-mail addresses, not observed behaviour. The workbook is titled as a Credit Suisse comps sheet, also carries *.csfb.com host names and a research-and-analytics.csfb.com URL (see "Found potential URL in binary/memory" below), and the report records no DNS request, contacted host or HTTP traffic. Weigh the 8/10 relevance accordingly.
-
Suspicious Indicators 9
-
Environment Awareness
-
Reads the active computer name
- details
- "EXCEL.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
-
Reads the cryptographic machine GUID
- details
- "EXCEL.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
-
Installation/Persistence
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "EXCEL.EXE" opened "MountPointManager"
- source
- API Call
- relevance
- 5/10
-
-
Network Related
-
Found potential IP address in binary/memory
- details
-
Heuristic match: "14.0.6126.5003"
"166.13.116.160" - source
- File/Memory
- relevance
- 3/10
-
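The first of the two heuristic hits above cannot be an address: 14.0.6126.5003 has two groups above 255, and 14.0 is the major version of Office 2010 (the report's own paths refer to OFFICE14), so it is a build number that happened to match a dotted-quad pattern. Only 166.13.116.160 is a syntactically valid IPv4 address, and the report records no DNS request or contacted host for it, so on this page it is a string found in file or memory, not observed network activity. The Python below is an added example written for this page (it is not Falcon Sandbox code) showing the check a triage script should apply before pivoting on such a hit: validate the octets with the standard library, then separate routable addresses from private or reserved ones. The sample text is constructed, and the candidate pattern and labels are assumptions of this example.

```python
"""Validate 'potential IP address' heuristic hits instead of trusting the regex match."""
import ipaddress
import re

# Constructed sample: the two strings the report flagged plus a few boundary cases.
SAMPLE_TEXT = (
    'build "14.0.6126.5003" seen; host 166.13.116.160 contacted; '
    "internal 10.0.0.1; junk 999.1.1.1; not-an-ip 1.2.3.4.5"
)

# Four dotted groups of up to four digits, not glued to further digits or dots on either side
# (so "1.2.3.4.5" is not split into a bogus quad).
CANDIDATE_RE = re.compile(r"(?<![\d.])(\d{1,4}(?:\.\d{1,4}){3})(?![\d.])")


def classify_candidate(s):
    """Return a label explaining whether the dotted string can be an IPv4 address at all."""
    try:
        ip = ipaddress.IPv4Address(s)  # rejects any octet above 255, e.g. Office build numbers
    except ValueError:
        return "not an IPv4 address (octet out of range)"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "IPv4, private/non-routable"
    if not ip.is_global:
        return "IPv4, reserved"
    return "IPv4, routable"


def extract_ipv4_hits(text):
    """Return (candidate, label) for every dotted-quad-looking token in the text."""
    return [(c, classify_candidate(c)) for c in CANDIDATE_RE.findall(text)]


def routable_ips(text):
    """Only the candidates worth pivoting on (passive DNS, blocklists, proxy logs)."""
    return [c for c, label in extract_ipv4_hits(text) if label == "IPv4, routable"]


if __name__ == "__main__":
    for candidate, label in extract_ipv4_hits(SAMPLE_TEXT):
        print(f"{candidate:18} {label}")
```

Run against the report's two strings, only 166.13.116.160 survives; whether it matters still depends on whether any traffic to it was observed, which this report says it was not.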
-
System Security
-
Hooks API calls
- details
-
"SysFreeString@OLEAUT32.DLL" in "EXCEL.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "EXCEL.EXE"
"OleLoadFromStream@OLE32.DLL" in "EXCEL.EXE"
"VariantChangeType@OLEAUT32.DLL" in "EXCEL.EXE"
"VariantClear@OLEAUT32.DLL" in "EXCEL.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Queries sensitive IE security settings
- details
- "EXCEL.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
-
-
Unusual Characteristics
-
Contains embedded VBA macros with suspicious keywords
- details
- Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
- source
- Static Parser
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"EXCEL.EXE" wrote bytes "e99a543ef3" to virtual address "0x75813E59" ("SysFreeString@OLEAUT32.DLL")
"EXCEL.EXE" wrote bytes "e0b0e263" to virtual address "0x63C2737C" (part of module "GKEXCEL.DLL")
"EXCEL.EXE" wrote bytes "c4cafb7580bbfb7552bafb759fbbfb7508bbfb7546cefb756138fc75de2ffc75d0d9fb750000000017796c754f916c757f6f6c75f4f76c7511f76c75f2836c75857e6c7500000000" to virtual address "0x6B5A1000" (part of module "MSIMG32.DLL")
"EXCEL.EXE" wrote bytes "e960333ff3" to virtual address "0x75814731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"EXCEL.EXE" wrote bytes "e9c5325af3" to virtual address "0x75C06143" ("OleLoadFromStream@OLE32.DLL")
"EXCEL.EXE" wrote bytes "e9239941f3" to virtual address "0x75815DEE" ("VariantChangeType@OLEAUT32.DLL")
"EXCEL.EXE" wrote bytes "e99e48c0f2" to virtual address "0x75FC3D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"EXCEL.EXE" wrote bytes "6f2ef4f7" to virtual address "0x68E20BA8" (part of module "MSO.DLL")
"EXCEL.EXE" wrote bytes "759eebf7" to virtual address "0x63F09904" (part of module "RICHED20.DLL")
"EXCEL.EXE" wrote bytes "6dea2299" to virtual address "0x6E4B10AC" (part of module "MSPTLS.DLL")
"EXCEL.EXE" wrote bytes "7be999f7" to virtual address "0x2FFE4354" (part of module "EXCEL.EXE")
"EXCEL.EXE" wrote bytes "caa199f7" to virtual address "0x69E278E4" (part of module "OART.DLL")
"EXCEL.EXE" wrote bytes "e936553ff3" to virtual address "0x75813EAE" ("VariantClear@OLEAUT32.DLL")
"EXCEL.EXE" wrote bytes "dab88b6f" to virtual address "0x6E33207C" (part of module "MSOSTYLE.DLL")
"EXCEL.EXE" wrote bytes "50b099f7" to virtual address "0x6B15CA70" (part of module "GFX.DLL") - source
- Hook Detection
- relevance
- 10/10
-
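Every 5-byte write above that begins with e9 lands on the entry point of an exported function (SysFreeString, SysAllocStringByteLen, OleLoadFromStream, VariantChangeType, VariantClear, SetUnhandledExceptionFilter), the same functions the "Hooks API calls" indicator lists. On x86, E9 is JMP rel32: the four bytes that follow are a signed displacement from the next instruction, so they give the address the detour jumps to. The 4-byte writes inside module images are pointer-sized slots. The Python below is an added example written for this page, not part of the Falcon Sandbox report: it parses lines in the report's own "wrote bytes" format, decodes the JMP targets, and marks 4-byte values that cannot be user-mode pointers in a 32-bit process (the guest here is 32-bit Windows 7). The resolved targets are meant to be compared with module load addresses; this report shows only one (RICHED20.DLL at 0x63EC0000), so which module owns the detours cannot be settled from this page alone, and the VBA listed further down contains no hooking code at all. The sample lines are copied from the entries above; the classification of 4-byte writes as pointers is an assumption of this example.

```python
"""Decode the 'wrote bytes ... to virtual address ...' hook entries of a sandbox report."""
import re
import struct

# Constructed sample input: five entries copied in the report's own line format.
SAMPLE_HOOK_LINES = """\
"EXCEL.EXE" wrote bytes "e99a543ef3" to virtual address "0x75813E59" ("SysFreeString@OLEAUT32.DLL")
"EXCEL.EXE" wrote bytes "e0b0e263" to virtual address "0x63C2737C" (part of module "GKEXCEL.DLL")
"EXCEL.EXE" wrote bytes "e9c5325af3" to virtual address "0x75C06143" ("OleLoadFromStream@OLE32.DLL")
"EXCEL.EXE" wrote bytes "e99e48c0f2" to virtual address "0x75FC3D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"EXCEL.EXE" wrote bytes "7be999f7" to virtual address "0x2FFE4354" (part of module "EXCEL.EXE")
"""

LINE_RE = re.compile(
    r'"(?P<proc>[^"]+)" wrote bytes "(?P<hex>[0-9a-fA-F]+)" to virtual address '
    r'"0x(?P<addr>[0-9a-fA-F]+)" \((?:part of module )?"(?P<where>[^"]+)"\)'
)


def parse_hook_lines(text):
    """Return one dict per report line: process, raw bytes, patched address, location label."""
    return [
        {
            "process": m.group("proc"),
            "bytes": bytes.fromhex(m.group("hex")),
            "address": int(m.group("addr"), 16),
            "where": m.group("where"),
        }
        for m in LINE_RE.finditer(text)
    ]


def decode_patch(entry):
    """Classify a written byte sequence and resolve where it points (32-bit guest assumed)."""
    b, addr = entry["bytes"], entry["address"]
    if len(b) == 5 and b[0] == 0xE9:
        # x86 JMP rel32: target = address of the next instruction (+5) plus a signed displacement
        disp = struct.unpack("<i", b[1:5])[0]
        return {"kind": "jmp_rel32", "target": (addr + 5 + disp) & 0xFFFFFFFF}
    if len(b) == 4:
        val = struct.unpack("<I", b)[0]
        # below 0x80000000 the value can be a user-mode pointer (import thunk, vtable slot,
        # function-pointer global); above it cannot be one in a 32-bit process
        return {"kind": "pointer32" if val < 0x80000000 else "value32", "target": val}
    if len(b) % 4 == 0 and len(b) > 8:
        # longer runs, like the 72-byte write into MSIMG32.DLL in the report, are pointer tables
        return {"kind": "pointer_table", "target": list(struct.unpack(f"<{len(b) // 4}I", b))}
    return {"kind": "other", "target": None}


def resolve_hooks(text):
    """Decode every entry and render the target as hex for comparison with module ranges."""
    rows = []
    for e in parse_hook_lines(text):
        d = decode_patch(e)
        t = d["target"]
        if isinstance(t, list):
            shown = f"{len(t)} entries, first 0x{t[0]:08X}"
        elif t is None:
            shown = "n/a"
        else:
            shown = f"0x{t:08X}"
        rows.append((e["where"], d["kind"], shown))
    return rows


if __name__ == "__main__":
    for where, kind, target in resolve_hooks(SAMPLE_HOOK_LINES):
        print(f"{where:45} {kind:13} -> {target}")
```

The SysFreeString detour, for instance, resolves to 0x68BF92F8, a long way from the OLEAUT32 image it was written into; the next step in an investigation is to take the full module list from the sandbox (or a memory dump) and see which image that address belongs to before deciding whether the hook is Office's own or foreign.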
Reads information about supported languages
- details
-
"EXCEL.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"EXCEL.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000401")
"EXCEL.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040D")
"EXCEL.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000041E")
"EXCEL.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000042A")
"EXCEL.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000439")
"EXCEL.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000420")
"EXCEL.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000429") - source
- Registry Access
- relevance
- 3/10
-
-
Informative 8
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/54 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
-
General
-
Contains embedded VBA macros
- details
-
File "ThisWorkbook.cls" (Streampath: "_VBA_PROJECT_CUR/VBA/ThisWorkbook") has code: "Private Function CheckAdvanceInstalled(wb As Workbook, SaveAsUI As Boolean) As Boolean
On Error GoTo eh:
Dim RegisterIt As Object
Dim oSheet As Worksheet
Dim blnFound As Boolean
'SP7 Kiran Req 421 18-Jan-2007
'To check the user click on the messagebox
Dim iresult As Integer
'End
Set RegisterIt = CreateObject("DSARegistry.DSCRegistry")
Dim strValue As String
strValue = RegisterIt.ReadString(-2147483647, "SOFTWARE\Datastream\Datastream Advance\Files", "AdvanceEXEPath")
Set RegisterIt = Nothing
If IsControlsCorrupted(wb) Then GoTo eh:
CheckAdvanceInstalled = True
Exit Function
eh:
'SP7 Kiran Req 421 18-Jan-2007
'To check whether the AFOSHEEt already exists.
Dim wbFound As Boolean
wbFound = False
For Each oSheet In wb.Worksheets
If oSheet.Name = "AFOSHEET" Then
wbFound = True
Exit For
End If
Next oSheet
'End
If SaveAsUI Then
CheckAdvanceInstalled = True
'SP7 Kiran Req 421 18-Jan-2007
'To check whether the AFOSHEEt already exists,if yes dont add AFOSHEEt else add AFOSHEEt
If wbFound = False Then
'End
Set oSheet = wb.Sheets.Add
oSheet.Name = "AFOSHEET"
oSheet.Visible = xlSheetHidden
Set oSheet = Nothing
'SP7 Kiran Req 421 18-Jan-2007
End If
'End
Else
blnFound = False
For Each oSheet In wb.Worksheets
If oSheet.Name = "AFOSHEET" Then
blnFound = True
Exit For
End If
Next oSheet
If Not blnFound Then
'SP7 Kiran Req 421 18-Jan-2007
'To prompt message to user,avoid to save and suggest to save as
iresult = MsgBox("Issues found with the AFO controls. Please save as a new workbook by selecting File -> Save As.", vbOKOnly, "ActiveX control error...")
If iresult = vbOK Then
'End
CheckAdvanceInstalled = False
'SP7 Kiran Req 421 18-Jan-2007
Application.DisplayAlerts = False
'End
wb.Saved = True
'SP7 Kiran Req 421 18-Jan-2007
End If
'End
Else
CheckAdvanceInstalled = True
End If
End If
End Function
Private Function CheckComments(celladdress As String) As String
On Error GoTo CheckComments_error
CheckComments = Range(celladdress).Comment.Text
Exit Function
CheckComments_error:
CheckComments = "*ERROR* " & Error(Err)
Resume Next
End Function
Private Function CheckRequest(ByVal thisSheet As Worksheet, ByVal embeddedobj As Object, progid As String) As String
On Error GoTo CheckRequest_error
If Left$(progid, 10) = "Datastream" Then
CheckRequest = thisSheet.OLEObjects(embeddedobj.Name).Object.request
Else
If Left$(progid, 7) = "DSAFO32" Then
CheckRequest = thisSheet.OLEObjects(embeddedobj.Name).Object.requeststring
Else
CheckRequest = "OHTER CONTROL"
End If
End If
Exit Function
CheckRequest_error:
CheckRequest = "*ERROR* " & Error(Err)
Resume Next
End Function
Private Function CheckType(ByVal thisSheet As Worksheet, ByVal embeddedobject As Shape) As String
On Error GoTo CheckType_error
Select Case thisSheet.OLEObjects(embeddedobject.Name).OLEType
Case xlOLELink
CheckType = "OLE Link"
Case xlOLEControl
CheckType = "OLE Control"
Case xlOLEEmbed
CheckType = "OLE Embed"
Case Else
CheckType = thisSheet.OLEObjects(embeddedobject.Name).OLEType
End Select
Exit Function
CheckType_error:
CheckType = "*ERROR* " & Error(Err)
Resume Next
End Function
Private Function CheckProgID(ByVal thisSheet As Worksheet, ByVal embeddedobject As Shape) As String
On Error GoTo CheckProgID_err
If thisSheet.OLEObjects(embeddedobject.Name).progid <> "" Then
CheckProgID = thisSheet.OLEObjects(embeddedobject.Name).progid
Else
CheckProgID = ""
End If
Exit Function
CheckProgID_err:
CheckProgID = "*ERROR* " & Error(Err)
Resume Next
End Function
Private Function IsControlsCorrupted(wb As Workbook) As Boolean
On Error GoTo eh:
Dim oSheet As Worksheet
Dim oShape As Shape
Dim strProgID As String
Dim strRequest As String
For Each oSheet In wb.Worksheets
For Each oShape In oSheet.Shapes
If oShape.Type = msoEmbeddedOLEObject Or oShape.Type = msoOLEControlObject Then
strProgID = CheckProgID(oSheet, oShape)
If Len(Trim(strProgID)) > 0 And InStr(1, strProgID, "*ERROR*") = 0 Then
strRequest = CheckRequest(oSheet, oShape, strProgID)
If Len(Trim(strRequest)) > 0 And InStr(1, strRequest, "*ERROR*") = 0 Then
Else
IsControlsCorrupted = True
Exit Function
End If
Else
IsControlsCorrupted = True
Exit Function
End If
End If
Next oShape
Next oSheet
Exit Function
eh:
IsControlsCorrupted = True
End Function
'SP7 req 421 Venkat 6-Feb-2007
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
If Not CheckAdvanceInstalled(ActiveWorkbook, SaveAsUI) Then: Cancel = True: Exit Sub
End Sub
'End"
File "Sheet2.cls" (Streampath: "_VBA_PROJECT_CUR/VBA/Sheet2") has code: ""
File "Sheet3.cls" (Streampath: "_VBA_PROJECT_CUR/VBA/Sheet3") has code: ""
File "Sheet6.cls" (Streampath: "_VBA_PROJECT_CUR/VBA/Sheet6") has code: ""
File "Sheet4.cls" (Streampath: "_VBA_PROJECT_CUR/VBA/Sheet4") has code: ""
File "Sheet5.cls" (Streampath: "_VBA_PROJECT_CUR/VBA/Sheet5") has code: ""
File "Sheet8.cls" (Streampath: "_VBA_PROJECT_CUR/VBA/Sheet8") has code: ""
File "Sheet7.cls" (Streampath: "_VBA_PROJECT_CUR/VBA/Sheet7") has code: ""
File "Sheet1.cls" (Streampath: "_VBA_PROJECT_CUR/VBA/Sheet1") has code: "" - source
- Static Parser
- relevance
- 10/10
-
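The static parser's 10/10 "suspicious keyword" verdict further up comes from the bare token CreateObject. What matters is the ProgID handed to it: in the ThisWorkbook listing above it is "DSARegistry.DSCRegistry", used only to call ReadString on a Datastream Advance registry key, not a scripting host, HTTP client or file-writing object, and the remaining sheet modules are empty. The Python below is an added example written for this page (it is not part of the Falcon Sandbox report and not oletools code): it pulls every CreateObject call out of VBA text, resolves the ProgID when it is a string literal and checks it against a short, hand-picked list of ProgIDs routinely used by macro droppers; a ProgID assembled at run time (Chr(), concatenation) is reported for manual review because hiding the literal is exactly how droppers defeat keyword scanners. The sample VBA is constructed: the first routine is trimmed from the listing above, the Dropper routine is an invented contrast case and is not from the analysed workbook.

```python
"""Triage CreateObject() calls in extracted VBA by the ProgID they instantiate."""
import re

# ProgIDs that turn a macro into a downloader/dropper. Hand-picked for this example
# (an assumption), not an exhaustive catalogue.
HIGH_RISK_PROGIDS = {
    "wscript.shell": "command execution",
    "shell.application": "command execution",
    "scripting.filesystemobject": "file system access",
    "adodb.stream": "binary file write",
    "msxml2.xmlhttp": "HTTP download",
    "msxml2.serverxmlhttp": "HTTP download",
    "microsoft.xmlhttp": "HTTP download",
    "winhttp.winhttprequest.5.1": "HTTP download",
}

# Constructed sample: the first routine is trimmed from the ThisWorkbook listing in the report,
# the second is an invented contrast case and is NOT from the analysed workbook.
SAMPLE_VBA = r"""Private Function CheckAdvanceInstalled(wb As Workbook, SaveAsUI As Boolean) As Boolean
    Dim RegisterIt As Object
    Set RegisterIt = CreateObject("DSARegistry.DSCRegistry")
    strValue = RegisterIt.ReadString(-2147483647, "SOFTWARE\Datastream\Datastream Advance\Files", "AdvanceEXEPath")
End Function
' --- constructed contrast cases ---
Sub Dropper()
    Set sh = CreateObject("WScript.Shell")
    Set o = CreateObject(Chr(87) & "Script.Shell")
End Sub
"""

CALL_RE = re.compile(r"\bCreateObject\s*\(", re.IGNORECASE)
LITERAL_RE = re.compile(r'^\s*"([^"]+)"\s*$')


def _balanced_arg(src, open_idx):
    """Return the text inside the parentheses opening at src[open_idx], honouring nesting and strings."""
    depth, in_str = 0, False
    for i in range(open_idx, len(src)):
        c = src[i]
        if c == '"':
            in_str = not in_str
        elif not in_str:
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
                if depth == 0:
                    return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unterminated call: return what is there


def triage_createobject(vba_source):
    """List every CreateObject call with its ProgID (if literal) and a verdict."""
    findings = []
    for m in CALL_RE.finditer(vba_source):
        arg = _balanced_arg(vba_source, m.end() - 1).strip()
        line = vba_source.count("\n", 0, m.start()) + 1
        lit = LITERAL_RE.match(arg)
        if lit is None:
            # ProgID built at run time (Chr(), concatenation, variable): flagged, not ignored
            findings.append({"line": line, "progid": None, "arg": arg,
                             "verdict": "dynamic ProgID (review manually)"})
            continue
        progid = lit.group(1)
        verdict = HIGH_RISK_PROGIDS.get(progid.lower(), "not in high-risk list")
        findings.append({"line": line, "progid": progid, "arg": arg, "verdict": verdict})
    return findings


def needs_escalation(findings):
    """True when any call is high-risk or its ProgID could not be resolved statically."""
    return any(f["verdict"] != "not in high-risk list" for f in findings)


if __name__ == "__main__":
    for f in triage_createobject(SAMPLE_VBA):
        print(f"line {f['line']:>3}: CreateObject({f['arg']}) -> {f['verdict']}")
```

On the workbook's own routine the only call resolves to DSARegistry.DSCRegistry and nothing escalates; the two constructed lines show what a scanner keyed on the bare keyword would lump in with it, and why an unresolvable ProgID deserves the same attention as a known bad one.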
Creates a writable file in a temporary directory
- details
-
"EXCEL.EXE" created file "%TEMP%\~DF74CFC43EB08E74D2.TMP"
"EXCEL.EXE" created file "%TEMP%\~DF40BA2B0FB2A4A206.TMP" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61158"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61158"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\KYIMEShareCachedData.MutexObject.p8ehxOQ"
"\Sessions\1\BaseNamedObjects\KYTransactionServer.MutexObject.p8ehxOQ" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "EXCEL.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 63EC0000
- source
- Loaded Module
-
-
Installation/Persistence
-
Dropped files
- details
-
"CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Hidden Archive ctime=Mon Oct 17 23:10:23 2016 mtime=Mon Oct 17 23:10:23 2016 atime=Mon Oct 17 23:35:00 2016 length=1066496 window=hide"
"1C61DB2E.emf" has type "Windows Enhanced Metafile (EMF) image data version 0x10000"
"index.dat" has type "data"
"8D1C1FDB.emf" has type "Windows Enhanced Metafile (EMF) image data version 0x10000"
"E80521A1.emf" has type "Windows Enhanced Metafile (EMF) image data version 0x10000"
"7B81E020.emf" has type "Windows Enhanced Metafile (EMF) image data version 0x10000" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"EXCEL.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"EXCEL.EXE" touched file "%WINDIR%\Fonts\staticcache.dat"
"EXCEL.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"EXCEL.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"EXCEL.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"EXCEL.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"EXCEL.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"EXCEL.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"EXCEL.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"EXCEL.EXE" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
"EXCEL.EXE" touched file "%WINDIR%\system32\rsaenh.dll"
"EXCEL.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"EXCEL.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"EXCEL.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"EXCEL.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.MSO\8D1C1FDB.emf"
"EXCEL.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B81E020.emf"
"EXCEL.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.MSO\E80521A1.emf" - source
- API Call
- relevance
- 7/10
-
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "=C:\WINNT35\SYSTEM32\COMMAND.COM"
Heuristic match: "pdcaplp08.corpny.csfb.com"
Heuristic match: "pdcgws04.corpny.csfb.com"
Heuristic match: "lns06a-2601.eqteur.csfb.com"
Heuristic match: "pdcgws06.corpny.csfb.com"
Heuristic match: "paul.mctaggart@credit-suisse.com"
Heuristic match: "matthew.hope@credit-suisse.com"
Heuristic match: "james.gurry@credit-suisse.com"
Heuristic match: "michael.slifirski@credit-suisse.com"
Heuristic match: "trina.chen@credit-suisse.com"
Heuristic match: "shinya.yamada@credit-suisse.com"
Heuristic match: "paworamon.suvarnatemee@credit-suisse.com"
Heuristic match: "neelkanth.mishra@credit-suisse.com"
Heuristic match: "michael.shillaker@credit-suisse.com"
Heuristic match: "liam.fitzpatrick@credit-suisse.com"
Heuristic match: "semyon.mironov@credit-suisse.com"
Heuristic match: "mikhail.priklonsky@credit-suisse.com"
Heuristic match: "ralph.profiti@credit-suisse.com"
Heuristic match: "anita.soni@credit-suisse.com"
Heuristic match: "minseok.sinn@credit-suisse.com"
Heuristic match: "conor.rowley@credit-suisse.com"
Heuristic match: "ivano.westin@credit-suisse.com"
Heuristic match: "robert.reynolds@credit-suisse.com"
Heuristic match: "gayle.podurgiel@credit-suisse.com"
Heuristic match: "GMEXICOB.MX"
Heuristic match: "PENOLES.MX"
Heuristic match: "MFRISCOA1.MX"
Heuristic match: "nick.herbert@credit-suisse.com"
Heuristic match: "christian.Prendiville@credit-suisse.com"
Heuristic match: "serena.rochacalejon@credit-suisse.com"
Heuristic match: "prateek.singh@credit-suisse.com"
Heuristic match: "jun.yamaguchi@credit-suisse.com"
Heuristic match: "sam.webb@credit-suisse.com"
Heuristic match: "renan.criscio@credit-suisse.com"
Heuristic match: "gary.xu@credit-suisse.com"
Heuristic match: "hayoung.chung@credit-suisse.com"
Heuristic match: "ravi.shankar@credit-suisse.com"
Heuristic match: "ariyanto.jahja@credit-suisse.com"
Heuristic match: "curt.woodworth@credit-suisse.com"
Heuristic match: "jou.zhang@credit-suisse.com"
Heuristic match: "globalmetals.mining@credit-suisse.com"
Pattern match: "http://research-and-analytics.csfb.com/R2Action.do?tab=EQFrm_Home&TOP_LEVEL=EQFrm_Home&menuid=4"
Heuristic match: "mailto:ariyanto.jahja@credit-suisse.com"
Heuristic match: "mailto:ravi.shankar@credit-suisse.com"
Heuristic match: "mailto:gary.xu@credit-suisse.com"
Heuristic match: "mailto:sam.webb@credit-suisse.com"
Heuristic match: "mailto:jun.yamaguchi@credit-suisse.com"
Heuristic match: "mailto:christian.Prendiville@credit-suisse.com"
Heuristic match: "mailto:gayle.podurgiel@credit-suisse.com"
Heuristic match: "mailto:jou.zhang@credit-suisse.com"
Heuristic match: "mailto:yan.truong@credit-suisse.com"
Heuristic match: "mailto:ivano.westin@credit-suisse.com"
Heuristic match: "mailto:conor.rowley@credit-suisse.com"
Heuristic match: "mailto:curt.woodworth@credit-suisse.com"
Heuristic match: "mailto:nick.herbert@credit-suisse.com"
Heuristic match: "mailto:hayoung.chung@credit-suisse.com"
Heuristic match: "mailto:anita.soni@credit-suisse.com"
Heuristic match: "mailto:matthew.hope@credit-suisse.com"
Heuristic match: "mailto:semyon.mironov@credit-suisse.com"
Heuristic match: "mailto:neelkanth.mishra@credit-suisse.com"
Heuristic match: "mailto:michael.slifirski@credit-suisse.com"
Heuristic match: "mailto:paul.mctaggart@credit-suisse.com" - source
- File/Memory
- relevance
- 10/10
-
File Details
CREDIT SUISSE GLOBAL METALS AND MINING COMPS.xls
- Filename
- CREDIT SUISSE GLOBAL METALS AND MINING COMPS.xls
- Size
- 1MiB (1066496 bytes)
- Type
- xls office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Adnan, Last Saved By: Welekar Aditya (VZDJ 110), Name of Creating Application: Microsoft Excel, Last Printed: Mon Apr 28 11:16:47 2014, Create Time/Date: Wed Feb 10 04:44:11 2010, Last Saved Time/Date: Fri Sep 30 06:59:17 2016, Security: 0
- Architecture
- WINDOWS
- SHA256
- 6ceb187870aace92ea8039c10c4e1683cd8cdd31e3f2c8221af256844b7f4cb8
- MD5
- aff89cb9ebf347b420ff2d31f1a51a19
- SHA1
- d437dac0fad495c9ce1871d2d4c35c2fb3ab8748
Classification (TrID)
- 48.0% (.XLS) Microsoft Excel sheet
- 39.2% (.XLS) Microsoft Excel sheet (alternate)
- 12.8% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- EXCEL.EXE /dde (PID: 3276)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
-
Informative 6
-
CREDIT_SUISSE_GLOBAL_METALS_AND_MINING_COMPS.LNK
- Size
- 633B (633 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Hidden, Archive, ctime=Mon Oct 17 23:10:23 2016, mtime=Mon Oct 17 23:10:23 2016, atime=Mon Oct 17 23:35:00 2016, length=1066496, window=hide
- Runtime Process
- EXCEL.EXE (PID: 3276)
- MD5
- 4c17439a7ba9326ccbfb58d048406e19
- SHA1
- 9460802605cba3371b202be6679eb0c5f2876389
- SHA256
- a66d1edd7510342a2693db571e4de20c6719f03b4e0ec7650f8737e74a3847f9
-
1C61DB2E.emf
- Size
- 3.1KiB (3160 bytes)
- Type
- Windows Enhanced Metafile (EMF) image data version 0x10000
- Runtime Process
- EXCEL.EXE (PID: 3276)
- MD5
- 9f3ed9b35a693b261fececde36bd2550
- SHA1
- 896e400b08670e66766ff0de551c54fd5638e9f5
- SHA256
- 7957e3fb4b2a253c848c231a0a82241e04ab8efb9a504b8a66fc2f815b639d8d
-
index.dat
- Size
- 567B (567 bytes)
- Type
- data
- Runtime Process
- EXCEL.EXE (PID: 3276)
- MD5
- 4cee6780bce50bb38e3898c6ef902245
- SHA1
- b56e166e20ce7ac9acf2eecdf16ddc86837eb30a
- SHA256
- dd6b81735d0a566209e86951489ccec061b68fec7bde6339257fea01665e48be
-
8D1C1FDB.emf
- Size
- 123KiB (125792 bytes)
- Type
- Windows Enhanced Metafile (EMF) image data version 0x10000
- Runtime Process
- EXCEL.EXE (PID: 3276)
- MD5
- 1240435586f8488daa061d1bba60ebd1
- SHA1
- f1ac142c419cfc099ea841f3224e9e3515084822
- SHA256
- dcc46fc267a320d4454bc621a2dab312b73ca72381804906b908fc9fdabe218c
-
E80521A1.emf
- Size
- 73KiB (74788 bytes)
- Type
- Windows Enhanced Metafile (EMF) image data version 0x10000
- Runtime Process
- EXCEL.EXE (PID: 3276)
- MD5
- 72e242e2b89f9ed0345a349ae05e1006
- SHA1
- 56e7059cff17fd7248a6b3e6147bea183765b28f
- SHA256
- e26a23a2ee7771afaac051f1d0331004987365819a073a2f32caab077fa904a4
-
7B81E020.emf
- Size
- 35KiB (35872 bytes)
- Type
- Windows Enhanced Metafile (EMF) image data version 0x10000
- Runtime Process
- EXCEL.EXE (PID: 3276)
- MD5
- eddb07c394eaa293bc39a18cdf364f60
- SHA1
- d71d8b93351536952e8880c2ad6d29c5cf3874c2
- SHA256
- 69f06fe28016efc65c584037fe840ea7b9d609f67800e007b027153eb41b22c6
-