Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ACH-6573-15March.xlsx

Microsoft Excel 2007+

initial sample

Details

Filetype:	Microsoft Excel 2007+
Entropy:	7.860351025490348
Filename:	ACH-6573-15March.xlsx
Filesize:	49374
MD5:	fde60a11d2d5ab4723e863053b434337
SHA1:	7afbbc76fde0162904ad9665863a439de8c7a650
SHA256:	afacfa9dddc8e1170e6e30352be71bb8d7484ea9ceec0671aa9877805c456420
SHA512:	234c6149eba890e22da7ef1d46a38f83cd2aab274cfe22d3e2d332e58dd6a85c52066c6af2fb866d49abd5d24a0208fa01685a6bd1c2bf7beb45f7952714c05b
SSDEEP:	768:ZFlppbq6i4Y/TJC4xJMxXcvFLwAPq4Sxv9PvEgzegYN1T/f:tLq94YV7JMxXyd4x+gzexTn
Preview:	PK..........!.\.f.r...........[Content_Types].xml ...(.........................................................................................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Document contains an OLE Workbook stream indicating a Microsoft Excel file	System Summary
Document has a 'vbamacros' value indicative of goodware	System Summary
Document is a ZIP file with path names indicative of goodware	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\619E9856.gif

GIF image data, version 89a, 1400 x 670

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\619E9856.gif
Category:	dropped
Dump:	619E9856.gif.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Type:	GIF image data, version 89a, 1400 x 670
Entropy:	7.978277383272288
Encrypted:	false
Size:	32479
Whitelisted:	false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\626005F.png

PNG image data, 300 x 153, 8-bit/color RGBA, non-interlaced

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\626005F.png
Category:	dropped
Dump:	626005F.png.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Type:	PNG image data, 300 x 153, 8-bit/color RGBA, non-interlaced
Entropy:	7.932768962029169
Encrypted:	false
Size:	7177
Whitelisted:	false

C:\Users\user\AppData\Local\Temp\~DF645802A6CB8EDC27.TMP

Composite Document File V2 Document, Cannot read section info

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\~DF645802A6CB8EDC27.TMP
Category:	dropped
Dump:	~DF645802A6CB8EDC27.TMP.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Type:	Composite Document File V2 Document, Cannot read section info
Entropy:	0.5248092504851318
Encrypted:	false
Size:	16384
Whitelisted:	false

C:\Users\user\Desktop\~$ACH-6573-15March.xlsx

data

dropped

Details

File:	C:\Users\user\Desktop\~$ACH-6573-15March.xlsx
Category:	dropped
Dump:	~$ACH-6573-15March.xlsx.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Type:	data
Entropy:	1.4988604911361962
Encrypted:	false
Size:	165
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading
Document contains an OLE Workbook stream indicating a Microsoft Excel file	System Summary
Document has a 'vbamacros' value indicative of goodware	System Summary
Document is a ZIP file with path names indicative of goodware	System Summary

Domains

Name

Malicious

part-0012.t-0009.t-msedge.net

13.107.213.40

Details

Name:	part-0012.t-0009.t-msedge.net
IP:	13.107.213.40
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

52.109.56.128

unknown

United States

52.113.194.132

unknown

United States

52.109.8.36

unknown

United States

13.107.213.40

part-0012.t-0009.t-msedge.net

United States

Details

IP:	13.107.213.40
TargetID:	0
Current Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	8068
ASN name:	MICROSOFT-CORP-MSN-AS-BLOCKUS
Private:	false
Domain:	part-0012.t-0009.t-msedge.net

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

52.182.143.213

unknown

United States

23.51.58.94

unknown

United States

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ACH-6573-15March.xlsx

Files

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportACH-6573-15March.xlsx

Files

Domains

IPs

IOC Report
ACH-6573-15March.xlsx