Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Ref_Order04.xls

Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Apr 23 07:24:16 2024, Security: 1

initial sample

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

data

modified

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF5ff8c1.TMP (copy)

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

data

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst (copy)

PostScript document text

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.3132

PostScript document text

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst (copy)

PostScript document text

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst (copy)

PostScript document text

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.3132

PostScript document text

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\74B64408.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\93FFC36E.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EFC4C163.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F45EDAE1.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

C:\Users\user\AppData\Local\Temp\~DF4B56670EB3637289.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DF64D55B2DB0DD8C11.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DFB539EB711BE446FF.TMP

data

dropped

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store

data

dropped

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei

data

dropped

C:\Users\user\Desktop\2D030000

Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Apr 24 05:51:17 2024, Security: 1

dropped

C:\Users\user\Desktop\2D030000:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

C:\Users\user\Desktop\Ref_Order04.xls (copy)

dropped

There are 14 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	1908
Target ID:	0
Parent PID:	564
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	06:50:37
Date:	24/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f070000
Modulesize:	28282880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Sigma detected: Modification of IE Registry Settings	System Summary
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3088
Target ID:	4
Parent PID:	564
Name:	AcroRd32.exe
Class:	acrobat
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Size:	2525680
MD5:	2F8D93826B8CBF9290BC57535C7A6817
Time:	06:51:05
Date:	24/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1360000
Modulesize:	2539520
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

Details

Is windows:	true
Is dropped:	false
PID:	3400
Target ID:	6
Parent PID:	3088
Name:	RdrCEF.exe
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Size:	9805808
MD5:	326A645391A97C760B60C558A35BB068
Time:	06:51:20
Date:	24/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xd0000
Modulesize:	9830400
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://bun.is/mjai39

76.76.21.98

Details

Name:	http://bun.is/mjai39
IP:	76.76.21.98
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
Document embeds suspicious OLE2 link	System Summary
IP address seen in connection with other malware	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
URLs found in memory or binary data	Networking

Domains

Name

Malicious

bun.is

76.76.21.98

Details

Name:	bun.is
IP:	76.76.21.98
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Document embeds suspicious OLE2 link	System Summary
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

76.76.21.98

bun.is

United States

Details

IP:	76.76.21.98
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	bun.is

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

'-&

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\275CC

275CC

HKEY_CURRENT_USER\Software\Microsoft\GDIPlus

FontCachePath

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

`:&

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU

Max Display

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Max Display

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 1

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 2

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 3

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 4

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 5

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 6

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 7

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 8

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 9

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 10

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 11

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 12

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 13

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 14

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 15

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 16

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 17

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 18

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 19

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 20

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\30F1D

30F1D

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\31017

31017

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\311FB

311FB

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU

Max Display

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU

Item 1

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Max Display

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 1

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 2

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 3

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 4

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 5

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 6

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 7

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 8

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 9

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 10

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 11

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 12

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 13

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 14

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 15

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 16

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 17

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 18

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 19

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 20

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 21

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

EXCELFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\31017

31017

There are 55 hidden registries, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Ref_Order04.xls

Files

Processes

URLs

Domains

IPs

Registry

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportRef_Order04.xls

Files

Processes

URLs

Domains

IPs

Registry

IOC Report
Ref_Order04.xls