Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Serbia_Vendor_Creation_1.xlsx

Microsoft Excel 2007+

initial sample

Details

Filetype:	Microsoft Excel 2007+
Entropy:	7.882885545830819
Filename:	Serbia_Vendor_Creation_1.xlsx
Filesize:	130230
MD5:	c1cda6d17a11952fef58a1aa3a47c30f
SHA1:	1c51727af61fd17e8d437a736bf254cd470a54a2
SHA256:	7c3babffc38d4b977d7e8ecef338936e9a002655a6fbbbd4bc2feaecfdbbdcca
SHA512:	980495c5269b79209122e862438fadf1b85f1b1b0b9b0322a2d1ff49f716d3e4ec40aa3924d8e67d3f6eb65f8a4f4a691ad6ec82586a107d17a2689c00ccfdfe
SSDEEP:	1536:9A7uoyHbZzbjC94SCTpIA5TyIUFCpC+1HHH10fZ5KzTSCIHbp46Ej2XfFHqH:67+HFzb/ZuYZAWN14qzWCr6Ej2MH
Preview:	PK..........!..!].............[Content_Types].xml ...(.........................................................................................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Document contains an OLE Workbook stream indicating a Microsoft Excel file	System Summary
Document has a 'vbamacros' value indicative of goodware	System Summary
Document is a ZIP file with path names indicative of goodware	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\40AD1EBD.png

PNG image data, 918 x 680, 8-bit/color RGBA, non-interlaced

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\40AD1EBD.png
Category:	modified
Dump:	40AD1EBD.png.0.dr
ID:	dr_6
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	PNG image data, 918 x 680, 8-bit/color RGBA, non-interlaced
Entropy:	7.91872755440117
Encrypted:	false
Ssdeep:	768:yhShil1HH4o1Qvf+1WIYwISz5xYO3Y9abIHhxPppWVMXi2UJOWAoj2BW0fk:j+1HHH10fZ5KzTSCIHbp46Ej2Xfk
Size:	54350
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C4E2997.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C4E2997.emf
Category:	dropped
Dump:	6C4E2997.emf.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Entropy:	3.5505650261081096
Encrypted:	false
Ssdeep:	96:ydozbTGLIQYC0iiGBjkep0vllllllllllllllCoKkbdV:j+LIQYUrjLallllllllllllllC/ID
Size:	7976
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DB1906E.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DB1906E.emf
Category:	dropped
Dump:	6DB1906E.emf.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Entropy:	3.050501564190144
Encrypted:	false
Ssdeep:	96:OdoeUUUUUUUU7RRRRRRRRRRRRRRRRRRV7RRRRRRRRRRRRRRRRRRV77V77V77V7D6:iqrnxT
Size:	8324
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Downloads files	Networking	Ingress Tool Transfer

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B44946AC.png

PNG image data, 423 x 695, 8-bit/color RGBA, non-interlaced

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B44946AC.png
Category:	dropped
Dump:	B44946AC.png.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	PNG image data, 423 x 695, 8-bit/color RGBA, non-interlaced
Entropy:	7.9626137752387525
Encrypted:	false
Ssdeep:	768:DztA4k8C98Zn+DNCpREJ1XTIpITR6MWT6VuFOIUsIECWEnm8:DzbjC94SCTpIA5TyIUFCp8
Size:	44746
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\6B9E.tmp

Microsoft Excel 2007+

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\6B9E.tmp
Category:	dropped
Dump:	6B9E.tmp.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	Microsoft Excel 2007+
Entropy:	7.882885545830819
Encrypted:	false
Ssdeep:	1536:9A7uoyHbZzbjC94SCTpIA5TyIUFCpC+1HHH10fZ5KzTSCIHbp46Ej2XfFHqH:67+HFzb/ZuYZAWN14qzWCr6Ej2MH
Size:	130230
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\6B9E.tmp:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\6B9E.tmp:Zone.Identifier
Category:	dropped
Dump:	6B9E.tmp_Zone.Identifier.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

C:\Users\user\Desktop\~$Serbia_Vendor_Creation_1.xlsx

data

dropped

Details

File:	C:\Users\user\Desktop\~$Serbia_Vendor_Creation_1.xlsx
Category:	dropped
Dump:	~$Serbia_Vendor_Creation_1.xlsx.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fV:vBFFGS
Size:	165
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading
Document contains an OLE Workbook stream indicating a Microsoft Excel file	System Summary
Document has a 'vbamacros' value indicative of goodware	System Summary
Document is a ZIP file with path names indicative of goodware	System Summary

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3172
Target ID:	0
Parent PID:	564
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	11:13:22
Date:	26/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f1d0000
Modulesize:	28282880
Wow64:	false

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

fo.

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

ProductNonBootFilesIntl_1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2822A

2822A

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

ej.

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

EXCELFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

ProductNonBootFilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

There are 4 hidden registries, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Serbia_Vendor_Creation_1.xlsx

Files

Processes

Registry

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSerbia_Vendor_Creation_1.xlsx

Files

Processes

Registry

IOC Report
Serbia_Vendor_Creation_1.xlsx