Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Marine Tiger.xlsm

Microsoft Excel 2007+

initial sample

Details

Filetype:	Microsoft Excel 2007+
Entropy:	7.2916363654589444
Filename:	Marine Tiger.xlsm
Filesize:	13677
MD5:	18d6c58d438aa199c43cec6503ae2a6c
SHA1:	f2dbad3686195f07db9bac1aa7eba45120069ded
SHA256:	6c92ed33934d5a604f57aac4ff33252720354285291791bed88b6f3f15b9631d
SHA512:	2a0c139a909810abbeea86258c7fa4960b6eb2893e8203a0f5815a080070062957a7aa7ccfc27bd3ef5129c31c03c28139b9e05d2284d52b9f89ec15752c1621
SSDEEP:	192:HePPN4twKo8V99pSKCxW9KBIYU0mT2+QOUSp+Qak1Y5t0SQxizT3W7+p+1iTvVp+:HeHNSVV9GKCZBILhTBY4D9SQITMaT2
Preview:	PK..........!...5Qo...?.......[Content_Types].xml ...(.........................................................................................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection,
Document contains an embedded VBA macro with suspicious strings	System Summary,
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)	System Summary,
Document contains an embedded VBA with hexadecimal encoded strings	System Summary,
Machine Learning detection for sample	AV Detection,
Document contains an embedded VBA macro which executes code when the document is opened / closed	System Summary,
Document contains embedded VBA macros	System Summary,	Scripting
Sample is known by Antivirus	System Summary,

C:\Users\user\Desktop\~$Marine Tiger.xlsm

data

dropped

Details

File:	C:\Users\user\Desktop\~$Marine Tiger.xlsm
Category:	dropped
Dump:	~$Marine Tiger.xlsm.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fV:vBFFGS
Size:	165
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection,
Document contains an embedded VBA macro with suspicious strings	System Summary,	Scripting
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)	System Summary,	Scripting
Document contains an embedded VBA with hexadecimal encoded strings	System Summary,	Scripting
Machine Learning detection for sample	AV Detection,
Document contains an embedded VBA macro which executes code when the document is opened / closed	System Summary,	Scripting
Document contains embedded VBA macros	System Summary,	Scripting
Creates files inside the user directory	System Summary,	Masquerading
Sample is known by Antivirus	System Summary,

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2284
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	08:12:37
Date:	08/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fba0000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\cmd.exe

'C:\Windows\System32\cmd.exe' /c schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I

Details

Is windows:	true
Is dropped:	false
PID:	2464
Target ID:	2
Parent PID:	2284
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	'C:\Windows\System32\cmd.exe' /c schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Size:	345088
MD5:	5746BD7E255DD6A8AFA06F7C42C1BA41
Time:	08:12:38
Date:	08/02/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x4ab10000
Modulesize:	364544
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\schtasks.exe

schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I

Details

Is windows:	true
Is dropped:	false
PID:	2496
Target ID:	4
Parent PID:	2464
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\System32\schtasks.exe
Commandline:	schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Size:	285696
MD5:	97E0EC3D6D99E8CC2B17EF2D3760E8FC
Time:	08:12:39
Date:	08/02/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xfffa0000
Modulesize:	294912
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival,	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Spawns processes	System Summary,	Process Injection

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

(*3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ED0E6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

windir

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

There are 21 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

17D000

unkown

page read and write

E4000

heap private

page read and write

2BB000

heap default

page read and write

3A6000

unkown

page read and write

23F000

unkown

page read and write

C1E000

unkown

page read and write

2AD000

heap default

page read and write

370000

unkown

page read and write

60000

unkown

page readonly

270000

heap default

page read and write

5B0000

unkown

page readonly

277000

heap default

page read and write

2B6000

heap default

page read and write

96F000

unkown

page read and write

5AF000

unkown

page read and write

E0000

heap private

page read and write

There are 6 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

Registry

Memdumps