Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	1552
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	16:54:31
Date:	21/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fe10000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 ..\idefje.ekfd,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2844
Target ID:	3
Parent PID:	1552
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 ..\idefje.ekfd,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	16:54:38
Date:	21/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xffc30000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection

URLs

Name

Malicious

https://kashful.softwarebd.biz/ds/1802.gif

unknown

https://kashful.softwarebd.biz/ds/1802.Dc

unknown

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check

unknown

http://www.windows.com/pctv.

unknown

http://investor.msn.com

unknown

http://www.msnbc.com/news/ticker.txt

unknown

http://www.icra.org/vocabulary/.

unknown

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

http://www.hotmail.com/oe

unknown

http://investor.msn.com/

unknown

http://cert.int-x1.letsencrypt.org/

unknown

http://cps.root-x1.letsencrypt.org0

unknown

There are 2 hidden URLs, click here to show them.

Domains

Name

Malicious

kashful.softwarebd.biz

185.151.30.170

Details

Name:	kashful.softwarebd.biz
IP:	185.151.30.170
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection,
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Performs DNS lookups	Networking,	Application Layer Protocol Non-Application Layer Protocol
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

cert.int-x1.letsencrypt.org

unknown

IPs

Domain

Country

Active

Malicious

185.151.30.170

unknown

United Kingdom

unknown

Details

IP:	185.151.30.170
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United Kingdom
Countrycode:	GBR
ASN number:	48254
ASN name:	TWENTYIGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking,

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

|h2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EB809

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EBA0C

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EBAC7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EBB82

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EBBFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

kp2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\system32\qagentrt.dll,-10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-843

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-844

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\wuaueng.dll,-400

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F5792

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F5918

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SavedLegacySettings

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

There are 110 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2ED000

heap default

page read and write

2989000

unkown

page readonly

2260000

heap private

page read and write

2966000

unkown

page readonly

2BD0000

unkown

page readonly

2912000

unkown

page readonly

2844000

unkown

page readonly

2906000

unkown

page readonly

DD000

unkown

page read and write

4D0000

unkown

page readonly

2D0000

unkown

page read and write

2265000

heap private

page read and write

2B72000

unkown

page readonly

2864000

unkown

page readonly

1D0000

heap default

page read and write

2BB0000

unkown

page readonly

29E2000

unkown

page readonly

2BF0000

unkown

page readonly

2942000

unkown

page readonly

254000

heap private

page read and write

29A5000

unkown

page readonly

4C0000

heap private

page read and write

28F5000

unkown

page readonly

E0000

unkown

page read and write

29E9000

unkown

page readonly

3D0000

unkown

page write copy

2025000

heap private

page read and write

2C10000

unkown

page readonly

2FB000

heap default

page read and write

2A05000

unkown

page readonly

20000

unkown

page readonly

2925000

unkown

page readonly

2969000

unkown

page readonly

2982000

unkown

page readonly

186000

unkown

page read and write

2682000

unkown

page readonly

54F000

unkown

page read and write

1BF0000

unkown

page readonly

29B2000

unkown

page readonly

1D7000

heap default

page read and write

2020000

heap private

page read and write

2F6000

heap default

page read and write

250000

heap private

page read and write

205B000

heap private

page read and write

29D5000

unkown

page readonly

2269000

heap private

page read and write

2782000

unkown

page readonly

28C5000

unkown

page readonly

20C0000

heap private

page read and write

60000

unkown

page readonly

2955000

unkown

page readonly

20E000

heap default

page read and write

2862000

unkown

page readonly

2300000

unkown

page readonly

2140000

unkown

page readonly

28D6000

unkown

page readonly

28E2000

unkown

page readonly

2884000

unkown

page readonly

306000

unkown

page read and write

E0000

unkown

page readonly

22E0000

unkown

page readonly

2B7000

heap default

page read and write

6F0000

unkown

page readonly

2EE0000

unkown

page read and write

296D000

unkown

page readonly

28B2000

unkown

page readonly

2842000

unkown

page readonly

67F000

unkown

page read and write

1DD7000

unkown

page readonly

2936000

unkown

page readonly

42E000

unkown

page read and write

2B0000

heap default

page read and write

2882000

unkown

page readonly

650000

unkown

page readonly

2688000

unkown

page readonly

17B000

unkown

page read and write

4C4000

heap private

page read and write

A3F000

unkown

page read and write

29B9000

unkown

page readonly

150000

unkown

page read and write

D0000

unkown

page read and write

There are 71 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps