Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

C:\Windows\System32\rundll32.exe

rundll32 ..\kdfe.vbox,DllRegisterServer

C:\Windows\SysWOW64\rundll32.exe

rundll32 ..\kdfe.vbox,DllRegisterServer

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn sgovokol /tr 'regsvr32.exe -s \'C:\Users\user\kdfe.vbox\'' /SC ONCE /Z /ST 22:40 /ET 22:52

C:\Windows\System32\regsvr32.exe

regsvr32.exe -s 'C:\Users\user\kdfe.vbox'

C:\Windows\SysWOW64\regsvr32.exe

-s 'C:\Users\user\kdfe.vbox'

C:\Windows\System32\regsvr32.exe

regsvr32.exe -s 'C:\Users\user\kdfe.vbox'

C:\Windows\SysWOW64\regsvr32.exe

-s 'C:\Users\user\kdfe.vbox'

C:\Windows\System32\taskeng.exe

taskeng.exe {DA6299CA-95CA-4E9D-8974-2CC05321254C} S-1-5-18:NT AUTHORITY\System:Service:

URLs

Name

Malicious

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check

unknown

http://www.windows.com/pctv.

unknown

http://investor.msn.com

unknown

http://www.msnbc.com/news/ticker.txt

unknown

http://www.%s.comPA

unknown

http://www.icra.org/vocabulary/.

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

http://www.hotmail.com/oe

unknown

http://servername/isapibackend.dll

unknown

http://investor.msn.com/

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

remedial.aaua.edu.ng

unknown

Details

Name:	remedial.aaua.edu.ng
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

aaua.edu.ng

104.196.7.213

Details

Name:	aaua.edu.ng
IP:	104.196.7.213
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Active

Malicious

104.196.7.213

unknown

United States

unknown

Details

IP:	104.196.7.213
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

bp4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC2E2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC60D

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC6F7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC89C

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC90A

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

pz4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\system32\qagentrt.dll,-10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-843

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-844

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\wuaueng.dll,-400

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F48C3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F4CF8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SavedLegacySettings

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Windows\SysWOW64\explorer.exe

8e79298b

C:\Windows\SysWOW64\explorer.exe

bbe6f9c5

C:\Windows\SysWOW64\explorer.exe

11bbedc

C:\Windows\SysWOW64\explorer.exe

7c13f156

C:\Windows\SysWOW64\explorer.exe

b9a7d9b9

C:\Windows\SysWOW64\explorer.exe

c4af9633

C:\Windows\SysWOW64\explorer.exe

35a9ea0

C:\Windows\SysWOW64\explorer.exe

f130467d

C:\Windows\SysWOW64\explorer.exe

8e79298b

C:\Windows\System32\taskeng.exe

data

There are 115 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

300000

unkown

page execute and read and write

3A0000

unkown

page execute and read and write

6EB000

unkown

page read and write

28E0000

heap private

page read and write

251000

unkown

page read and write

600000

unkown

page readonly

B4E000

unkown

page read and write

90000

unkown

page readonly

510000

unkown

page readonly

650000

unkown

page readonly

A9F000

unkown

page read and write

1CC000

unkown

page read and write

150000

unkown

page read and write

2022000

heap private

page read and write

840000

unkown

page readonly

3A0000

unkown

page read and write

3D0000

unkown

page read and write

7C0000

unkown

page readonly

63E000

unkown

page read and write

14C000

unkown

page read and write

640000

unkown

page readonly

150000

unkown

page read and write

2740000

heap private

page read and write

860000

unkown

page readonly

21D000

stack

page read and write

7EFDF000

unkown

page read and write

B70000

unkown

page readonly

B60000

heap private

page read and write

7EFDF000

unkown

page read and write

5C7000

heap default

page read and write

120000

unkown

page readonly

7B0000

unkown

page readonly

3F7000

heap default

page read and write

29C000

unkown

page read and write

27D000

stack

page read and write

480000

unkown

page read and write

97E000

unkown

page read and write

100000

unkown

page read and write

2B4000

heap private

page read and write

E0000

unkown

page read and write

8D0000

unkown

page readonly

9C0000

heap private

page read and write

CFD000

unkown

page read and write

620000

heap default

page read and write

20E000

heap default

page read and write

20000

unkown

page readonly

D6B000

heap private

page read and write

6F8000

unkown

page read and write

460000

unkown

page read and write

1DD7000

unkown

page readonly

4A0000

unkown

page read and write

B64000

heap private

page read and write

26CE000

stack

page read and write

297000

heap default

page read and write

1BF0000

unkown

page readonly

1010000

unkown

page readonly

370000

heap private

page read and write

6D0000

unkown

page readonly

1EC000

unkown

page read and write

170000

unkown

page read and write

2B0000

heap private

page read and write

14C000

unkown

page read and write

20000

unkown

page readonly

5B0000

unkown

page readonly

616000

heap default

page read and write

1A0000

unkown

page readonly

6F6000

unkown

page read and write

60B000

heap default

page read and write

A7000

heap default

page read and write

90000

unkown

page readonly

A00000

unkown

page readonly

DD000

heap default

page read and write

2E3000

heap default

page read and write

240000

unkown

page read and write

244D000

unkown

page read and write

546000

unkown

page read and write

6A7000

heap default

page read and write

9D0000

unkown

page readonly

247000

unkown

page read and write

20000

unkown

page readonly

B82000

heap private

page read and write

624000

heap private

page read and write

BD0000

unkown

page read and write

254000

unkown

page read and write

7DF000

unkown

page read and write

F0000

unkown

page read and write

D97000

heap private

page read and write

90000

unkown

page readonly

180000

unkown

page readonly

2C9000

heap default

page read and write

363000

heap default

page read and write

234000

heap private

page read and write

D2D000

unkown

page read and write

620000

heap private

page read and write

70000

unkown

page readonly

34E000

heap default

page read and write

875000

heap private

page read and write

60000

unkown

page readonly

4D0000

unkown

page readonly

396000

heap private

page read and write

272F000

unkown

page read and write

1FBE000

unkown

page read and write

6EF000

unkown

page read and write

160000

unkown

page read and write

5F7000

heap default

page read and write

6E5000

heap default

page read and write

2DE0000

unkown

page readonly

42F000

heap default

page read and write

3B6000

unkown

page read and write

25EF000

heap private

page read and write

1090000

unkown

page write copy

470000

unkown

page write copy

2BE000

heap default

page read and write

E0000

unkown

page read and write

480000

unkown

page readonly

6ED000

heap default

page read and write

3F0000

heap default

page read and write

160000

heap default

page read and write

8EF000

heap private

page read and write

AB000

unkown

page read and write

630000

heap private

page read and write

24F000

unkown

page read and write

120000

heap private

page read and write

287000

heap default

page read and write

390000

unkown

page readonly

317000

heap default

page read and write

310000

heap default

page read and write

160000

unkown

page read and write

390000

heap private

page read and write

590000

heap default

page read and write

3D6000

unkown

page read and write

3B0000

heap default

page read and write

100000

unkown

page read and write

A20000

unkown

page readonly

124000

heap private

page read and write

E6F000

unkown

page read and write

27F000

unkown

page read and write

480000

unkown

page read and write

7A0000

unkown

page readonly

4F0000

unkown

page readonly

406000

unkown

page read and write

414000

heap default

page read and write

2387000

unkown

page readonly

280000

heap default

page read and write

394000

heap private

page read and write

DE0000

unkown

page readonly

65E000

unkown

page read and write

21A0000

unkown

page readonly

D90000

heap private

page read and write

634000

heap private

page read and write

6E3000

unkown

page read and write

510000

unkown

page read and write

190000

heap default

page read and write

380000

unkown

page read and write

2CEE000

unkown

page read and write

2D8E000

unkown

page read and write

830000

heap private

page read and write

D0000

unkown

page read and write

430000

unkown

page readonly

2570000

heap private

page read and write

6C4000

heap default

page read and write

20000

unkown

page readonly

6A0000

heap default

page read and write

5C0000

heap default

page read and write

220000

unkown image

page readonly

A0000

heap default

page read and write

D30000

heap private

page read and write

893000

heap private

page read and write

20000

unkown

page readonly

290000

heap default

page read and write

230000

heap private

page read and write

380000

unkown

page read and write

69E000

unkown

page read and write

EB000

heap default

page read and write

2B4000

heap default

page read and write

26DF000

unkown

page read and write

280000

unkown

page execute and read and write

390000

heap private

page read and write

2CF000

heap default

page read and write

7EFDF000

unkown

page read and write

410000

unkown

page read and write

CA0000

heap private

page read and write

2BF0000

unkown

page readonly

25CE000

unkown

page read and write

4B6000

unkown

page read and write

2F5F000

unkown

page read and write

25EF000

heap private

page read and write

3E0000

unkown

page read and write

30E000

heap default

page read and write

36A000

heap default

page read and write

A1F000

unkown

page read and write

2004000

heap private

page read and write

22A000

heap default

page read and write

20000

unkown

page readonly

F0000

unkown

page readonly

B40000

unkown

page read and write

7EFDF000

unkown

page read and write

E6000

heap default

page read and write

25EF000

heap private

page read and write

D34000

heap private

page read and write

1D0000

heap default

page read and write

2ED000

stack

page read and write

137F000

unkown

page read and write

630000

unkown

page readonly

2D0000

heap default

page read and write

840000

heap private

page read and write

20000

unkown

page readonly

1AB000

unkown

page read and write

223000

heap default

page read and write

150000

unkown

page read and write

39C000

unkown

page read and write

2BFB000

unkown

page read and write

2430000

unkown

page read and write

2F0000

heap private

page read and write

100000

unkown

page read and write

2120000

heap private

page read and write

1D7000

heap default

page read and write

B5D000

unkown

page read and write

F10000

unkown

page read and write

4FC000

unkown

page read and write

670000

unkown

page readonly

5E4000

heap default

page read and write

25EF000

heap private

page read and write

2DDF000

unkown

page read and write

3AE000

stack

page read and write

29D000

unkown

page read and write

3B6000

unkown

page read and write

6CE000

unkown

page read and write

CA0000

unkown

page readonly

27E0000

unkown

page readonly

780000

heap private

page read and write

850000

unkown

page readonly

20000

unkown

page readonly

244000

heap default

page read and write

120000

heap private

page read and write

3F0000

unkown

page readonly

150000

unkown

page read and write

446000

unkown

page read and write

D5F000

stack

page read and write

BD0000

unkown

page write copy

800000

heap private

page read and write

2000000

heap private

page read and write

429000

heap default

page read and write

2D7000

heap default

page read and write

26E0000

unkown

page read and write

130000

unkown

page execute and read and write

2040000

unkown

page readonly

60000

unkown

page readonly

6F2000

unkown

page read and write

870000

heap private

page read and write

846000

heap private

page read and write

5FD000

heap default

page read and write

950000

unkown

page readonly

2920000

unkown

page readonly

CE0000

unkown

page read and write

374000

heap private

page read and write

There are 246 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps