Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

9177284661-04302021.xlsm

Microsoft Excel 2007+

initial sample

Details

Filetype:	Microsoft Excel 2007+
Entropy:	7.679226664040162
Filename:	9177284661-04302021.xlsm
Filesize:	114788
MD5:	a8b4e37766d35b543884d8882147eaa2
SHA1:	4356c14118ea9098dabb6d9af620003b7929058a
SHA256:	533c8713c4e10c223a9f8139f9d408ca326aee14a1d88382c91f2ff18cf0f93c
SHA512:	581ee69b843a7657677e1f6b74147f273f340474ff36de56b1d579d0364ccc6c27c2f9dedf4d855bc2841351957a3620dc0327153ff4ff3dc87a2c6ad7eb8a6f
SSDEEP:	3072:K6vKINbjvw548LMb/oqKO8NnS8+60Kcxtc:6AbT648LM7D98Np+Et
Preview:	PK..........!."..R....*.......[Content_Types].xml ...(.........................................................................................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Found malicious Excel 4.0 Macro	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Found Excel 4.0 Macro with suspicious formulas	System Summary
Document contains an embedded VBA macro which executes code when the document is opened / closed	System Summary
Document contains embedded VBA macros	System Summary
Sample is known by Antivirus	System Summary
Document is a ZIP file with path names indicative of goodware	System Summary

C:\Users\user\Desktop\~$9177284661-04302021.xlsm

data

dropped

Details

File:	C:\Users\user\Desktop\~$9177284661-04302021.xlsm
Category:	dropped
Dump:	~$9177284661-04302021.xlsm.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
Size:	330
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malicious Excel 4.0 Macro	System Summary	Scripting
Multi AV Scanner detection for submitted file	AV Detection
Found Excel 4.0 Macro with suspicious formulas	System Summary	Scripting
Document contains an embedded VBA macro which executes code when the document is opened / closed	System Summary	Scripting
Document contains embedded VBA macros	System Summary	Scripting
Creates files inside the user directory	System Summary	Masquerading
Sample is known by Antivirus	System Summary
Document is a ZIP file with path names indicative of goodware	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB62A569.jpg

[TIFF image data, big-endian, direntries=5], baseline, precision 8, 1080x1080, frames 3

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB62A569.jpg
Category:	dropped
Dump:	EB62A569.jpg.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	[TIFF image data, big-endian, direntries=5], baseline, precision 8, 1080x1080, frames 3
Entropy:	7.654577060340879
Encrypted:	false
Ssdeep:	1536:1o1vutINbjOXGw548LBkVb/oyrKXkX89DcO9GQSnIv+C1EDFVxkR7Y90:wvKINbjvw548LMb/oqKO8NnS8+60Kc0
Size:	92379
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Downloads files	Networking	Ingress Tool Transfer

C:\Users\user\AppData\Local\Temp\46FE0000

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\46FE0000
Category:	dropped
Dump:	46FE0000.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	7.69393685758773
Encrypted:	false
Ssdeep:	3072:Gmk7zcrvKINbjvw548LMb/oqKO8NnS8+60Kcu:GXsmAbT648LM7D98Np+Ej
Size:	118458
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\9177284661-04302021.LNK

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:21 2020, mtime=Tue May 4 11:56:48 2021, atime=Tue May 4 11:56:48 2021, length=118468, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\9177284661-04302021.LNK
Category:	dropped
Dump:	9177284661-04302021.LNK.0.dr
ID:	dr_6
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:21 2020, mtime=Tue May 4 11:56:48 2021, atime=Tue May 4 11:56:48 2021, length=118468, window=hide
Entropy:	4.513586876217989
Encrypted:	false
Ssdeep:	24:8L948/XT46kZOBep6Dv3qodM7dD2L948/XT46kZOBep6Dv3qodM7dV:868/XTDkZEmoQh268/XTDkZEmoQ/
Size:	2128
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue May 4 11:56:48 2021, atime=Tue May 4 11:56:48 2021, length=12288, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Category:	dropped
Dump:	Desktop.LNK.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue May 4 11:56:48 2021, atime=Tue May 4 11:56:48 2021, length=12288, window=hide
Entropy:	4.484024614599478
Encrypted:	false
Ssdeep:	12:85Q+H0LgXg/XAlCPCHaXIB8kB/KWUbX+WnicvbxbDtZ3YilMMEpxRljK2yTdJP9O:855Hi/XT46kkBYexDv3qorNru/
Size:	867
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Category:	dropped
Dump:	index.dat.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	ASCII text, with CRLF line terminators
Entropy:	4.517286360501819
Encrypted:	false
Ssdeep:	3:oyBVomxW7SNRfRg9rlNRfRg9rlmxW7SNRfRg9rlv:djQc2pZ2pZc2p1
Size:	112
Whitelisted:	false
Reputation:	low

C:\Users\user\Desktop\27FE0000

data

dropped

Details

File:	C:\Users\user\Desktop\27FE0000
Category:	dropped
Dump:	27FE0000.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	7.693044301214109
Encrypted:	false
Ssdeep:	3072:GmkkSrvKINbjvw548LMb/oqKO8NnS8+60KcL:GXvmAbT648LM7D98Np+Ea
Size:	118468
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2388
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	05:56:45
Date:	04/05/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f7c0000
Modulesize:	27758592
Wow64:	false

URLs

Name

Malicious

http://185.45.193.80/44313,6048108796.dat

185.45.193.80

Details

Name:	http://185.45.193.80/44313,6048108796.dat
IP:	185.45.193.80
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

http://45.144.31.232/44313,6048108796.dat

45.144.31.232

Details

Name:	http://45.144.31.232/44313,6048108796.dat
IP:	45.144.31.232
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

IPs

Domain

Country

Malicious

82.118.21.70

unknown

Ukraine

Details

IP:	82.118.21.70
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	Ukraine
Countrycode:	UKR
ASN number:	204957
ASN name:	GREENFLOID-ASUA
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

45.144.31.232

unknown

United Kingdom

Details

IP:	45.144.31.232
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United Kingdom
Countrycode:	GBR
ASN number:	42994
ASN name:	HQservCommunicationSolutionsIL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

185.45.193.80

unknown

United Arab Emirates

Details

IP:	185.45.193.80
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United Arab Emirates
Countrycode:	ARE
ASN number:	60117
ASN name:	HSAE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

nt7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EF058

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EF44E

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EF557

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EF602

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EF6DD

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EF779

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

$`7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SavedLegacySettings

There are 72 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

44D000

heap default

page read and write

A4F000

unkown

page read and write

60000

unkown

page readonly

60F000

unkown

page read and write

3F4000

heap private

page read and write

417000

heap default

page read and write

BBE000

unkown

page read and write

410000

heap default

page read and write

45B000

heap default

page read and write

24D000

unkown

page read and write

36F000

unkown

page read and write

456000

heap default

page read and write

106000

unkown

page read and write

6DF000

unkown

page read and write

3F0000

heap private

page read and write

6E0000

unkown

page readonly

D0000

unkown

page read and write

There are 7 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

IPs

Registry

Memdumps