Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

2021_0002565_DDT.xls

Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Create Time/Date: Mon Oct 11 09:03:47 2021, Last Saved Time/Date: Mon Oct 11 09:03:49 2021, Security: 0, Comments: ''BRT

initial sample

Details

Filetype:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Create Time/Date: Mon Oct 11 09:03:47 2021, Last Saved Time/Date: Mon Oct 11 09:03:49 2021, Security: 0, Comments: ''BRT
Entropy:	5.314831852450583
Filename:	2021_0002565_DDT.xls
Filesize:	51712
MD5:	5b239ac2b45218ad505553d52203c744
SHA1:	abefd9905f25fdcea76783cfd877c19206d117ab
SHA256:	f3ff9603b23796a30d10ae2cfa0001212752705a3e602371ae74d0f4d8defb71
SHA512:	af1bb5477e46cc4ed1177a0b48a6d187b2a45fa68a28291f10466d85816bae8d6ba1ad1579f1b1f6ef4d276ad73efd98cebf4fe7071349769c6a93dc0cbda5fd
SSDEEP:	1536:dsQlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0THPFDI0LF/yUKAmsiwc:dhlYkEIuPm3fNRZmbaoFhZhR0cixIHmP
Preview:	........................>...................................;..................................................................................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Document contains an embedded VBA macro with suspicious strings	System Summary	Scripting
Document contains embedded VBA macros	System Summary
Document contains an OLE Workbook stream indicating a Microsoft Excel file	System Summary
Document has a 'comments' value indicative of goodware	System Summary	Extra Window Memory Injection

C:\Users\alfredo\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

UTF-8 Unicode text, with very long lines, with no line terminators

dropped

Details

File:	C:\Users\alfredo\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json
Category:	dropped
Dump:	ListAll.Json.0.dr
ID:	dr_6
Target ID:	0
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Entropy:	4.9088149211082355
Encrypted:	false
Size:	379722
Whitelisted:	false
Reputation:	low

C:\Users\alfredo\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_17.ttf

dropped

Details

File:	C:\Users\alfredo\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_17.ttf
Category:	dropped
Dump:	flat_officeFontsPreview_4_17.ttf.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Type:	TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_17RegularVersion 4.17;O365
Entropy:	6.566110770587873
Encrypted:	false
Size:	672416
Whitelisted:	false
Reputation:	low

C:\Users\alfredo\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D01F1074-7A8E-4E0B-A1C2-7BFA61CB3A1A

XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators

dropped

Details

File:	C:\Users\alfredo\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D01F1074-7A8E-4E0B-A1C2-7BFA61CB3A1A
Category:	dropped
Dump:	D01F1074-7A8E-4E0B-A1C2-7BFA61CB3A1A.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Entropy:	5.357962258943721
Encrypted:	false
Size:	139380
Whitelisted:	false
Reputation:	low

C:\Users\alfredo\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

XML 1.0 document, ASCII text, with very long lines, with no line terminators

dropped

Details

File:	C:\Users\alfredo\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Category:	dropped
Dump:	excel.exe_Rules.xml.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Type:	XML 1.0 document, ASCII text, with very long lines, with no line terminators
Entropy:	5.173295416823414
Encrypted:	false
Size:	313927
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection

C:\Users\alfredo\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

data

dropped

Details

File:	C:\Users\alfredo\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Category:	dropped
Dump:	089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Type:	data
Entropy:	3.8556249257072412
Encrypted:	false
Size:	2278
Whitelisted:	false
Reputation:	low

C:\Users\alfredo\AppData\Local\Microsoft\TokenBroker\Cache\9aad439831564ef9f88438a70a63c87e26ef3852.tbres

data

dropped

Details

File:	C:\Users\alfredo\AppData\Local\Microsoft\TokenBroker\Cache\9aad439831564ef9f88438a70a63c87e26ef3852.tbres
Category:	dropped
Dump:	9aad439831564ef9f88438a70a63c87e26ef3852.tbres.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Type:	data
Entropy:	3.990812285105349
Encrypted:	false
Size:	3902
Whitelisted:	false
Reputation:	low

C:\Users\alfredo\AppData\Roaming\Microsoft\Office\Recent\2021_0002565_DDT.LNK

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jun 8 14:37:17 2021, mtime=Wed Oct 13 23:49:32 2021, atime=Wed Oct 13 23:49:26 2021, length=51712, window=hide

dropped

Details

File:	C:\Users\alfredo\AppData\Roaming\Microsoft\Office\Recent\2021_0002565_DDT.LNK
Category:	dropped
Dump:	2021_0002565_DDT.LNK.0.dr
ID:	dr_7
Target ID:	0
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jun 8 14:37:17 2021, mtime=Wed Oct 13 23:49:32 2021, atime=Wed Oct 13 23:49:26 2021, length=51712, window=hide
Entropy:	4.669580883850226
Encrypted:	false
Size:	547
Whitelisted:	false
Reputation:	low

C:\Users\alfredo\AppData\Roaming\Microsoft\Office\Recent\index.dat

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\alfredo\AppData\Roaming\Microsoft\Office\Recent\index.dat
Category:	dropped
Dump:	index.dat.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Type:	ASCII text, with CRLF line terminators
Entropy:	4.548813030410997
Encrypted:	false
Size:	83
Whitelisted:	false
Reputation:	low

IPs

Domain

Country

Malicious

52.113.194.132

unknown

United States

Details

IP:	52.113.194.132
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	8068
ASN name:	MICROSOFT-CORP-MSN-AS-BLOCKUS
Private:	false

52.109.88.177

unknown

United States

Details

IP:	52.109.88.177
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	8075
ASN name:	MICROSOFT-CORP-MSN-AS-BLOCKUS
Private:	false

192.168.2.1

unknown

52.109.28.63

unknown

United States

Details

IP:	52.109.28.63
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	8075
ASN name:	MICROSOFT-CORP-MSN-AS-BLOCKUS
Private:	false

2.21.140.114

unknown

European Union

Details

IP:	2.21.140.114
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Country:	European Union
Countrycode:	EU
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false

20.50.201.195

unknown

United States

Details

IP:	20.50.201.195
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	8075
ASN name:	MICROSOFT-CORP-MSN-AS-BLOCKUS
Private:	false

52.109.88.34

unknown

United States

Details

IP:	52.109.88.34
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	8075
ASN name:	MICROSOFT-CORP-MSN-AS-BLOCKUS
Private:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

IPs