Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	1592
Target ID:	0
Parent PID:	596
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	19:41:16
Date:	21/10/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fdb0000
Modulesize:	28282880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary
Sigma detected: Suspicious WMI Execution	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\wbem\WMIC.exe

wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll'

Details

Is windows:	true
Is dropped:	false
PID:	2032
Target ID:	3
Parent PID:	1592
Name:	WMIC.exe
Class:	system-tools
Path:	C:\Windows\System32\wbem\WMIC.exe
Commandline:	wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll'
Size:	566272
MD5:	FD902835DEAEF4091799287736F3A028
Time:	19:41:20
Date:	21/10/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xff4a0000
Modulesize:	577536
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary
Sigma detected: Suspicious WMI Execution	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\regsvr32.exe

regsvr32 -s C:\Users\Public\codec.dll

Details

Is windows:	true
Is dropped:	false
PID:	836
Target ID:	5
Parent PID:	1304
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\System32\regsvr32.exe
Commandline:	regsvr32 -s C:\Users\Public\codec.dll
Size:	19456
MD5:	59BCE9F07985F8A4204F4D6554CFF708
Time:	19:41:22
Date:	21/10/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xffda0000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Sigma detected: Regsvr32 Anomaly	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Registers a DLL	Data Obfuscation	Regsvr32
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\regsvr32.exe

-s C:\Users\Public\codec.dll

Details

Is windows:	true
Is dropped:	false
PID:	1836
Target ID:	6
Parent PID:	836
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\regsvr32.exe
Commandline:	-s C:\Users\Public\codec.dll
Size:	14848
MD5:	432BE6CF7311062633459EEF6B242FB5
Time:	19:41:23
Date:	21/10/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x3e0000
Modulesize:	28672
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Yara detected Ursnif	Key, Mouse, Clipboard, Microphone and Screen Capturing, E-Banking Fraud, Hooking and other Techniques for Hiding and Protection, Stealing of Sensitive Information, Remote Access Functionality
Sigma detected: Regsvr32 Anomaly	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Registers a DLL	Data Obfuscation	Regsvr32
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

https://iqwasithealth.com/wp-content/uploads/2019/06/a435gfhs109.cms

50.87.248.41

Details

Name:	https://iqwasithealth.com/wp-content/uploads/2019/06/a435gfhs109.cms
IP:	50.87.248.41
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

http://www.%s.comPA

unknown

Details

Name:	http://www.%s.comPA
TargetID:	6
From Memory:	true
Current Path:	C:\Windows\SysWOW64\regsvr32.exe
Source:	regsvr32.exe, 00000006.00000002.674022207.00000000021E0000.00000002.00020000.sdmp
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
TargetID:	6
From Memory:	true
Current Path:	C:\Windows\SysWOW64\regsvr32.exe
Source:	regsvr32.exe, 00000006.00000002.674022207.00000000021E0000.00000002.00020000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://apt.updateffboruse.com/_2BYjuB36DkhB1eXLxT/icgzR9URog3BC5Xw8V6nIs/1N91Pgd5TeSwG/3boxgKnH/mcET

unknown

Details

Name:	http://apt.updateffboruse.com/_2BYjuB36DkhB1eXLxT/icgzR9URog3BC5Xw8V6nIs/1N91Pgd5TeSwG/3boxgKnH/mcET
TargetID:	6
From Memory:	true
Current Path:	C:\Windows\SysWOW64\regsvr32.exe
Source:	regsvr32.exe, 00000006.00000002.673589094.0000000000518000.00000004.00000020.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://servername/isapibackend.dll

unknown

Details

Name:	http://servername/isapibackend.dll
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\System32\wbem\WMIC.exe
Source:	WMIC.exe, 00000003.00000002.415850120.0000000001B60000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.673734417.0000000001D90000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.673666693.0000000001CC0000.00000002.00020000.sdmp
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

iqwasithealth.com

50.87.248.41

Details

Name:	iqwasithealth.com
IP:	50.87.248.41
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

app.updatebrouser.com

unknown

Details

Name:	app.updatebrouser.com
TargetID:	6
Current Path:	C:\Windows\SysWOW64\regsvr32.exe

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection

apt.updateffboruse.com

unknown

Details

Name:	apt.updateffboruse.com
TargetID:	6
Current Path:	C:\Windows\SysWOW64\regsvr32.exe

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

50.87.248.41

iqwasithealth.com

United States

Details

IP:	50.87.248.41
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false
Domain:	iqwasithealth.com

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

|#(

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2DEBB

2DEBB

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

4'(

HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\151\52C64B7E

@%SystemRoot%\system32\qagentrt.dll,-10

HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\151\52C64B7E

@%SystemRoot%\System32\fveui.dll,-843

HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\151\52C64B7E

@%SystemRoot%\System32\fveui.dll,-844

HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\151\52C64B7E

@%SystemRoot%\System32\wuaueng.dll,-400

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\3311E

3311E

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

ProductNonBootFilesIntl_1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

EXCELFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings