Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

KZ429 FEB17 BSRec_InvNet.xlsx

Microsoft Excel 2007+

initial sample

Details

Filetype:	Microsoft Excel 2007+
Entropy:	7.974035344901012
Filename:	KZ429 FEB17 BSRec_InvNet.xlsx
Filesize:	1358015
MD5:	31b67f4aa8dccb4ed683563dbc104bd0
SHA1:	ed39326058a73ab569efa22534f79ac9ee9953e7
SHA256:	4137a3675db12038c970e56f94ce7bee7a0d920e2514eabefd9a2b28348fc9eb
SHA512:	5803da5436340626230bb4b84a862a99bb2eb4fbd71d58fccc61514c3a8d9bf395b3eea80bbbd0d5e6d8ea8eda701ced4bb0103ae148c5c72775ba7b439c6a63
SSDEEP:	24576:PU+VurG3iP/t5kHbSqE8TE6eB3PHjfQ3JGMuLH3nS0IbrEXD6Px9Z:PZgrGyn4i8G3PHjfiJgLH3n74rEmB
Preview:	PK..........!..3y.............[Content_Types].xml ...(.........................................................................................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Document has a 'vbamacros' value indicative of goodware	System Summary
Submission file is bigger than most known malware samples	System Summary
Document is a ZIP file with path names indicative of goodware	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98E6EBE4.jpeg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 660x137, frames 3

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98E6EBE4.jpeg
Category:	dropped
Dump:	98E6EBE4.jpeg.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 660x137, frames 3
Entropy:	7.833218523254594
Encrypted:	false
Ssdeep:	768:RPdG3S2uAu5LAbvlGVzYO00pQlDSmM57dx7SiWIKLvW1:RP88Ap+cZ02kpCiWDg
Size:	25938
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9B0D5918.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9B0D5918.emf
Category:	dropped
Dump:	9B0D5918.emf.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Entropy:	2.3433223432482677
Encrypted:	false
Ssdeep:	48:S83IHpHK2n4x//3G7+wJj7IaK0JohkN+DuuHmt:SVHpHKzx//3+xB7IaK0bNIXGt
Size:	5356
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE0576B3.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE0576B3.emf
Category:	dropped
Dump:	AE0576B3.emf.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Entropy:	2.344745671221623
Encrypted:	false
Ssdeep:	48:SE3IHpHK2n4x//3G7+wJj7IaK0VNCedxp41:SNHpHKzx//3+xB7IaK0VUopw
Size:	5348
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Downloads files	Networking	Ingress Tool Transfer

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4851639.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4851639.emf
Category:	dropped
Dump:	E4851639.emf.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Entropy:	4.880532580784114
Encrypted:	false
Ssdeep:	48:ANKfvG+H2cxp2K8R5mPK1PhfP5vVkFuGOa3GEze93tl7ykhA/XbvY+98woStReDk:gKHLYKG5mPKDRv4Og6tO/XP8lEE8
Size:	5004
Whitelisted:	false
Reputation:	low

C:\Users\user\Desktop\~$KZ429 FEB17 BSRec_InvNet.xlsx

data

dropped

Details

File:	C:\Users\user\Desktop\~$KZ429 FEB17 BSRec_InvNet.xlsx
Category:	dropped
Dump:	~$KZ429 FEB17 BSRec_InvNet.xlsx.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fV:vBFFGS
Size:	165
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading
Document has a 'vbamacros' value indicative of goodware	System Summary
Submission file is bigger than most known malware samples	System Summary
Document is a ZIP file with path names indicative of goodware	System Summary

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	668
Target ID:	0
Parent PID:	596
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	00:59:17
Date:	29/01/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f120000
Modulesize:	28282880
Wow64:	false

Domains

Name

Malicious

windowsupdate.s.llnwi.net

41.63.96.0

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

.&.

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

ProductNonBootFilesIntl_1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

EXCELFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

ProductNonBootFilesIntl_1033

Memdumps

Base Address

Regiontype

Protect

Malicious

63F000

stack

page read and write

98F000

stack

page read and write

4AD000

heap

page read and write

440000

heap

page read and write

49D000

heap

page read and write

444000

heap

page read and write

AEE000

stack

page read and write

26D000

stack

page read and write

4A6000

heap

page read and write

460000

heap

page read and write

10000

heap

page read and write

7EFE0000

unkown

page readonly

D0000

heap

page read and write

106000

heap

page read and write

467000

heap

page read and write

There are 5 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

Domains

Registry

Memdumps