Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	5752
Target ID:	0
Parent PID:	788
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Size:	27110184
MD5:	5D6638F2C8F8571C593999C58866007E
Time:	12:45:29
Date:	03/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa50000
Modulesize:	27131904
Wow64:	true

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2080
Target ID:	0
Parent PID:	576
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	12:32:16
Date:	03/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fc80000
Modulesize:	28282880
Wow64:	false

Domains

Name

Malicious

dooxil.com

91.213.50.111

Details

Name:	dooxil.com
IP:	91.213.50.111
TargetID:	0
Current Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

91.213.50.111

dooxil.com

unknown

Details

IP:	91.213.50.111
TargetID:	0
Current Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
ASN number:	49392
ASN name:	ASBAXETNRU
Private:	false
Domain:	dooxil.com

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

it-IT

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems

b38

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems

c38

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV

LastBootTime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0

MSForms

HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0

MSComctlLib

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\24676

24676

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems

%e8

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\General

FileFormatBallotBoxTelemetrySent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-US

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-US

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

EXCELFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingLastSyncTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingLastWriteTime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV

LastBootTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\General

LastAutoSavePurgeTime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400000000000F01FEC\Usage

ProductNonBootFilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400000000000F01FEC\Usage

ProductNonBootFilesIntl_1033

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel

ExcelName

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

+:1

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1040

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\66670

66670

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

v?1

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common

QMSessionCount

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\General

LastAutoSavePurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

EXCELFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

There are 33 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1ABD6502000

heap

page read and write

92315DC000

stack

page read and write

1ABD6524000

heap

page read and write

1C906C02000

trusted library allocation

page read and write

1ABD5A44000

heap

page read and write

1C90642A000

heap

page read and write

1ABD6528000

heap

page read and write

1ABD5A13000

heap

page read and write

A60B87B000

stack

page read and write

1C906502000

heap

page read and write

1ABD5B02000

heap

page read and write

1ABD5A79000

heap

page read and write

1ABD5A3E000

heap

page read and write

A60B27B000

stack

page read and write

1ABD6510000

heap

page read and write

1ABD5AEE000

heap

page read and write

1ABD5980000

heap

page read and write

A60B77E000

stack

page read and write

1ABD651C000

heap

page read and write

1ABD6531000

heap

page read and write

1C90642C000

heap

page read and write

9231AFD000

stack

page read and write

1ABD6280000

trusted library allocation

page read and write

1ABD5990000

heap

page read and write

1C906400000

heap

page read and write

A60B47D000

stack

page read and write

1C9063B0000

trusted library allocation

page read and write

1C906240000

heap

page read and write

1C906424000

heap

page read and write

9231BFC000

stack

page read and write

1C9062B0000

heap

page read and write

1C906464000

heap

page read and write

1ABD5A2A000

heap

page read and write

1ABD5A79000

heap

page read and write

1ABD6500000

heap

page read and write

1ABD59E0000

heap

page read and write

1C906462000

heap

page read and write

1C906402000

heap

page read and write

1C906413000

heap

page read and write

1ABD6402000

heap

page read and write

1C906250000

heap

page read and write

A60B67B000

stack

page read and write

1ABD5A00000

heap

page read and write

A60B57F000

stack

page read and write

1C90643C000

heap

page read and write

1C906457000

heap

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
xls.xls

Processes

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportxls.xls

Processes

Domains

IPs

Registry

Memdumps

IOC Report
xls.xls