Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

xls.xls

Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Enel SpA, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Nov 3 08:32:50 2022, Last Saved Time/Date: Thu Nov 3 08:32:57 2022, Security: 0

initial sample

Details

Filetype:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Enel SpA, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Nov 3 08:32:50 2022, Last Saved Time/Date: Thu Nov 3 08:32:57 2022, Security: 0
Entropy:	5.342866000055418
Filename:	xls.xls
Filesize:	69120
MD5:	109d15a7d33e671ded911d97bc4a15ab
SHA1:	c6660d40673400505c70af85dfddc735fa50a39f
SHA256:	822d2e533e0537f92fa3ddcbd8cb2a0d7c33ba2ada626e1cae4ecf466ac61e9b
SHA512:	1789d8a5381b24d58150eefb1748b7fa7c5c0782acf53796b517f258d178d6175d4e78717fd4a64c206fd0ee9d8b9bd29444ccc1ef35a337b8ad50548146ce30
SSDEEP:	1536:JcblYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0YtjY+N81LobstcIUvcGJ/uW:2blYkEIuPm3fNRZmbaoFhZhR0cixIHmZ
Preview:	........................>...................................<...................\|..............................................................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Document contains an embedded VBA with functions possibly related to ADO stream file operations	System Summary
Document contains an embedded VBA macro which may execute processes	System Summary
Document contains an embedded VBA macro with suspicious strings	System Summary
Machine Learning detection for sample	AV Detection
Document contains an embedded VBA with functions possibly related to HTTP operations	System Summary	Application Layer Protocol
Document contains embedded VBA macros	System Summary	Scripting
Sample is known by Antivirus	System Summary
Document contains an OLE Workbook stream indicating a Microsoft Excel file	System Summary

C:\Users\user\AppData\Local\Temp\~DF9FCF82E2EEE48593.TMP

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\~DF9FCF82E2EEE48593.TMP
Category:	dropped
Dump:	~DF9FCF82E2EEE48593.TMP.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	512
Whitelisted:	true
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2352
Target ID:	0
Parent PID:	576
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	12:54:15
Date:	03/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f8c0000
Modulesize:	28282880
Wow64:	false

C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	5752
Target ID:	0
Parent PID:	788
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Size:	27110184
MD5:	5D6638F2C8F8571C593999C58866007E
Time:	12:45:29
Date:	03/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa50000
Modulesize:	27131904
Wow64:	true

Domains

Name

Malicious

dooxil.com

91.213.50.111

Details

Name:	dooxil.com
IP:	91.213.50.111
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

91.213.50.111

dooxil.com

unknown

Details

IP:	91.213.50.111
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
ASN number:	49392
ASN name:	ASBAXETNRU
Private:	false
Domain:	dooxil.com

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

w|+

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\66410

66410

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

fa+

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common

QMSessionCount

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\General

LastAutoSavePurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

EXCELFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

it-IT

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems

b38

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems

c38

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV

LastBootTime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0

MSForms

HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0

MSComctlLib

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\24676

24676

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems

%e8

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\General

FileFormatBallotBoxTelemetrySent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-US

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-US

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

EXCELFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingLastSyncTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingLastWriteTime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV

LastBootTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\General

LastAutoSavePurgeTime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400000000000F01FEC\Usage

ProductNonBootFilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400000000000F01FEC\Usage

ProductNonBootFilesIntl_1033

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel

ExcelName

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

+:1

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1040

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\66670

66670

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

v?1

There are 36 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

C3E000

stack

page read and write

21B000

heap

page read and write

424000

heap

page read and write

20D000

heap

page read and write

5DE000

stack

page read and write

1D0000

heap

page read and write

420000

heap

page read and write

7EFE0000

unkown

page readonly

2D0000

heap

page read and write

10000

heap

page read and write

68F000

stack

page read and write

16D000

stack

page read and write

306000

heap

page read and write

BAF000

stack

page read and write

216000

heap

page read and write

1D7000

heap

page read and write

There are 6 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
xls.xls

Files

Processes

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportxls.xls

Files

Processes

Domains

IPs

Registry

Memdumps

IOC Report
xls.xls