Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	1128
Target ID:	0
Parent PID:	564
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	14:26:55
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fe90000
Modulesize:	28282880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Sigma detected: Modification of IE Registry Settings	System Summary

URLs

Name

Malicious

http://qr-in.com/RtWEZGi

188.114.97.3

Details

Name:	http://qr-in.com/RtWEZGi
IP:	188.114.97.3
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Document embeds suspicious OLE2 link	System Summary
IP address seen in connection with other malware	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
URLs found in memory or binary data	Networking

http://www.day.com/dam/1.0

unknown

Domains

Name

Malicious

qr-in.com

188.114.97.3

Details

Name:	qr-in.com
IP:	188.114.97.3
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Document embeds suspicious OLE2 link	System Summary
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

188.114.97.3

qr-in.com

European Union

Details

IP:	188.114.97.3
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	qr-in.com

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

i *

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\29260

29260

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

q4+

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU

Max Display

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Max Display

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 1

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 2

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 3

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 4

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 5

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 6

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 7

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 8

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 9

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 10

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 11

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 12

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 13

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 14

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 15

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 16

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 17

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 18

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 19

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 20

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\354A5

354A5

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\35DC9

35DC9

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\36181

36181

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU

Max Display

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU

Item 1

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Max Display

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 1

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 2

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 3

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 4

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 5

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 6

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 7

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 8

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 9

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 10

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 11

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 12

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 13

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 14

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 15

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 16

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 17

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 18

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 19

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 20

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 21

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

EXCELFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\35DC9

35DC9

There are 55 hidden registries, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PO 4500025813.xls

Files

Processes

URLs

Domains

IPs

Registry

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPO 4500025813.xls

Files

Processes

URLs

Domains

IPs

Registry

IOC Report
PO 4500025813.xls