Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Purchase Order # PO-00159.xla.xlsx

Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu May 23 01:48:01 2024, Security: 1

initial sample

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\352F24CE.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BB4DC9C1.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

C:\Users\user\AppData\Local\Temp\ED830000

CDFV2 Encrypted

dropped

C:\Users\user\AppData\Local\Temp\~$imgs.xlsx

data

dropped

C:\Users\user\AppData\Local\Temp\~DF21CF0594A7B9BFCC.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DF316EEE353DDD792D.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DF5D105711B4331728.TMP

Composite Document File V2 Document, Cannot read section info

dropped

C:\Users\user\AppData\Local\Temp\~DFF6AD63B7AC6BEEB6.TMP

Composite Document File V2 Document, Cannot read section info

dropped

C:\Users\user\Desktop\69930000

Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu May 23 19:38:33 2024, Security: 1

dropped

C:\Users\user\Desktop\69930000:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

C:\Users\user\Desktop\Purchase Order # PO-00159.xla.xls (copy)

dropped

C:\Users\user\Desktop\~$Purchase Order # PO-00159.xla.xlsx

data

modified

There are 3 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	1256
Target ID:	0
Parent PID:	564
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	14:37:18
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f320000
Modulesize:	28282880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Sigma detected: Modification of IE Registry Settings	System Summary

URLs

Name

Malicious

http://qr-in.com/YXcuqXy

188.114.96.3

Details

Name:	http://qr-in.com/YXcuqXy
IP:	188.114.96.3
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
URLs found in memory or binary data	Networking

Domains

Name

Malicious

qr-in.com

188.114.96.3

Details

Name:	qr-in.com
IP:	188.114.96.3
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

188.114.96.3

qr-in.com

European Union

Details

IP:	188.114.96.3
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	qr-in.com

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

"#&

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

i+&

HKEY_CURRENT_USER\Software\Microsoft\GDIPlus

FontCachePath

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU

Max Display