Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

PO-008847332.xlam.xlsx

Microsoft Excel 2007+

initial sample

Details

Filetype:	Microsoft Excel 2007+
Entropy:	7.982376608971824
Filename:	PO-008847332.xlam.xlsx
Filesize:	797580
MD5:	1ceb0704ce7180d31e51d1b19577f8fd
SHA1:	2b36a1718e467f7c651b0f6988c2c00bb2cf510d
SHA256:	87c11e91ae0ec1d31aba83c2e3f3a70a8bccfc731be2be1fe4aaa91681825acd
SHA512:	7443f2a334f5e47b6c9bcd9a2a34cd941d4c0e71d700e10c3fb5b0f126bd3b64b1d34aee0a979a9d97a799ae47ae8ba91968c187c1c6e4b1c72336c6e5e0367c
SSDEEP:	12288:5aF6ZLle9emStTf/lO3Hux7X1qR3RTL77MibFmK8EbbmgHiy1x4OfwI0R:QUOemQw3O9X1ql5L7Ix0mgHiyLS3R
Preview:	PK........&.VY_.."............[Content_Types].xmlUT....,.g.,.g.,.g..Ok.1....\|.E....C......J..I...4..?..c........u./.,..{.7#..7.Uk.............e#~<~..EU.....6b.E\^.}.=n.....4.#J_..C.E...W.1{ ..K.@.`...d.Y......3..l....`u....g..q.....T2OTW;a...H.Y..;W.`.q

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Document misses a certain OLE stream usually present in this Microsoft Office document type	System Summary
Sample is known by Antivirus	System Summary
Document has a 'vbamacros' value indicative of goodware	System Summary

C:\Users\user\AppData\Local\Temp\xyjhromj.exe

HTML document, ASCII text, with very long lines (4070)

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\xyjhromj.exe
Category:	dropped
Dump:	xyjhromj.exe.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Type:	HTML document, ASCII text, with very long lines (4070)
Entropy:	5.649370240383979
Encrypted:	false
Ssdeep:	192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJqYo4i:QJvVGaRF8I8y2i
Size:	7822
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: File Dropped By EQNEDT32EXE	Exploits

C:\Users\user\Desktop\~$PO-008847332.xlam.xlsx

data

dropped

Details

File:	C:\Users\user\Desktop\~$PO-008847332.xlam.xlsx
Category:	dropped
Dump:	~$PO-008847332.xlam.xlsx.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fV:vBFFGS
Size:	165
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Document misses a certain OLE stream usually present in this Microsoft Office document type	System Summary
Creates files inside the user directory	System Summary	Masquerading
Sample is known by Antivirus	System Summary
Document has a 'vbamacros' value indicative of goodware	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\suspendedpage[1].htm

HTML document, ASCII text, with very long lines (4070)

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\suspendedpage[1].htm
Category:	dropped
Dump:	suspendedpage[1].htm.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Type:	HTML document, ASCII text, with very long lines (4070)
Entropy:	5.649370240383979
Encrypted:	false
Ssdeep:	192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJqYo4i:QJvVGaRF8I8y2i
Size:	7822
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Downloads files	Networking	Ingress Tool Transfer

C:\Users\user\Desktop\~$PO-008847332.xlam.xls

data

dropped

Details

File:	C:\Users\user\Desktop\~$PO-008847332.xlam.xls
Category:	dropped
Dump:	~$PO-008847332.xlam.xls.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fV:vBFFGS
Size:	165
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3380
Target ID:	0
Parent PID:	564
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	02:48:44
Date:	24/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f5d0000
Modulesize:	28282880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3576
Target ID:	2
Parent PID:	564
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	02:49:33
Date:	24/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Sigma detected: File Dropped By EQNEDT32EXE	Exploits
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Office Equation Editor has been started	Exploits
Sigma detected: Modification of IE Registry Settings	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://eficienciaeningenieria.com.mx/kdeplu/ngoct2.exe

104.21.53.112

Details

Name:	http://eficienciaeningenieria.com.mx/kdeplu/ngoct2.exe
IP:	104.21.53.112
TargetID:	2
From Memory:	false
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking
URLs found in memory or binary data	Networking

http://eficienciaeningenieria.com.mx/cgi-sys/suspendedpage.cgi

104.21.53.112

Details

Name:	http://eficienciaeningenieria.com.mx/cgi-sys/suspendedpage.cgi
IP:	104.21.53.112
TargetID:	2
From Memory:	false
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking
URLs found in memory or binary data	Networking

http://eficienciaeningenieria.com.mx/kdeplu/ngoct2.exej

unknown

http://eficienciaeningenieria.com.mx/cgi-sys/suspendedpage.cgiB

unknown

http://eficienciaeningenieria.com.mx/cgi-sys/suspendedpage.cgis

unknown

Domains

Name

Malicious

eficienciaeningenieria.com.mx

104.21.53.112

Details

Name:	eficienciaeningenieria.com.mx
IP:	104.21.53.112
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

104.21.53.112

eficienciaeningenieria.com.mx

United States

Details

IP:	104.21.53.112
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	eficienciaeningenieria.com.mx

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

5b/

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

{h/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

EXCELFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

EquationEditorFilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

EquationEditorFilesIntl_1033

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

767E000

stack

page read and write

7680000

heap

page read and write

3570000

heap

page read and write

3585000

heap

page read and write

77BF000

stack

page read and write

23B2000

heap

page read and write

676000

heap

page read and write

783F000

stack

page read and write

291F000

stack

page read and write

2394000

heap

page read and write

6AC000

heap

page read and write

89000

stack

page read and write

7CBF000

stack

page read and write

281E000

stack

page read and write

7ABC000

stack

page read and write

77FC000

stack

page read and write

7BBF000

stack

page read and write

2BDE000

stack

page read and write

2C00000

heap

page read and write

18A000

stack

page read and write

8B0000

heap

page read and write

63E000

heap

page read and write

79BE000

stack

page read and write

600000

heap

page read and write

10000

heap

page read and write

2B9F000

stack

page read and write

607000

heap

page read and write

74F4000

heap

page read and write

2A9E000

stack

page read and write

2C08000

heap

page read and write

7880000

heap

page read and write

240000

heap

page read and write

75EE000

stack

page read and write

336000

heap

page read and write

677000

heap

page read and write

5C0000

heap

page read and write

62F000

heap

page read and write

27DF000

stack

page read and write

1E50000

direct allocation

page read and write

36D000

heap

page read and write

668000

heap

page read and write

2390000

heap

page read and write

7600000

heap

page read and write

74B0000

heap

page read and write

330000

heap

page read and write

624000

heap

page read and write

74DF000

heap

page read and write

8B7000

heap

page read and write

787F000

stack

page read and write

74EF000

heap

page read and write

673000

heap

page read and write

2C04000

heap

page read and write

7E80000

heap

page read and write

26DD000

stack

page read and write

74CD000

heap

page read and write

228E000

stack

page read and write

238F000

stack

page read and write

58F000

stack

page read and write

3EF000

stack

page read and write

74AD000

stack

page read and write

7CE0000

heap

page read and write

2C0B000

heap

page read and write

There are 52 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PO-008847332.xlam.xlsx

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPO-008847332.xlam.xlsx

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
PO-008847332.xlam.xlsx