Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx

Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Oct 23 07:43:41 2024, Security: 1

initial sample

Details

Filetype:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Oct 23 07:43:41 2024, Security: 1
Entropy:	7.581512756769931
Filename:	SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx
Filesize:	100864
MD5:	3d36155c4af65b9dd19c7da9ed0461dd
SHA1:	5ba7e33fbc5c6d208daaf5665176defb13aa1c65
SHA256:	1078b2b307b35167121d518c004f8403f4d52bdb41c9f399fa141bf3a6f3c4ae
SHA512:	25ebb6722308ca49813972d0b75c1d7da76df7dbb17e6c4c5eed8be22541b614d4df4e2133b68dc2d4044caa95be1d66a8ba3a82709f3dc3c9533e92568bfa74
SSDEEP:	1536:piqHy1S6F8b2SQrEkawpoXIogl7t5qjkQVwKNEzXGOsErnUEYzi1dLPfA7:zeFHrE2sIogNt50kQVwKNEdlUTzi1dj
Preview:	........................>...................................N...................Q..............................................................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Excel sheet contains many unusual embedded objects	System Summary
Machine Learning detection for sample	AV Detection
Document contains embedded VBA macros	System Summary	Scripting
Document embeds suspicious OLE2 link	System Summary
Document contains OLE streams with high entropy indicating encrypted embedded content	Hooking and other Techniques for Hiding and Protection	Obfuscated Files or Information
Document contains an OLE Workbook stream indicating a Microsoft Excel file	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Document has an 'encrypted' value indicative of goodware	System Summary

C:\Users\user\Desktop\~$SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx

data

modified

Details

File:	C:\Users\user\Desktop\~$SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx
Category:	modified
Dump:	~$SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fV:vBFFGS
Size:	165
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Excel sheet contains many unusual embedded objects	System Summary
Machine Learning detection for sample	AV Detection
Document contains embedded VBA macros	System Summary	Scripting
Document embeds suspicious OLE2 link	System Summary
Creates files inside the user directory	System Summary	Masquerading
Document contains OLE streams with high entropy indicating encrypted embedded content	Hooking and other Techniques for Hiding and Protection	Obfuscated Files or Information
Document contains an OLE Workbook stream indicating a Microsoft Excel file	System Summary
Sample is known by Antivirus	System Summary
Document has an 'encrypted' value indicative of goodware	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A51302D8.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A51302D8.emf
Category:	dropped
Dump:	A51302D8.emf.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Entropy:	3.1342558498505824
Encrypted:	false
Ssdeep:	1536:7DqEuvAIid/aQGb1BfUErpxTORWEl+tIL22EZCd:iEuWd/adDrvTUP22Bd
Size:	172076
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Downloads files	Networking	Ingress Tool Transfer

C:\Users\user\AppData\Local\Temp\~DFE31BA8F8BB774F26.TMP

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\~DFE31BA8F8BB774F26.TMP
Category:	dropped
Dump:	~DFE31BA8F8BB774F26.TMP.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	512
Whitelisted:	true
Reputation:	high

C:\Users\user\AppData\Local\Temp\~DFED176E1516681872.TMP

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\~DFED176E1516681872.TMP
Category:	dropped
Dump:	~DFED176E1516681872.TMP.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	512
Whitelisted:	true
Reputation:	high

C:\Users\user\Desktop\EC130000

Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Oct 24 20:19:41 2024, Security: 1

dropped

Details

File:	C:\Users\user\Desktop\EC130000
Category:	dropped
Dump:	EC130000.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Oct 24 20:19:41 2024, Security: 1
Entropy:	7.796999868317942
Encrypted:	false
Ssdeep:	1536:6iqHy1S6F8b2SQrEkawpoXIoHwfElrGQZemz70I4:KeFHrE2sIoHtlqMee7u
Size:	91648
Whitelisted:	false
Reputation:	low

C:\Users\user\Desktop\EC130000:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\Desktop\EC130000:Zone.Identifier
Category:	dropped
Dump:	EC130000_Zone.Identifier.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

C:\Users\user\Desktop\SecuriteInfo.com.Other.Malware-gen.26961.24680.xls (copy)

dropped

Details

File:	C:\Users\user\Desktop\SecuriteInfo.com.Other.Malware-gen.26961.24680.xls (copy)
Category:	dropped
Dump:	EC130000.0.dr
ID:	dr_6
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Oct 24 20:19:41 2024, Security: 1
Entropy:	7.796999868317942
Encrypted:	false
Ssdeep:	1536:6iqHy1S6F8b2SQrEkawpoXIoHwfElrGQZemz70I4:KeFHrE2sIoHtlqMee7u
Size:	91648
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3288
Target ID:	0
Parent PID:	564
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	15:19:03
Date:	24/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fee0000
Modulesize:	28282880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Sigma detected: Modification of IE Registry Settings	System Summary

URLs

Name

Malicious

https://u4u.kids/n7pOWA?&regulation=noisy&mixer=needless&brown=grotesque&parent=jumbled&luttuce=famous&harbour=chivalrous&champion=Early&printer

24.199.88.84

Details

Name:	https://u4u.kids/n7pOWA?&regulation=noisy&mixer=needless&brown=grotesque&parent=jumbled&luttuce=famous&harbour=chivalrous&champion=Early&printer
IP:	24.199.88.84
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Document embeds suspicious OLE2 link	System Summary
IP address seen in connection with other malware	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

http://107.175.113.214/xampp/nx/nixogivenbestthingswithgreatthingswillinthelineforgreatthings.hta

107.175.113.214

Details

Name:	http://107.175.113.214/xampp/nx/nixogivenbestthingswithgreatthingswillinthelineforgreatthings.hta
IP:	107.175.113.214
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

https://u4u.kids/n7pOWA?&regulation=noisy&mixer=needless&brown=grotesque&parent=jumbled&luttuce=famo

unknown

Domains

Name

Malicious

u4u.kids

24.199.88.84

Details

Name:	u4u.kids
IP:	24.199.88.84
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Document embeds suspicious OLE2 link	System Summary
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

24.199.88.84

u4u.kids

United States

Details

IP:	24.199.88.84
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	12271
ASN name:	TWC-12271-NYCUS
Private:	false
Domain:	u4u.kids

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

107.175.113.214

unknown

United States

Details

IP:	107.175.113.214
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	36352
ASN name:	AS-COLOCROSSINGUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

`f/

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\28DDE

28DDE

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

-l/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU

Max Display