Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

PO906-645S790768.xlam.xlsx

Microsoft Excel 2007+

initial sample

Details

Filetype:	Microsoft Excel 2007+
Entropy:	7.9807482507851
Filename:	PO906-645S790768.xlam.xlsx
Filesize:	736638
MD5:	29a10a50eb01fe79324c9cd3dc663941
SHA1:	a36ccbd34c01fed16e27a53751accab681941c5a
SHA256:	ef561a4cdb2a47c93a4b84a825c5ef76cbaf89ae3e1d7bef8034c33e0b8a1c03
SHA512:	91a192057bc8c5dc131567cef6bc698b14b0b0533f3868592732fe6bc94161464eb336d9617a656a598c0522860ae2051bcc5823034da00321794e77e863aa6e
SSDEEP:	12288:TIMD4ybeFnJUQFQtmXo01kvTI3dXQugbXZihxdG3OZLa:NSzCtwozvTI3dvgbpihx43O4
Preview:	PK........j.AY.h."............[Content_Types].xmlUT...iI.fiI.fiI.f.T.n.0....?..."......C......^z[.k.5_ 7...].M......P .....rv....`.6.FL.DT.t46.......&.B......;,......q..T.....Q..T..z(2&.\|.....6.T...../..W.c .TS.!.g.. [..=d...:j..1....d>Q...{.F@J.j .\m.y.Z

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Document misses a certain OLE stream usually present in this Microsoft Office document type	System Summary
Sample is known by Antivirus	System Summary
Document has a 'vbamacros' value indicative of goodware	System Summary

C:\Users\user\Desktop\~$PO906-645S790768.xlam.xlsx

data

dropped

Details

File:	C:\Users\user\Desktop\~$PO906-645S790768.xlam.xlsx
Category:	dropped
Dump:	~$PO906-645S790768.xlam.xlsx.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fV:vBFFGS
Size:	165
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Document misses a certain OLE stream usually present in this Microsoft Office document type	System Summary
Creates files inside the user directory	System Summary	Masquerading
Sample is known by Antivirus	System Summary
Document has a 'vbamacros' value indicative of goodware	System Summary

C:\Users\user\Desktop\~$PO906-645S790768.xlam.xls

data

dropped

Details

File:	C:\Users\user\Desktop\~$PO906-645S790768.xlam.xls
Category:	dropped
Dump:	~$PO906-645S790768.xlam.xls.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fV:vBFFGS
Size:	165
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3200
Target ID:	0
Parent PID:	564
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	04:03:13
Date:	03/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f800000
Modulesize:	28282880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3356
Target ID:	1
Parent PID:	564
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	04:04:01
Date:	03/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Office Equation Editor has been started	Exploits
Sigma detected: Modification of IE Registry Settings	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://plugsbreakers.top/voicxe/mynnft.exe

66.63.187.171

Details

Name:	http://plugsbreakers.top/voicxe/mynnft.exe
IP:	66.63.187.171
TargetID:	1
From Memory:	false
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
URLs found in memory or binary data	Networking

http://plugsbreakers.top/voicxe/mynnft.exej

unknown

http://plugsbreakers.top/voicxe/mynnft.exeiEHT2T

unknown

http://plugsbreakers.top/voicxe/mynnft.exeQHU

unknown

Domains

Name

Malicious

plugsbreakers.top

66.63.187.171

Details

Name:	plugsbreakers.top
IP:	66.63.187.171
TargetID:	1
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

66.63.187.171

plugsbreakers.top

United States

Details

IP:	66.63.187.171
TargetID:	1
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	United States
Countrycode:	USA
ASN number:	8100
ASN name:	ASN-QUADRANET-GLOBALUS
Private:	false
Domain:	plugsbreakers.top

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

t&/

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

j*/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

EXCELFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

EquationEditorFilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

EquationEditorFilesIntl_1033

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1E0000

heap

page read and write

89000

stack

page read and write

7C50000

heap

page read and write

1C1F000

stack

page read and write

2FD000

heap

page read and write

2E3000

heap

page read and write

2BAF000

stack

page read and write

795D000

stack

page read and write

7BEF000

stack

page read and write

7C2F000

stack

page read and write

7A9F000

heap

page read and write

1E40000

direct allocation

page read and write

2C24000

heap

page read and write

287000

heap

page read and write

35A3000

heap

page read and write

7AAF000

heap

page read and write

7A8D000

heap

page read and write

7F3E000

stack

page read and write

7AB4000

heap

page read and write

2CD000

heap

page read and write

1C9E000

stack

page read and write

7BAF000

stack

page read and write

7A70000

heap

page read and write

7DC0000

heap

page read and write

1E6000

heap

page read and write

79DE000

stack

page read and write

640000

heap

page read and write

280000

heap

page read and write

309000

heap

page read and write

813F000

stack

page read and write

1CB0000

heap

page read and write

1D64000

heap

page read and write

647000

heap

page read and write

21D000

heap

page read and write

7A1C000

stack

page read and write

251F000

stack

page read and write

29EF000

stack

page read and write

30E000

heap

page read and write

2A4000

heap

page read and write

18A000

stack

page read and write

7A30000

heap

page read and write

1D60000

heap

page read and write

2C2B000

heap

page read and write

1CFE000

stack

page read and write

8230000

heap

page read and write

2C28000

heap

page read and write

1D82000

heap

page read and write

7E00000

heap

page read and write

2AF000

heap

page read and write

833F000

stack

page read and write

803C000

stack

page read and write

10000

heap

page read and write

2C5000

heap

page read and write

1E30000

heap

page read and write

28EF000

stack

page read and write

2FE000

heap

page read and write

2C8000

heap

page read and write

1D3E000

stack

page read and write

2BED000

stack

page read and write

3590000

heap

page read and write

330000

heap

page read and write

2C20000

heap

page read and write

241F000

stack

page read and write

843F000

stack

page read and write

1C5D000

stack

page read and write

There are 55 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PO906-645S790768.xlam.xlsx

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPO906-645S790768.xlam.xlsx

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
PO906-645S790768.xlam.xlsx