Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Quotation_398893.xlam.xlsx

Microsoft Excel 2007+

initial sample

Details

Filetype:	Microsoft Excel 2007+
Entropy:	7.9984395290620505
Filename:	Quotation_398893.xlam.xlsx
Filesize:	849761
MD5:	8ab8d813d3ca68c8effdb8abbf4a4f86
SHA1:	f26fa096a70eec2a9900e363f63a1e6cafe5e8d4
SHA256:	11a5d3add86410357163004a54f22335583b895a390e7eaf567e423ac7ccfeff
SHA512:	cc5afb9559e049d62133d89c488d12b81c8338bf29177def06f890310ae75ae2964a21d07e3cf6bcbbdc103cfdf102f1ce35111ead80f9c8d247c8b8b663f0a5
SSDEEP:	24576:7Y6dnGcLIS97usf6ZHqRPK21eOWWiB5Etu/3PP4qZaP2/:7YEvLISHkqjEhWVt2PwqZaP2/
Preview:	PK........<-IY2...............[Content_Types].xmlUT......g...g...g.UMk.1......].Jv....sh.[..&.<+.m..BR...;..S.....\.C..7.iF.]........aS>a.:..v......_Y.28..;l.......0.;.L.E...u....I..B.>......2.... 7.Bq1.\|.......`......hru...>..V....+T.....q1.-(...V...O.4/

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Document misses a certain OLE stream usually present in this Microsoft Office document type	System Summary
Sample is known by Antivirus	System Summary
Document has a 'vbamacros' value indicative of goodware	System Summary
Document is a ZIP file with path names indicative of goodware	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vss[1].exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vss[1].exe
Category:	dropped
Dump:	vss[1].exe.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	4.949634118704398
Encrypted:	false
Ssdeep:	384:E7f/5MRXGHE4ii3BmrBDcJ+NaFcwaGFKLRk6bYK+CpPX:EeRgtNYcoicBv+CxX
Size:	30208
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: File Dropped By EQNEDT32EXE	Exploits
Office equation editor drops PE file	System Summary
Drops PE files	Persistence and Installation Behavior
Downloads files	Networking	Ingress Tool Transfer

C:\Users\user\AppData\Local\Temp\opponbvew.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\opponbvew.exe
Category:	dropped
Dump:	opponbvew.exe.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	4.949634118704398
Encrypted:	false
Ssdeep:	384:E7f/5MRXGHE4ii3BmrBDcJ+NaFcwaGFKLRk6bYK+CpPX:EeRgtNYcoicBv+CxX
Size:	30208
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application	System Summary
Sigma detected: Suspicious Microsoft Office Child Process	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\Desktop\~$Quotation_398893.xlam.xlsx

data

dropped

Details

File:	C:\Users\user\Desktop\~$Quotation_398893.xlam.xlsx
Category:	dropped
Dump:	~$Quotation_398893.xlam.xlsx.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fV:vBFFGS
Size:	165
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Document misses a certain OLE stream usually present in this Microsoft Office document type	System Summary
Creates files inside the user directory	System Summary	Masquerading
Sample is known by Antivirus	System Summary
Document has a 'vbamacros' value indicative of goodware	System Summary
Document is a ZIP file with path names indicative of goodware	System Summary

C:\Users\user\Desktop\~$Quotation_398893.xlam.xls

data

dropped

Details

File:	C:\Users\user\Desktop\~$Quotation_398893.xlam.xls
Category:	dropped
Dump:	~$Quotation_398893.xlam.xls.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fV:vBFFGS
Size:	165
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3352
Target ID:	0
Parent PID:	564
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	03:42:44
Date:	10/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13ffc0000
Modulesize:	28282880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3504
Target ID:	1
Parent PID:	564
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	03:43:33
Date:	10/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: File Dropped By EQNEDT32EXE	Exploits
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application	System Summary
Sigma detected: Suspicious Microsoft Office Child Process	System Summary
Office Equation Editor has been started	Exploits
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Sigma detected: Modification of IE Registry Settings	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\opponbvew.exe

Details

Is windows:	false
Is dropped:	true
PID:	3664
Target ID:	4
Parent PID:	3504
Name:	opponbvew.exe
Path:	C:\Users\user\AppData\Local\Temp\opponbvew.exe
Commandline:	C:\Users\user\AppData\Local\Temp\opponbvew.exe
Size:	30208
MD5:	F5435E421FF6FCFC359478B4CF638358
Time:	03:43:35
Date:	10/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xcd0000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application	System Summary
Sigma detected: Suspicious Microsoft Office Child Process	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

https://estqrow.com/rt/vss.exe

154.38.177.76

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

http://crl.entrust.net/server1.crl0

unknown

http://ocsp.entrust.net03

unknown

https://estqrow.com/

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

http://ocsp.entrust.net0D

unknown

https://estqrow.com/rt/vss.exehhC:

unknown

https://secure.comodo.com/CPS0

unknown

https://estqrow.com/rt/vss.exej

unknown

http://crl.entrust.net/2048ca.crl0

unknown

https://estqrow.com/rt/vss.exeC:

unknown

There are 3 hidden URLs, click here to show them.

Domains

Name

Malicious

estqrow.com

154.38.177.76

Details

Name:	estqrow.com
IP:	154.38.177.76
TargetID:	1
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

154.38.177.76

estqrow.com

United States

Details

IP:	154.38.177.76
TargetID:	1
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	United States
Countrycode:	USA
ASN number:	174
ASN name:	COGENT-174US
Private:	false
Domain:	estqrow.com

Signature Hits	Behavior Group	Mitre Attack
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

t&/

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

c+/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

EXCELFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

EquationEditorFilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

EquationEditorFilesIntl_1033

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

There are 11 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

67CD000

stack

page read and write

1B795000

heap

page read and write

1CD5B000

heap

page read and write

2611000

trusted library allocation

page read and write

27EF000

stack

page read and write

680F000

heap

page read and write

6ACC000

stack

page read and write

36C000

heap

page read and write

1CD3E000

heap

page read and write

3610000

heap

page read and write

7FE8B5E2000

trusted library allocation

page read and write

1C8BF000

stack

page read and write

1B02F000

stack

page read and write

1EAE000

stack

page read and write

2DE000

heap

page read and write

2B60000

heap

page read and write

7FE8B686000

trusted library allocation

page read and write

3DF000

stack

page read and write

67D0000

heap

page read and write

7FE8B690000

trusted library allocation

page execute and read and write

7FE8B6B6000

trusted library allocation

page execute and read and write

2A0000

heap

page read and write

1D10000

heap

page read and write

7E6000

heap

page read and write

6B0F000

stack

page read and write

1CCF0000

heap

page read and write

36D000

heap

page read and write

2B20000

heap

page read and write

71D0000

heap

page read and write

C78000

heap

page read and write

2AAE000

stack

page read and write

1B5EB000

heap

page execute and read and write

6E4D000

stack

page read and write

18A000

stack

page read and write

282E000

stack

page read and write

70DF000

stack

page read and write

1B728000

heap

page read and write

10000

heap

page read and write

1B630000

heap

page read and write

1CD2D000

heap

page read and write

1B6EC000

heap

page read and write

6FD0000

heap

page read and write

3E7000

heap

page read and write

1D60000

heap

page read and write

1B0F5000

heap

page read and write

1ABBD000

stack

page read and write

CD2000

unkown

page execute read

2A0000

heap

page read and write

2A4000

heap

page read and write

1C49F000

stack

page read and write

7FE8B5F0000

trusted library allocation

page read and write

266000

stack

page read and write

1B12B000

heap

page read and write

1C69F000

stack

page read and write

CD6000

unkown

page write copy

7210000

heap

page read and write

7FE8B5ED000

trusted library allocation

page execute and read and write

2B00000

remote allocation

page read and write

316000

heap

page read and write

640000

heap

page read and write

1B0F0000

heap

page read and write

CD0000

unkown

page readonly

1D14000

heap

page read and write

2BA0000

heap

page read and write

10000

heap

page read and write

CD8000

unkown

page readonly

1CD79000

heap

page read and write

1F10000

heap

page read and write

7FE8B68C000

trusted library allocation

page execute and read and write

241F000

stack

page read and write

7FFFFF00000

trusted library allocation

page execute and read and write

1B5B5000

heap

page execute and read and write

1F0000

heap

page read and write

2C4000

heap

page read and write

1B6FB000

heap

page read and write

2BA8000

heap

page read and write

67ED000

heap

page read and write

7FE8B5DD000

trusted library allocation

page execute and read and write

2400000

heap

page execute and read and write

474000

heap

page read and write

22E0000

heap

page read and write

12618000

trusted library allocation

page read and write

1F20000

direct allocation

page read and write

7FE8B5D4000

trusted library allocation

page read and write

1C49E000

stack

page read and write | page guard

6814000

heap

page read and write

2BAB000

heap

page read and write

2316000

heap

page read and write

6F8F000

stack

page read and write

7FE8B770000

trusted library allocation

page read and write

260E000

stack

page read and write | page guard

1E6F000

stack

page read and write

CD0000

unkown

page readonly

7FE8B5D3000

trusted library allocation

page execute and read and write

7FE8B6F0000

trusted library allocation

page execute and read and write

7FE8B5F4000

trusted library allocation

page read and write

6F4F000

stack

page read and write

307000

heap

page read and write

365000

heap

page read and write

2BA4000

heap

page read and write

337000

heap

page read and write

67FF000

heap

page read and write

330000

heap

page read and write

3E0000

heap

page read and write

260F000

stack

page read and write

1D32000

heap

page read and write

39C000

heap

page read and write

644000

heap

page read and write

1B681000

heap

page read and write

3A4000

heap

page read and write

6A4E000

stack

page read and write

1AA8E000

stack

page read and write

1B71B000

heap

page read and write

2CF000

heap

page read and write

6D4C000

stack

page read and write

1B790000

heap

page read and write

12611000

trusted library allocation

page read and write

1B799000

heap

page read and write

89000

stack

page read and write

1CD54000

heap

page read and write

12613000

trusted library allocation

page read and write

7FE8B5E0000

trusted library allocation

page read and write

1CD0F000

heap

page read and write

6C4F000

stack

page read and write

6A8C000

stack

page read and write

1B6C3000

heap

page read and write

1B59D000

stack

page read and write

7FE8B5FD000

trusted library allocation

page execute and read and write

7FE8B62C000

trusted library allocation

page execute and read and write

39E000

heap

page read and write

2260000

heap

page read and write

470000

heap

page read and write

1CA2E000

stack

page read and write

6A0F000

stack

page read and write

BF4000

heap

page read and write

2B00000

remote allocation

page read and write

7FE8B780000

trusted library allocation

page execute and read and write

480000

heap

page read and write

292F000

stack

page read and write

7B0000

heap

page read and write

388000

heap

page read and write

7FE8B680000

trusted library allocation

page read and write

360F000

stack

page read and write

1EED000

stack

page read and write

690E000

stack

page read and write

4B6000

heap

page read and write

2A7000

heap

page read and write

100000

trusted library allocation

page read and write

1B817000

heap

page read and write

314000

heap

page read and write

1B810000

heap

page read and write

2AEE000

stack

page read and write

120000

trusted library allocation

page read and write

6B10000

heap

page read and write

1B5B0000

heap

page execute and read and write

There are 145 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Quotation_398893.xlam.xlsx

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportQuotation_398893.xlam.xlsx

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Quotation_398893.xlam.xlsx