Malware Analysis Report

2025-03-15 07:14

Sample ID: 230129-x24drscb4z
Target: 48a3e9b980b570c4414685c37a4cce6a81e32005c825559bc6049f5045385242
SHA256: 48a3e9b980b570c4414685c37a4cce6a81e32005c825559bc6049f5045385242
Tags: macro xlm
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 48a3e9b980b570c4414685c37a4cce6a81e32005c825559bc6049f5045385242

Threat Level: Known bad

The file 48a3e9b980b570c4414685c37a4cce6a81e32005c825559bc6049f5045385242 was found to be: Known bad.

Malicious Activity Summary

Tags: macro xlm

Process spawned unexpected child process

Suspicious Office macro

Blocklisted process makes network request

Checks processor information in registry

Modifies Internet Explorer settings

Enumerates system info in registry

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-01-29 19:21

Signatures

Suspicious Office macro

Tags: macro xlm

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-29 19:21
Reported: 2023-01-29 19:25
Platform: win10v2004-20221111-en
Max time kernel: 167s
Max time network: 192s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\48a3e9b980b570c4414685c37a4cce6a81e32005c825559bc6049f5045385242.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\explorer.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4540 wrote to memory of 4768 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\explorer.exe
PID 4540 wrote to memory of 4768 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\explorer.exe
PID 1152 wrote to memory of 456 | N/A | C:\Windows\explorer.exe | C:\Windows\System32\WScript.exe
PID 1152 wrote to memory of 456 | N/A | C:\Windows\explorer.exe | C:\Windows\System32\WScript.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\48a3e9b980b570c4414685c37a4cce6a81e32005c825559bc6049f5045385242.xls"

C:\Windows\explorer.exe

explorer.exe C:\Users\Public\Documents\L8eI.vbs

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\L8eI.vbs"

Network

Country | Destination | Domain | Proto
N/A | 72.21.91.29:80 | - | tcp
N/A | 84.53.175.11:80 | - | tcp
N/A | 20.189.173.3:443 | - | tcp
N/A | 96.16.53.137:80 | - | tcp
N/A | 96.16.53.137:80 | - | tcp
N/A | 96.16.53.137:80 | - | tcp
N/A | 104.80.225.205:443 | - | tcp
N/A | 20.189.173.11:443 | - | tcp
N/A | 8.8.8.8:53 | statedauto.com | udp
N/A | 54.209.32.212:443 | statedauto.com | tcp
N/A | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp
N/A | 52.71.57.184:443 | statedauto.com | tcp

Files

memory/4540-132-0x00007FFB54410000-0x00007FFB54420000-memory.dmp
memory/4540-134-0x00007FFB54410000-0x00007FFB54420000-memory.dmp
memory/4540-133-0x00007FFB54410000-0x00007FFB54420000-memory.dmp
memory/4540-135-0x00007FFB54410000-0x00007FFB54420000-memory.dmp
memory/4540-136-0x00007FFB54410000-0x00007FFB54420000-memory.dmp
memory/4540-137-0x00007FFB51AB0000-0x00007FFB51AC0000-memory.dmp
memory/4540-138-0x00007FFB51AB0000-0x00007FFB51AC0000-memory.dmp
memory/4768-139-0x0000000000000000-mapping.dmp

C:\Users\Public\Documents\L8eI.vbs

MD5: 17803c6b6961acec9b27d7a4b025444a
SHA1: 3986beb10d337ad145a62b1df574e1f00851c23b
SHA256: 7d2630ec3008c8706c58f1f6ec00f9922e80892b56e98c742467475fc3ad2d02
SHA512: 653cbc455fea8e3f64505b833934af5b06aa1c175b4d5a456caecd534fcd418f560193f2e41c80a36e675c5cfa17040446e0d22c5d4e5dbd44154218113310cf

memory/456-141-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-29 19:21
Reported: 2023-01-29 19:27
Platform: win7-20221111-en
Max time kernel: 251s
Max time network: 335s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\48a3e9b980b570c4414685c37a4cce6a81e32005c825559bc6049f5045385242.xls

Signatures

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\48a3e9b980b570c4414685c37a4cce6a81e32005c825559bc6049f5045385242.xls

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | statedauto.com | udp
N/A | 52.71.57.184:443 | statedauto.com | tcp
N/A | 54.209.32.212:443 | statedauto.com | tcp
N/A | 8.8.8.8:53 | markens.online | udp

Files

memory/620-54-0x000000002F071000-0x000000002F074000-memory.dmp
memory/620-55-0x00000000715C1000-0x00000000715C3000-memory.dmp
memory/620-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/620-57-0x00000000725AD000-0x00000000725B8000-memory.dmp
memory/620-58-0x0000000075491000-0x0000000075493000-memory.dmp
memory/620-59-0x00000000725AD000-0x00000000725B8000-memory.dmp
memory/620-60-0x00000000725AD000-0x00000000725B8000-memory.dmp