Analysis Overview
SHA256
35e039a66a9affb95d4559db535447a81d2de071708b97f65771ea3a9548f1d9
Threat Level: Known bad
The file caadd85c84ed66919e44d324606f5289 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Suspicious Office macro
Deletes itself
Office loads VBA resources, possible macro or embedded object present
Suspicious use of FindShellTrayWindow
Views/modifies file attributes
Enumerates system info in registry
Modifies Internet Explorer settings
NTFS ADS
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-21 17:07
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-21 17:07
Reported
2023-02-21 17:10
Platform
win7-20230220-en
Max time kernel
108s
Max time network
33s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\91AD6000\:Zone.Identifier:$DATA | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\caadd85c84ed66919e44d324606f5289.xlsm
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
C:\Windows\SysWOW64\attrib.exe
attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
Network
Files
memory/1692-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1692-55-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-57-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-56-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-58-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-59-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-60-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-62-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-61-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-64-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-65-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-67-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-66-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-68-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-69-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-71-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-72-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-73-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-74-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-77-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-78-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-76-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-79-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-81-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-82-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-80-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-75-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-70-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-63-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-83-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1692-105-0x0000000000740000-0x0000000000840000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\k4.xls
| MD5 | 9d3e540b2f18436bf4efa8dd0719596d |
| SHA1 | da19f1cf68e8e73ab6306e86f775796dbda8aebd |
| SHA256 | ca833248e443c79127598a8f5609dd0b9e4721cce87379bd8c686980ab81e3aa |
| SHA512 | 050fa577ab9ff83181333433c38961b43b8baee0f02865acb5ea975750e062c08960911d9bad4aea37be1f2fed36949c860a76735e14143d22deac842ac698d6 |
C:\Users\Admin\AppData\Local\Temp\caadd85c84ed66919e44d324606f5289.xlsm
| MD5 | 1d2dd3723b0d3cccdf6c74a95955776a |
| SHA1 | 425c8e3403cdf200fd9ad28a3253a273f6fcb7c7 |
| SHA256 | f65ce38704b20e4e2527a36ddb2d29951c988ee3cd399fbdabaefac2bc0fdd66 |
| SHA512 | 74d77c5b06a145141715e21dc41a5bc3c09512480f379704cfe7ba8a55d53e79cd5e5c48c03d2d0f7da2e8bf3f508944450a1ddb8d7f18a80dcf9eabd66a155f |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-21 17:07
Reported
2023-02-21 17:10
Platform
win10v2004-20230220-en
Max time kernel
106s
Max time network
118s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\30F75E00\:Zone.Identifier:$DATA | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4420 wrote to memory of 3252 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\system32\cmd.exe |
| PID 4420 wrote to memory of 3252 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\system32\cmd.exe |
| PID 4420 wrote to memory of 1696 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\system32\cmd.exe |
| PID 4420 wrote to memory of 1696 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\system32\cmd.exe |
| PID 4420 wrote to memory of 2232 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\system32\cmd.exe |
| PID 4420 wrote to memory of 2232 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\system32\cmd.exe |
| PID 3252 wrote to memory of 1972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
| PID 3252 wrote to memory of 1972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\caadd85c84ed66919e44d324606f5289.xlsm"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
C:\Windows\system32\attrib.exe
attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.232.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
Files
memory/4420-133-0x00007FFC61A70000-0x00007FFC61A80000-memory.dmp
memory/4420-135-0x00007FFC61A70000-0x00007FFC61A80000-memory.dmp
memory/4420-134-0x00007FFC61A70000-0x00007FFC61A80000-memory.dmp
memory/4420-136-0x00007FFC61A70000-0x00007FFC61A80000-memory.dmp
memory/4420-137-0x00007FFC61A70000-0x00007FFC61A80000-memory.dmp
memory/4420-138-0x00007FFC5F6E0000-0x00007FFC5F6F0000-memory.dmp
memory/4420-139-0x00007FFC5F6E0000-0x00007FFC5F6F0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\k4.xls
| MD5 | 6d1df1dfc32adb3050a0b25c5b4a806a |
| SHA1 | c575448ea82fb84e2c8e52c86388fbf1a0d85fd0 |
| SHA256 | fbdab822f829a75f3b9b1478c8e80f92393d8f57d3804681c3430bea8bbedc74 |
| SHA512 | 5dff4047676c438e13d61b9ecdba5f024629a5fd3e58e627fbe9bb802d54d7d7cd273783be7f57aa4b33d115713fe3d13bda12f43df1f0a6d14ac442d4d6e5f2 |
C:\Users\Admin\AppData\Local\Temp\30F75E00
| MD5 | bff51b94f240dd95101d6fca6ac4aae3 |
| SHA1 | 52d39a6d8ad545963e8089d888f0b27aef808df7 |
| SHA256 | 4304e18876f921b2a962851dbef2dcb2ee2aee3124dac5c14ee26ca3cd656cc9 |
| SHA512 | 810e252e9515341b35d6617400ea2b3c0e25f36aeaf5f1153389c3bf1be37555d10e96333ff285b5c0c7ab8186d7e042671563f2099291a0082a681d8ae482e2 |
memory/4420-230-0x00007FFC61A70000-0x00007FFC61A80000-memory.dmp
memory/4420-231-0x00007FFC61A70000-0x00007FFC61A80000-memory.dmp
memory/4420-232-0x00007FFC61A70000-0x00007FFC61A80000-memory.dmp
memory/4420-233-0x00007FFC61A70000-0x00007FFC61A80000-memory.dmp
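Both detonations wrote a k4.xls into C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART, and the two copies have different hashes (ca833248… on Win7, fbdab822… on Win10), so matching on those hashes alone will miss the next host. The following hunting script is an added example, not part of the report or the sandbox: it walks every user profile, lists every file in the Excel and Word startup folders, hashes each one, flags the hashes above, and also flags any file that is not the user's own PERSONAL.XLSB or carries the Hidden/System attributes the sample had to clear with attrib -S -h. The profile layout, the expected-name list and the constructed fixture in demo() are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 of the k4.xls dropped in the two detonations above (from the report).
KNOWN_BAD_SHA256 = {
    "ca833248e443c79127598a8f5609dd0b9e4721cce87379bd8c686980ab81e3aa",  # win7 run
    "fbdab822f829a75f3b9b1478c8e80f92393d8f57d3804681c3430bea8bbedc74",  # win10 run
}
# Office startup folders relative to a user profile (assumed default layout).
STARTUP_SUBDIRS = (
    Path("AppData/Roaming/Microsoft/Excel/XLSTART"),
    Path("AppData/Roaming/Microsoft/Word/STARTUP"),
)
# Names that are commonly present legitimately; everything else is reported.
EXPECTED_NAMES = {"personal.xlsb", "personal.xls"}
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_hidden_or_system(path: Path) -> bool:
    # st_file_attributes exists only on Windows; elsewhere attributes are unknown.
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def scan_profiles(profiles_root: Path) -> list:
    """Record every file in an Office startup folder under each profile
    (profiles_root is C:\\Users on a real host)."""
    results = []
    for profile in sorted(p for p in Path(profiles_root).iterdir() if p.is_dir()):
        for sub in STARTUP_SUBDIRS:
            folder = profile / sub
            if not folder.is_dir():
                continue
            for f in sorted(folder.rglob("*")):
                if not f.is_file():
                    continue
                digest = sha256_of(f)
                results.append({
                    "path": str(f),
                    "sha256": digest,
                    "known_bad": digest in KNOWN_BAD_SHA256,
                    "expected_name": f.name.lower() in EXPECTED_NAMES,
                    "hidden_or_system": is_hidden_or_system(f),
                })
    return results


def suspicious(results: list) -> list:
    """Anything known-bad, unexpectedly named, or hidden/system is worth triage."""
    return [r for r in results
            if r["known_bad"] or not r["expected_name"] or r["hidden_or_system"]]


def demo() -> list:
    """Constructed fixture: two profiles in a temp dir, one with a placeholder
    K4.XLS in XLSTART and one with only PERSONAL.XLSB. Returns the suspicious hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        victim = root / "Admin" / STARTUP_SUBDIRS[0]
        victim.mkdir(parents=True)
        (victim / "K4.XLS").write_bytes(b"constructed placeholder, not the real workbook")
        clean = root / "Bob" / STARTUP_SUBDIRS[0]
        clean.mkdir(parents=True)
        (clean / "PERSONAL.XLSB").write_bytes(b"constructed placeholder")
        return suspicious(scan_profiles(root))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run scan_profiles(Path(r"C:\Users")) on a real host and review every hit: an XLSTART entry is opened by Excel on every start, so a file there that nobody put there deliberately is a persistence mechanism regardless of whether its hash matches the two recorded here.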