Malware Analysis Report

2025-03-15 07:13

Sample ID 230221-vm6t8she6x
Target caadd85c84ed66919e44d324606f5289
SHA256 35e039a66a9affb95d4559db535447a81d2de071708b97f65771ea3a9548f1d9
Tags: macro xlm
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

35e039a66a9affb95d4559db535447a81d2de071708b97f65771ea3a9548f1d9

Threat Level: Known bad

The file caadd85c84ed66919e44d324606f5289 was found to be: Known bad.

Malicious Activity Summary

macro xlm

Process spawned unexpected child process

Suspicious Office macro

Deletes itself

Office loads VBA resources, possible macro or embedded object present

Suspicious use of FindShellTrayWindow

Views/modifies file attributes

Enumerates system info in registry

Modifies Internet Explorer settings

NTFS ADS

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-21 17:07

Signatures

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-21 17:07

Reported

2023-02-21 17:10

Platform

win7-20230220-en

Max time kernel

108s

Max time network

33s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\caadd85c84ed66919e44d324606f5289.xlsm

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A (3 hits) N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\91AD6000\:Zone.Identifier:$DATA C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 1768 (4 events) N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 1436 (4 events) N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 876 (4 events) N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 556 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\caadd85c84ed66919e44d324606f5289.xlsm

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"

C:\Windows\SysWOW64\attrib.exe

attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\k4.xls

MD5 9d3e540b2f18436bf4efa8dd0719596d
SHA1 da19f1cf68e8e73ab6306e86f775796dbda8aebd
SHA256 ca833248e443c79127598a8f5609dd0b9e4721cce87379bd8c686980ab81e3aa
SHA512 050fa577ab9ff83181333433c38961b43b8baee0f02865acb5ea975750e062c08960911d9bad4aea37be1f2fed36949c860a76735e14143d22deac842ac698d6

C:\Users\Admin\AppData\Local\Temp\caadd85c84ed66919e44d324606f5289.xlsm

MD5 1d2dd3723b0d3cccdf6c74a95955776a
SHA1 425c8e3403cdf200fd9ad28a3253a273f6fcb7c7
SHA256 f65ce38704b20e4e2527a36ddb2d29951c988ee3cd399fbdabaefac2bc0fdd66
SHA512 74d77c5b06a145141715e21dc41a5bc3c09512480f379704cfe7ba8a55d53e79cd5e5c48c03d2d0f7da2e8bf3f508944450a1ddb8d7f18a80dcf9eabd66a155f

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-21 17:07

Reported

2023-02-21 17:10

Platform

win10v2004-20230220-en

Max time kernel

106s

Max time network

118s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\caadd85c84ed66919e44d324606f5289.xlsm"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process (3 events) N/A C:\Windows\system32\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A (3 hits) N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\30F75E00\:Zone.Identifier:$DATA C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\caadd85c84ed66919e44d324606f5289.xlsm"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c RD /S /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Del /F /Q "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"

C:\Windows\system32\attrib.exe

attrib -S -h "C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\K4.XLS"

Network

Country Destination Domain Proto
US 93.184.221.240:80 - tcp
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 8.8.8.8:53 24.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 240.232.229.192.in-addr.arpa udp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
US 93.184.221.240:80 - tcp
US 93.184.220.29:80 - tcp
US 93.184.220.29:80 - tcp
US 93.184.221.240:80 - tcp
NL 173.223.113.164:443 - tcp
NL 173.223.113.131:80 - tcp
US 204.79.197.203:80 - tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Excel\XLSTART\k4.xls

MD5 6d1df1dfc32adb3050a0b25c5b4a806a
SHA1 c575448ea82fb84e2c8e52c86388fbf1a0d85fd0
SHA256 fbdab822f829a75f3b9b1478c8e80f92393d8f57d3804681c3430bea8bbedc74
SHA512 5dff4047676c438e13d61b9ecdba5f024629a5fd3e58e627fbe9bb802d54d7d7cd273783be7f57aa4b33d115713fe3d13bda12f43df1f0a6d14ac442d4d6e5f2

C:\Users\Admin\AppData\Local\Temp\30F75E00

MD5 bff51b94f240dd95101d6fca6ac4aae3
SHA1 52d39a6d8ad545963e8089d888f0b27aef808df7
SHA256 4304e18876f921b2a962851dbef2dcb2ee2aee3124dac5c14ee26ca3cd656cc9
SHA512 810e252e9515341b35d6617400ea2b3c0e25f36aeaf5f1153389c3bf1be37555d10e96333ff285b5c0c7ab8186d7e042671563f2099291a0082a681d8ae482e2