Malware Analysis Report

2025-03-15 07:04

Sample ID 231228-scrlfsbag5
Target e559b0253c2430abc0cdb3ec4c174336
SHA256 74652bc35f41b68f965426375c04ce5ab08197507adb00ef8b81eb1b73e7d552
Tags: macro xlm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

74652bc35f41b68f965426375c04ce5ab08197507adb00ef8b81eb1b73e7d552

Threat Level: Known bad

The file e559b0253c2430abc0cdb3ec4c174336 was found to be: Known bad.

Malicious Activity Summary

macro xlm

Process spawned unexpected child process

Suspicious Office macro

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-28 14:59

Signatures

Suspicious Office macro

macro xlm
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-28 14:59

Reported

2024-01-08 19:20

Platform

win7-20231215-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-28 14:59

Reported

2024-01-08 19:20

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

117s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e559b0253c2430abc0cdb3ec4c174336.xlsm"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e559b0253c2430abc0cdb3ec4c174336.xlsm"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32 -silent ..\yeieowur.dll

Network

Country | Destination | Domain | Proto
US | 162.248.227.39:80 | | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

memory/4508-3-0x00007FFF96010000-0x00007FFF96020000-memory.dmp

memory/4508-8-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-11-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-15-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-16-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-19-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-20-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-22-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-23-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-21-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-18-0x00007FFF93F60000-0x00007FFF93F70000-memory.dmp

memory/4508-17-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-14-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-13-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-12-0x00007FFF93F60000-0x00007FFF93F70000-memory.dmp

memory/4508-10-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-9-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-7-0x00007FFF96010000-0x00007FFF96020000-memory.dmp

memory/4508-6-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-5-0x00007FFF96010000-0x00007FFF96020000-memory.dmp

memory/4508-4-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-2-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/4508-1-0x00007FFF96010000-0x00007FFF96020000-memory.dmp

memory/4508-0-0x00007FFF96010000-0x00007FFF96020000-memory.dmp

memory/4508-33-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp