Analysis Overview
SHA256
91a9d1482cacbe1adc5b23f56604b376860c13b69894164a9f79f9292d7f79b1
Threat Level: Known bad
The file 1e69c532796ae69da06ba992a1b2f03b was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Suspicious Office macro
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-30 22:26
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 22:26
Reported
2024-01-01 09:02
Platform
win7-20231215-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 22:26
Reported
2024-01-01 09:02
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\Wbem\wmic.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\mshta.exe | |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1e69c532796ae69da06ba992a1b2f03b.xlsb"
C:\Windows\System32\Wbem\wmic.exe
wmic process call create 'mshta C:\ProgramData\XKVFTaGdSiA.sct'
C:\Windows\system32\mshta.exe
mshta C:\ProgramData\XKVFTaGdSiA.sct
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alliancefinancebank.com | udp |
| GB | 185.151.30.188:443 | alliancefinancebank.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.30.151.185.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 162.214.202.31:443 | jalmalapillingworks.com | tcp |
| US | 8.8.8.8:53 | 40.13.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.202.214.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | space.egematey.com | udp |
| DE | 168.119.140.244:443 | space.egematey.com | tcp |
| US | 8.8.8.8:53 | 244.140.119.168.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nileshengineering.co.in | udp |
| US | 162.214.202.31:443 | nileshengineering.co.in | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| GB | 88.221.134.18:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 87.248.204.0:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| IE | 52.111.236.21:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
Files
memory/2496-3-0x00007FFB2BC50000-0x00007FFB2BC60000-memory.dmp
memory/2496-8-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-12-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-16-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-20-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-22-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-23-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-21-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-19-0x00007FFB29460000-0x00007FFB29470000-memory.dmp
memory/2496-18-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-17-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-15-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-13-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-14-0x00007FFB29460000-0x00007FFB29470000-memory.dmp
memory/2496-11-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-10-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-9-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-7-0x00007FFB2BC50000-0x00007FFB2BC60000-memory.dmp
memory/2496-6-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-5-0x00007FFB2BC50000-0x00007FFB2BC60000-memory.dmp
memory/2496-4-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-2-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-1-0x00007FFB2BC50000-0x00007FFB2BC60000-memory.dmp
memory/2496-0-0x00007FFB2BC50000-0x00007FFB2BC60000-memory.dmp
memory/2496-52-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-59-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-60-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-80-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp
memory/2496-79-0x00007FFB2BC50000-0x00007FFB2BC60000-memory.dmp
memory/2496-78-0x00007FFB2BC50000-0x00007FFB2BC60000-memory.dmp
memory/2496-77-0x00007FFB2BC50000-0x00007FFB2BC60000-memory.dmp
memory/2496-76-0x00007FFB2BC50000-0x00007FFB2BC60000-memory.dmp