Malware Analysis Report

2025-03-15 07:00

Sample ID 231231-dq9lvsfecj
Target 25f943be1bb8caf3d5954dbb68a908b9
SHA256 e5936f60478373eb2bba2acb992531d5c753130937f3ecc160904a5663b4c31b
Tags
macro xlm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e5936f60478373eb2bba2acb992531d5c753130937f3ecc160904a5663b4c31b

Threat Level: Known bad

The file 25f943be1bb8caf3d5954dbb68a908b9 was found to be: Known bad.

Malicious Activity Summary

macro xlm

Process spawned unexpected child process

Suspicious Office macro

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 03:13

Signatures

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 03:13

Reported

2024-01-02 01:58

Platform

win7-20231215-en

Max time kernel

163s

Max time network

213s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\25f943be1bb8caf3d5954dbb68a908b9.xlsm

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\25f943be1bb8caf3d5954dbb68a908b9.xlsm

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 -silent ..\we.hide

Network

Country Destination Domain Proto
US 8.8.8.8:53 metalpro.com.ng udp
CA 198.27.69.89:80 metalpro.com.ng tcp
CA 198.27.69.89:443 metalpro.com.ng tcp
CA 198.27.69.89:443 metalpro.com.ng tcp
CA 198.27.69.89:443 metalpro.com.ng tcp
CA 198.27.69.89:443 metalpro.com.ng tcp

Files

memory/1336-1-0x000000007282D000-0x0000000072838000-memory.dmp

memory/1336-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1336-5-0x000000007282D000-0x0000000072838000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 03:13

Reported

2024-01-02 01:58

Platform

win10v2004-20231215-en

Max time kernel

163s

Max time network

210s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\25f943be1bb8caf3d5954dbb68a908b9.xlsm"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3776 wrote to memory of 3056 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\regsvr32.exe
PID 3776 wrote to memory of 3056 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\regsvr32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\25f943be1bb8caf3d5954dbb68a908b9.xlsm"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32 -silent ..\we.hide

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 metalpro.com.ng udp
CA 198.27.69.89:80 metalpro.com.ng tcp
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 89.69.27.198.in-addr.arpa udp
CA 198.27.69.89:443 metalpro.com.ng tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
CA 198.27.69.89:443 metalpro.com.ng tcp
CA 198.27.69.89:443 metalpro.com.ng tcp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp

Files

memory/3776-0-0x00007FF975390000-0x00007FF9753A0000-memory.dmp

memory/3776-1-0x00007FF975390000-0x00007FF9753A0000-memory.dmp

memory/3776-2-0x00007FF975390000-0x00007FF9753A0000-memory.dmp

memory/3776-4-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

memory/3776-3-0x00007FF975390000-0x00007FF9753A0000-memory.dmp

memory/3776-5-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

memory/3776-6-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

memory/3776-9-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

memory/3776-10-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

memory/3776-8-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

memory/3776-7-0x00007FF975390000-0x00007FF9753A0000-memory.dmp

memory/3776-11-0x00007FF972F40000-0x00007FF972F50000-memory.dmp

memory/3776-12-0x00007FF972F40000-0x00007FF972F50000-memory.dmp

memory/3776-22-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp