Analysis Overview
SHA256
6dbc537d23144b267f2cf60ec2c92aa8a785ed95edecaa9586aa2bbf2628b51a
Threat Level: Known bad
The file 31768471945e6ca95322da8080a89296 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Suspicious Office macro
Modifies Internet Explorer settings
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 09:47
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 09:47
Reported
2024-01-10 05:22
Platform
win7-20231215-en
Max time kernel
1s
Max time network
128s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\MSHTA.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\31768471945e6ca95322da8080a89296.xlsm
C:\Windows\SysWOW64\MSHTA.exe
MSHTA C:\ProgramData\QdCxTbYphUuRZG.sct
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
Files
memory/2012-1-0x0000000072CBD000-0x0000000072CC8000-memory.dmp
memory/2012-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab7689.tmp
| Algorithm | Digest |
|---|---|
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar76CA.tmp
| Algorithm | Digest |
|---|---|
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2012-52-0x0000000072CBD000-0x0000000072CC8000-memory.dmp
memory/2012-55-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2012-56-0x0000000072CBD000-0x0000000072CC8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 09:47
Reported
2024-01-10 05:22
Platform
win10v2004-20231215-en
Max time kernel
82s
Max time network
167s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\MSHTA.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\31768471945e6ca95322da8080a89296.xlsm"
C:\Windows\SYSTEM32\MSHTA.exe
MSHTA C:\ProgramData\QdCxTbYphUuRZG.sct
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
Files
C:\ProgramData\QdCxTbYphUuRZG.sct
| Algorithm | Digest |
|---|---|
| MD5 | 4543691e3046395792569d0fce6c2da2 |
| SHA1 | 721db4d08b6872145b77a01298dfba14b2128766 |
| SHA256 | 51d99cad321960a22ada7d96d9bb143f84549f4c5e466127a208cda69f39e7fc |
| SHA512 | f63a10c9aa98b4612d0c86a376c04f5b1bb30e445412a8571df5565273f0d6a0c363b935a2022400582502994e6d29f50c6ce8bc294075e7407ec5fce39548d2 |