Malware Analysis Report

2025-03-15 06:58

Sample ID 231231-lr8pysgeg3
Target 31768471945e6ca95322da8080a89296
SHA256 6dbc537d23144b267f2cf60ec2c92aa8a785ed95edecaa9586aa2bbf2628b51a
Tags: macro xlm
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

6dbc537d23144b267f2cf60ec2c92aa8a785ed95edecaa9586aa2bbf2628b51a

Threat Level: Known bad

The file 31768471945e6ca95322da8080a89296 was found to be: Known bad.

Malicious Activity Summary

macro xlm

Process spawned unexpected child process

Suspicious Office macro

Modifies Internet Explorer settings

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 09:47

Signatures

Suspicious Office macro

Tags: macro xlm

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 09:47

Reported

2024-01-10 05:22

Platform

win7-20231215-en

Max time kernel

1s

Max time network

128s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\31768471945e6ca95322da8080a89296.xlsm

Signatures

Process spawned unexpected child process

Description: Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
Indicator: N/A
Process: C:\Windows\SysWOW64\MSHTA.exe
Target: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Modifies Internet Explorer settings

Tags: adware spyware

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar
Process: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
Process: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Target: N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\31768471945e6ca95322da8080a89296.xlsm

C:\Windows\SysWOW64\MSHTA.exe

MSHTA C:\ProgramData\QdCxTbYphUuRZG.sct

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp

Files

memory/2012-1-0x0000000072CBD000-0x0000000072CC8000-memory.dmp

memory/2012-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7689.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar76CA.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2012-52-0x0000000072CBD000-0x0000000072CC8000-memory.dmp

memory/2012-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2012-56-0x0000000072CBD000-0x0000000072CC8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 09:47

Reported

2024-01-10 05:22

Platform

win10v2004-20231215-en

Max time kernel

82s

Max time network

167s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\31768471945e6ca95322da8080a89296.xlsm"

Signatures

Process spawned unexpected child process

Description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
Indicator: N/A
Process: C:\Windows\SYSTEM32\MSHTA.exe
Target: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description: Key opened
Indicator: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Enumerates system info in registry

Description: Key opened
Indicator: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Suspicious behavior: AddClipboardFormatListener

Description: N/A
Indicator: N/A
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A
(2 occurrences)

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\31768471945e6ca95322da8080a89296.xlsm"

C:\Windows\SYSTEM32\MSHTA.exe

MSHTA C:\ProgramData\QdCxTbYphUuRZG.sct

Network


Files


C:\ProgramData\QdCxTbYphUuRZG.sct

MD5 4543691e3046395792569d0fce6c2da2
SHA1 721db4d08b6872145b77a01298dfba14b2128766
SHA256 51d99cad321960a22ada7d96d9bb143f84549f4c5e466127a208cda69f39e7fc
SHA512 f63a10c9aa98b4612d0c86a376c04f5b1bb30e445412a8571df5565273f0d6a0c363b935a2022400582502994e6d29f50c6ce8bc294075e7407ec5fce39548d2
