Analysis Overview
SHA256
b0298ff6a3e9f4d3acef0032e08987f75e9c6497a5d79d24f8ffd4d2bb07053f
Threat Level: Known bad
The file 4fbf1643e1ceabcde287dd33e125cc75 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-10 05:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-10 05:46
Reported
2024-01-10 05:49
Platform
win7-20231215-en
Max time kernel
0s
Max time network
120s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4fbf1643e1ceabcde287dd33e125cc75.xlsm
C:\Windows\SysWOW64\wscript.exe
wscript C:\zer\spp.vbs
Network
| Country | Destination | Domain | Proto |
| NL | 46.17.98.187:80 | tcp | |
| NL | 46.17.98.187:80 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 216.58.212.238:80 | google.com | tcp |
Files
memory/1888-1-0x00000000726CD000-0x00000000726D8000-memory.dmp
memory/1888-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1888-2-0x00000000726CD000-0x00000000726D8000-memory.dmp
memory/1888-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1888-5-0x00000000726CD000-0x00000000726D8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-10 05:46
Reported
2024-01-10 05:49
Platform
win10v2004-20231222-en