Malware Analysis Report

2025-03-15 07:04

Sample ID: 240110-ggnjtagaa3
Target: 4fbf1643e1ceabcde287dd33e125cc75
SHA256: b0298ff6a3e9f4d3acef0032e08987f75e9c6497a5d79d24f8ffd4d2bb07053f
Tags: xlm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: b0298ff6a3e9f4d3acef0032e08987f75e9c6497a5d79d24f8ffd4d2bb07053f

Threat Level: Known bad

The file 4fbf1643e1ceabcde287dd33e125cc75 was found to be: Known bad.

Malicious Activity Summary

- xlm
- Process spawned unexpected child process
- Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-10 05:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-10 05:46
Reported: 2024-01-10 05:49
Platform: win7-20231215-en
Max time kernel: 0s
Max time network: 120s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4fbf1643e1ceabcde287dd33e125cc75.xlsm

Signatures

Process spawned unexpected child process

Description: Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
Indicator:   N/A
Process:     C:\Windows\SysWOW64\wscript.exe
Target:      C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Modifies Internet Explorer settings

Tags: adware, spyware

Process: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (all entries below)
Target:  N/A (all entries below)

Description      Indicator
Set value (str)  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
Key created      \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt
Key created      \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
Set value (str)  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
Set value (int)  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
Key created      \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4fbf1643e1ceabcde287dd33e125cc75.xlsm

C:\Windows\SysWOW64\wscript.exe
  wscript C:\zer\spp.vbs

Network

Country  Destination        Domain      Proto
NL       46.17.98.187:80                tcp
NL       46.17.98.187:80                tcp
US       8.8.8.8:53         google.com  udp
GB       216.58.212.238:80  google.com  tcp

Files

memory/1888-1-0x00000000726CD000-0x00000000726D8000-memory.dmp
memory/1888-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1888-2-0x00000000726CD000-0x00000000726D8000-memory.dmp
memory/1888-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1888-5-0x00000000726CD000-0x00000000726D8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-10 05:46
Reported: 2024-01-10 05:49
Platform: win10v2004-20231222-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A