Malware Analysis Report

2025-08-11 01:42

Sample ID 221109-xvnpqsdagk
Target 036c407c5ff8f377307e137173fd3c18e0f4b1f755fa4074442a2cc2a6df88ef.xls
SHA256 036c407c5ff8f377307e137173fd3c18e0f4b1f755fa4074442a2cc2a6df88ef
Tags
macro xlm
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

036c407c5ff8f377307e137173fd3c18e0f4b1f755fa4074442a2cc2a6df88ef

Threat Level: Likely malicious

The file 036c407c5ff8f377307e137173fd3c18e0f4b1f755fa4074442a2cc2a6df88ef.xls was found to be: Likely malicious.

Malicious Activity Summary

macro xlm

Suspicious Office macro

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-09 19:10

Signatures

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-09 19:10

Reported

2022-11-09 19:13

Platform

win10-20220812-en

Max time kernel

126s

Max time network

141s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\036c407c5ff8f377307e137173fd3c18e0f4b1f755fa4074442a2cc2a6df88ef.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\036c407c5ff8f377307e137173fd3c18e0f4b1f755fa4074442a2cc2a6df88ef.xls"

Network

Country Destination Domain Proto
FR 51.11.192.50:443 tcp
NL 8.238.23.254:80 tcp
US 93.184.220.29:80 tcp

Files

memory/516-116-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp

memory/516-119-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp

memory/516-118-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp

memory/516-117-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp

memory/516-128-0x00007FFF533C0000-0x00007FFF533D0000-memory.dmp

memory/516-129-0x00007FFF533C0000-0x00007FFF533D0000-memory.dmp

memory/516-290-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp

memory/516-291-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp

memory/516-292-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp

memory/516-293-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-09 19:10

Reported

2022-11-09 19:13

Platform

win10-20220812-en

Max time kernel

134s

Max time network

176s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\036c407c5ff8f377307e137173fd3c18e0f4b1f755fa4074442a2cc2a6df88ef.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\036c407c5ff8f377307e137173fd3c18e0f4b1f755fa4074442a2cc2a6df88ef.xls"

Network

Country Destination Domain Proto
US 20.42.65.85:443 tcp

Files

memory/5052-119-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp

memory/5052-118-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp

memory/5052-117-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp

memory/5052-116-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp

memory/5052-128-0x00007FFE48FF0000-0x00007FFE49000000-memory.dmp

memory/5052-129-0x00007FFE48FF0000-0x00007FFE49000000-memory.dmp

memory/5052-289-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp

memory/5052-290-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp

memory/5052-291-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp

memory/5052-292-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp