Analysis Overview
SHA256
036c407c5ff8f377307e137173fd3c18e0f4b1f755fa4074442a2cc2a6df88ef
Threat Level: Likely malicious
The file 036c407c5ff8f377307e137173fd3c18e0f4b1f755fa4074442a2cc2a6df88ef.xls was found to be: Likely malicious.
Malicious Activity Summary
Suspicious Office macro
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-09 19:10
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
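The static signature above fires with no indicator, so the first thing a practitioner does with this sample is confirm that the .xls is an OLE2 compound document and that it actually carries a VBA project. The script below is an added example (not part of this report and not the sandbox's detector): it checks the OLE2 magic and scans the blob for the UTF-16LE directory-entry names that only exist when VBA is embedded (`_VBA_PROJECT_CUR` for Excel, `Macros` for Word, plus the `VBA` storage and `dir` stream inside them). The sample blobs are constructed in the block and are not the real file.

```python
# Added example: cheap static triage of a legacy Office file for an embedded VBA project.
# Constructed test data only; the real sample is not reproduced here.

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header

# Storage/stream names that appear only when a VBA project is embedded.
# "_VBA_PROJECT_CUR" is Excel's VBA storage, "Macros" is Word's; "VBA" and "dir"
# live inside either. Directory entries store names as NUL-terminated UTF-16LE.
VBA_MARKERS = ("_VBA_PROJECT_CUR", "Macros", "VBA", "dir")


def triage_ole(data: bytes) -> dict:
    """Return whether `data` is OLE2 and which VBA-related directory names it contains."""
    is_ole = data.startswith(OLE_MAGIC)
    found = []
    if is_ole:
        for name in VBA_MARKERS:
            needle = name.encode("utf-16-le") + b"\x00\x00"   # name + UTF-16 terminator
            if needle in data:
                found.append(name)
    has_vba = "_VBA_PROJECT_CUR" in found or "Macros" in found
    return {"is_ole": is_ole, "vba_markers": found, "has_vba": has_vba}


def build_sample(names) -> bytes:
    """Construct an OLE-shaped blob: 512-byte header sector followed by one
    128-byte directory entry per name (64-byte UTF-16LE name field + 64 bytes
    of zeroed metadata). Constructed data, not a real workbook."""
    blob = bytearray(OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC)))
    for name in names:
        enc = name.encode("utf-16-le") + b"\x00\x00"
        blob += enc.ljust(64, b"\x00") + b"\x00" * 64
    return bytes(blob)


# Constructed samples: one with a VBA project, one without, one that is a zip (OOXML), not OLE2.
MACRO_SAMPLE = build_sample(["Root Entry", "Workbook", "_VBA_PROJECT_CUR", "VBA", "dir"])
CLEAN_SAMPLE = build_sample(["Root Entry", "Workbook"])
ZIP_SAMPLE = b"PK\x03\x04" + b"\x00" * 60


if __name__ == "__main__":
    for label, blob in (("macro", MACRO_SAMPLE), ("clean", CLEAN_SAMPLE), ("zip", ZIP_SAMPLE)):
        print(label, triage_ole(blob))
```

Two caveats: a raw byte scan can be fooled by a name that happens to sit in free sectors, so treat a hit as a reason to run a proper parser (olevba from oletools extracts and decodes the actual VBA) rather than a verdict on its own; and Excel 4.0 (XLM) macro sheets live inside the `Workbook` stream, not in a VBA storage, so this check says nothing about them.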
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-09 19:10
Reported
2022-11-09 19:13
Platform
win10-20220812-en
Max time kernel
126s
Max time network
141s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\036c407c5ff8f377307e137173fd3c18e0f4b1f755fa4074442a2cc2a6df88ef.xls"
Network
| Country | Destination | Domain | Proto |
| FR | 51.11.192.50:443 | | tcp |
| NL | 8.238.23.254:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
Files
memory/516-116-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
memory/516-119-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
memory/516-118-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
memory/516-117-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
memory/516-128-0x00007FFF533C0000-0x00007FFF533D0000-memory.dmp
memory/516-129-0x00007FFF533C0000-0x00007FFF533D0000-memory.dmp
memory/516-290-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
memory/516-291-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
memory/516-292-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
memory/516-293-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-09 19:10
Reported
2022-11-09 19:13
Platform
win10-20220812-en
Max time kernel
134s
Max time network
176s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
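The registry rows in both behavioral1 and behavioral2 are the same six reads of `HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0` (`~MHz`, `ProcessorNameString`) and `HKLM\HARDWARE\DESCRIPTION\System\BIOS` (`SystemFamily`, `SystemSKU`), all attributed to EXCEL.EXE because the macro runs inside it. Those two keys together are a classic hardware fingerprint used to decide whether the document is being opened on a real machine. The script below is an added example (not part of this report and not the sandbox's signature logic): it parses rows in the report's own table layout, normalises the mixed-case native paths (registry key names are case-insensitive, which is why the report shows both `Hardware\Description` and `HARDWARE\DESCRIPTION`), groups the reads by fingerprint source, and shows which of the values on a constructed analysis VM would give the VM away. The `REPORT_ROWS` text is copied from the tables above; `VM_TELLS` and `SAMPLE_VALUES` are assumed heuristics and constructed data, not anything the report states.

```python
# Added example: classify sandbox registry-read rows as hardware fingerprinting.
import re
from collections import defaultdict

# Rows in the report's own table layout (copied from the behavioral1/behavioral2 tables).
REPORT_ROWS = r"""
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
"""

ROW_RE = re.compile(r"^\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|")
HKLM_PREFIX = "\\registry\\machine\\"   # native-format prefix the sandbox logs for HKLM

# Keys (lower-cased, HKLM-relative) that identify the physical/virtual platform.
FINGERPRINT_KEYS = {
    r"hardware\description\system\centralprocessor\0": "cpu",
    r"hardware\description\system\bios": "bios",
}


def normalise(path: str) -> str:
    """Strip the native HKLM prefix; keep the original case of what remains."""
    p = path.strip()
    if p.lower().startswith(HKLM_PREFIX):
        p = p[len(HKLM_PREFIX):]
    return p


def classify(rows_text: str) -> dict:
    """process name -> fingerprint category -> sorted value names queried."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in rows_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        op, path, proc = m.group(1), normalise(m.group(2)), m.group(3)
        proc = proc.rsplit("\\", 1)[-1].upper()
        if op.lower() == "key value queried":
            key, _, value = path.rpartition("\\")   # last component is the value name
        else:
            key, value = path, None                 # "Key opened": whole path is the key
        cat = FINGERPRINT_KEYS.get(key.lower())
        if cat is None:
            continue
        bucket = hits[proc][cat]                    # creates the category even for a bare open
        if value:
            bucket.add(value)
    return {p: {c: sorted(v) for c, v in cats.items()} for p, cats in hits.items()}


def verdict(summary: dict, proc: str = "EXCEL.EXE") -> str:
    cats = summary.get(proc, {})
    if len(cats) >= 2:
        return "hardware fingerprinting (multiple sources)"
    return "single source" if cats else "none"


# Assumed heuristics (not from the report): substrings that commonly betray a VM in
# exactly these values, e.g. Hyper-V reports SystemFamily "Virtual Machine", and
# QEMU/VMware show up in ProcessorNameString or the BIOS strings.
VM_TELLS = ("virtual", "vmware", "qemu", "kvm", "virtualbox", "hyper-v", "xen")


def looks_virtual(values: dict) -> list:
    """Value names whose content would reveal a VM to a macro reading these keys."""
    return sorted(name for name, v in values.items()
                  if any(t in str(v).lower() for t in VM_TELLS))


# Constructed example of what the macro might read on a Hyper-V based analysis VM.
SAMPLE_VALUES = {
    "~MHz": 2400,
    "ProcessorNameString": "Intel(R) Xeon(R) CPU E5-2690 v4 @ 2.60GHz",
    "SystemFamily": "Virtual Machine",
    "SystemSKU": "None",
}

if __name__ == "__main__":
    summary = classify(REPORT_ROWS)
    print(summary, verdict(summary))
    print("values that give the VM away:", looks_virtual(SAMPLE_VALUES))
```

Two practitioner caveats: Office itself reads `CentralProcessor\0` for its own purposes, so the CPU reads alone are weak evidence, and it is the pairing with the BIOS `SystemFamily`/`SystemSKU` reads from the same process during document load that makes this look like an evasion check; and because the sandbox attributes everything to EXCEL.EXE, the report cannot tell you whether the reads came from VBA, from an XLM sheet, or from Office code, which is what the static extraction is for.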
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\036c407c5ff8f377307e137173fd3c18e0f4b1f755fa4074442a2cc2a6df88ef.xls"
Network
| Country | Destination | Domain | Proto |
| US | 20.42.65.85:443 | | tcp |
Files
memory/5052-119-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
memory/5052-118-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
memory/5052-117-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
memory/5052-116-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
memory/5052-128-0x00007FFE48FF0000-0x00007FFE49000000-memory.dmp
memory/5052-129-0x00007FFE48FF0000-0x00007FFE49000000-memory.dmp
memory/5052-289-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
memory/5052-290-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
memory/5052-291-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
memory/5052-292-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
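The Files lists for behavioral1 and behavioral2 look like twenty separate artefacts, but the dump names encode `memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp`, and reading them that way shows each run produced repeated snapshots of just two 64 KiB regions in the EXCEL.EXE process (PID 516 in behavioral1, PID 5052 in behavioral2). The script below is an added example (not part of this report and not the sandbox's tooling) that parses both lists, which are copied inline from the sections above, and collapses them to one row per region so an analyst knows which dumps are worth opening and which are duplicates of the same range.

```python
# Added example: decode sandbox memory-dump file names into per-region summaries.
import re
from collections import Counter

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Copied from the Files lists of behavioral1 and behavioral2 above.
BEHAVIORAL1 = """
memory/516-116-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
memory/516-119-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
memory/516-118-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
memory/516-117-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
memory/516-128-0x00007FFF533C0000-0x00007FFF533D0000-memory.dmp
memory/516-129-0x00007FFF533C0000-0x00007FFF533D0000-memory.dmp
memory/516-290-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
memory/516-291-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
memory/516-292-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
memory/516-293-0x00007FFF56AB0000-0x00007FFF56AC0000-memory.dmp
""".split()

BEHAVIORAL2 = """
memory/5052-119-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
memory/5052-118-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
memory/5052-117-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
memory/5052-116-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
memory/5052-128-0x00007FFE48FF0000-0x00007FFE49000000-memory.dmp
memory/5052-129-0x00007FFE48FF0000-0x00007FFE49000000-memory.dmp
memory/5052-289-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
memory/5052-290-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
memory/5052-291-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
memory/5052-292-0x00007FFE4C930000-0x00007FFE4C940000-memory.dmp
""".split()


def parse_dump(name: str) -> dict:
    """Split one dump file name into pid, snapshot number, start, end and size in bytes."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def summarise(names) -> list:
    """One row per distinct (pid, start, end) region, ordered by pid then address,
    with the number of snapshots the sandbox took of that region."""
    counts = Counter()
    for n in names:
        d = parse_dump(n)
        counts[(d["pid"], d["start"], d["end"])] += 1
    return [
        {"pid": pid, "start": f"0x{s:016X}", "end": f"0x{e:016X}",
         "size_kib": (e - s) // 1024, "snapshots": c}
        for (pid, s, e), c in sorted(counts.items())
    ]


if __name__ == "__main__":
    for label, names in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(label)
        for row in summarise(names):
            print("  ", row)
```

Both runs reduce to the same shape: one region snapshotted twice (snapshots 128 and 129) and a second region snapshotted eight times, every region exactly 64 KiB, which is the Windows allocation granularity. The addresses differ between runs only because of ASLR, so when comparing the two detonations compare region sizes and snapshot counts, not the raw addresses.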