Malware Analysis Report

2025-03-15 07:08

Sample ID 230228-t5x5dacc38
Target 7df06f0d1cb53d8ad793f5f1906a65fa0c80bd1d8719f55aa7f26f9b89c1226e
SHA256 7df06f0d1cb53d8ad793f5f1906a65fa0c80bd1d8719f55aa7f26f9b89c1226e
Tags: macro xlm
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

7df06f0d1cb53d8ad793f5f1906a65fa0c80bd1d8719f55aa7f26f9b89c1226e

Threat Level: Known bad

The file 7df06f0d1cb53d8ad793f5f1906a65fa0c80bd1d8719f55aa7f26f9b89c1226e was found to be: Known bad.

Malicious Activity Summary

macro xlm

Process spawned unexpected child process

Suspicious Office macro

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-02-28 16:39

Signatures

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-02-28 16:39

Reported: 2023-02-28 16:41

Platform: win10-20230220-en

Max time kernel: 133s

Max time network: 136s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7df06f0d1cb53d8ad793f5f1906a65fa0c80bd1d8719f55aa7f26f9b89c1226e.xlsm"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7df06f0d1cb53d8ad793f5f1906a65fa0c80bd1d8719f55aa7f26f9b89c1226e.xlsm"

Network

Country Destination Domain Proto
US 8.8.8.8:53 103.161.106.100.in-addr.arpa udp
US 8.8.8.8:53 145.18.101.100.in-addr.arpa udp
US 8.8.8.8:53 166.47.122.100.in-addr.arpa udp
US 8.8.8.8:53 eles-tech.com udp
N/A 100.92.106.246:80 eles-tech.com tcp
US 8.8.8.8:53 gonorthhalifax.com udp
N/A 100.66.238.12:80 gonorthhalifax.com tcp
US 8.8.8.8:53 txpcrescue.com udp
N/A 100.90.166.181:443 txpcrescue.com tcp
US 8.8.8.8:53 hadramout21.com udp
N/A 100.124.105.156:80 hadramout21.com tcp
US 8.8.8.8:53 haribuilders.com udp
N/A 100.117.255.115:80 haribuilders.com tcp
US 8.8.8.8:53 hansen-arnal.com udp
N/A 100.68.223.57:80 hansen-arnal.com tcp
US 8.8.8.8:53 246.106.92.100.in-addr.arpa udp
US 8.8.8.8:53 12.238.66.100.in-addr.arpa udp
US 8.8.8.8:53 187.1.65.100.in-addr.arpa udp
US 8.8.8.8:53 156.105.124.100.in-addr.arpa udp
US 8.8.8.8:53 115.255.117.100.in-addr.arpa udp
US 8.8.8.8:53 57.223.68.100.in-addr.arpa udp
US 8.8.8.8:53 181.166.90.100.in-addr.arpa udp
US 8.8.8.8:53 34.229.90.100.in-addr.arpa udp
US 20.189.173.7:443 tcp
US 8.8.8.8:53 204.15.86.100.in-addr.arpa udp
US 209.197.3.8:80 tcp

Files

memory/4100-118-0x00007FF88C5F0000-0x00007FF88C600000-memory.dmp

memory/4100-119-0x00007FF88C5F0000-0x00007FF88C600000-memory.dmp

memory/4100-120-0x00007FF88C5F0000-0x00007FF88C600000-memory.dmp

memory/4100-121-0x00007FF88C5F0000-0x00007FF88C600000-memory.dmp

memory/4100-130-0x00007FF889A50000-0x00007FF889A60000-memory.dmp

memory/4100-131-0x00007FF889A50000-0x00007FF889A60000-memory.dmp

memory/4100-287-0x00007FF88C5F0000-0x00007FF88C600000-memory.dmp

memory/4100-288-0x00007FF88C5F0000-0x00007FF88C600000-memory.dmp

memory/4100-289-0x00007FF88C5F0000-0x00007FF88C600000-memory.dmp

memory/4100-290-0x00007FF88C5F0000-0x00007FF88C600000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-02-28 16:39

Reported: 2023-02-28 16:41

Platform: win10-20230220-en

Max time kernel: 150s

Max time network: 146s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7df06f0d1cb53d8ad793f5f1906a65fa0c80bd1d8719f55aa7f26f9b89c1226e.xlsm"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWow64\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7df06f0d1cb53d8ad793f5f1906a65fa0c80bd1d8719f55aa7f26f9b89c1226e.xlsm"

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 24.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
US 8.8.8.8:53 16.42.107.13.in-addr.arpa udp
US 8.8.8.8:53 eles-tech.com udp
US 8.8.8.8:53 gonorthhalifax.com udp
US 216.239.34.21:80 gonorthhalifax.com tcp
US 8.8.8.8:53 www.gonorthhalifax.ca udp
US 34.117.168.233:443 www.gonorthhalifax.ca tcp
US 8.8.8.8:53 21.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 233.168.117.34.in-addr.arpa udp
US 8.8.8.8:53 83.211.2.23.in-addr.arpa udp
US 8.8.8.8:53 19.101.122.92.in-addr.arpa udp
US 13.89.179.8:443 tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
NL 8.253.208.120:80 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 240.232.18.117.in-addr.arpa udp

Files

memory/2452-121-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp

memory/2452-122-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp

memory/2452-123-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp

memory/2452-124-0x00007FF9D0620000-0x00007FF9D0630000-memory.dmp

memory/2452-133-0x00007FF9CCC40000-0x00007FF9CCC50000-memory.dmp

memory/2452-134-0x00007FF9CCC40000-0x00007FF9CCC50000-memory.dmp

C:\Users\Admin\xewn.dll

MD5 f44b9ad94ac545b3b1f6c56a10638677
SHA1 0e924bb931a1262d171683406e5098bcd52ab1d5
SHA256 89636a5eaed2d81bfee9e7d0f19bee686dd651c2f232d70354d2879d79b1b0d3
SHA512 d96d21dadfcdcac38337852f37c9bacf0442e27f6131ef3aa1cbb29ae9c9e686d455cef7d278486af8154445df727c35e886e56bf160c486856ad4c93ceb661e