Analysis Overview
SHA256
7df06f0d1cb53d8ad793f5f1906a65fa0c80bd1d8719f55aa7f26f9b89c1226e
Threat Level: Known bad
The file 7df06f0d1cb53d8ad793f5f1906a65fa0c80bd1d8719f55aa7f26f9b89c1226e was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Suspicious Office macro
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-28 16:39
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-28 16:39
Reported
2023-02-28 16:41
Platform
win10-20230220-en
Max time kernel
133s
Max time network
136s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7df06f0d1cb53d8ad793f5f1906a65fa0c80bd1d8719f55aa7f26f9b89c1226e.xlsm"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-28 16:39
Reported
2023-02-28 16:41
Platform
win10-20230220-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2452 wrote to memory of 3876 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2452 wrote to memory of 3876 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2452 wrote to memory of 3876 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7df06f0d1cb53d8ad793f5f1906a65fa0c80bd1d8719f55aa7f26f9b89c1226e.xlsm"
C:\Windows\SysWow64\regsvr32.exe
C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll
Network
Files
C:\Users\Admin\xewn.dll
| Hash | Value |
| --- | --- |
| MD5 | f44b9ad94ac545b3b1f6c56a10638677 |
| SHA1 | 0e924bb931a1262d171683406e5098bcd52ab1d5 |
| SHA256 | 89636a5eaed2d81bfee9e7d0f19bee686dd651c2f232d70354d2879d79b1b0d3 |
| SHA512 | d96d21dadfcdcac38337852f37c9bacf0442e27f6131ef3aa1cbb29ae9c9e686d455cef7d278486af8154445df727c35e886e56bf160c486856ad4c93ceb661e |