Analysis Overview
SHA256
0fc32d8073d5217cab57b0fd47fae5a0d72d41963131c298f156f82161eb6c9b
Threat Level: Known bad
The file 10113442583.zip was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Suspicious Office macro
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-17 07:21
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-17 07:21
Reported
2023-04-17 07:22
Platform
win10-20230220-en
Max time kernel
8s
Max time network
39s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\Wbem\wmic.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\mshta.exe | |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\60f73d833a4d034333994526e1762e2e8ed23856646b51af0abfa90f44c1941d.xlsb"
C:\Windows\System32\Wbem\wmic.exe
wmic process call create 'mshta C:\ProgramData\rGBOA.sct'
C:\Windows\system32\mshta.exe
mshta C:\ProgramData\rGBOA.sct
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 141.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | easipeasytech.xyz | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/2204-121-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmp
memory/2204-122-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmp
memory/2204-123-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmp
memory/2204-124-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmp
memory/2204-133-0x00007FF7E8F10000-0x00007FF7E8F20000-memory.dmp
memory/2204-134-0x00007FF7E8F10000-0x00007FF7E8F20000-memory.dmp
C:\ProgramData\rGBOA.sct
| MD5 | 25147623901b7d82be9586f2ccd3f17a |
| SHA1 | 83d6afc39a788836d6f37a88a860837156e55d44 |
| SHA256 | 47d93bc9f692b077a5bbad028d24d50f003a4a57806b8b08c8c9a09c47494c9c |
| SHA512 | 8b39c1960ba2aaecd677cac8737e924878cd655ac129f274eb3a81ee943a21b61b3602ac045834543ff2ee9c494b3e60ccdfe9591d5a1b7f70181def21123023 |
memory/2204-344-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmp
memory/2204-345-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmp
memory/2204-346-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmp
memory/2204-347-0x00007FF7EC640000-0x00007FF7EC650000-memory.dmp