Malware Analysis Report

2024-10-24 17:08

Sample ID 240229-ldb4tsce3t
Target 9785e072ecc643a10511ccf47e721bf8.zip
SHA256 1b5859d09b5e7cfe5cd7c37bde8e29ddc97ecadb442bac954d44f7342ec4b52c
Tags: macro xlm
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: 1b5859d09b5e7cfe5cd7c37bde8e29ddc97ecadb442bac954d44f7342ec4b52c

Threat Level: Likely malicious

The file 9785e072ecc643a10511ccf47e721bf8.zip was found to be: Likely malicious.

Malicious Activity Summary

macro xlm

Suspicious Office macro

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-29 09:24

Signatures

Suspicious Office macro

Tags: macro xlm

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-29 09:24
Reported: 2024-02-29 09:30
Platform: win10v2004-20240226-en
Max time kernel: 194s
Max time network: 277s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\9785e072ecc643a10511ccf47e721bf8.tnef

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Opens file in notepad (likely ransom note)

Tags: ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4828 wrote to memory of 4716 | N/A | C:\Windows\system32\OpenWith.exe | C:\Windows\system32\NOTEPAD.EXE
PID 4828 wrote to memory of 4716 | N/A | C:\Windows\system32\OpenWith.exe | C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\9785e072ecc643a10511ccf47e721bf8.tnef

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\9785e072ecc643a10511ccf47e721bf8.tnef

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 188.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-29 09:24
Reported: 2024-02-29 09:30
Platform: win10v2004-20240226-en
Max time kernel: 272s
Max time network: 281s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Levi Strauss (India) Pvt. Ltd.- RRL(Ajio) Recon upto Sep23.xlsb"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Levi Strauss (India) Pvt. Ltd.- RRL(Ajio) Recon upto Sep23.xlsb"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp

Files

memory/556-0-0x00007FFB8C3D0000-0x00007FFB8C3E0000-memory.dmp
memory/556-1-0x00007FFB8C3D0000-0x00007FFB8C3E0000-memory.dmp
memory/556-2-0x00007FFB8C3D0000-0x00007FFB8C3E0000-memory.dmp
memory/556-3-0x00007FFB8C3D0000-0x00007FFB8C3E0000-memory.dmp
memory/556-4-0x00007FFBCC350000-0x00007FFBCC545000-memory.dmp
memory/556-5-0x00007FFBCC350000-0x00007FFBCC545000-memory.dmp
memory/556-7-0x00007FFBCC350000-0x00007FFBCC545000-memory.dmp
memory/556-6-0x00007FFB8C3D0000-0x00007FFB8C3E0000-memory.dmp
memory/556-8-0x00007FFBCC350000-0x00007FFBCC545000-memory.dmp
memory/556-9-0x00007FFBCC350000-0x00007FFBCC545000-memory.dmp
memory/556-10-0x00007FFBCC350000-0x00007FFBCC545000-memory.dmp
memory/556-11-0x00007FFBCC350000-0x00007FFBCC545000-memory.dmp
memory/556-12-0x00007FFB89F30000-0x00007FFB89F40000-memory.dmp
memory/556-13-0x00007FFB89F30000-0x00007FFB89F40000-memory.dmp
memory/556-23-0x00007FFBCC350000-0x00007FFBCC545000-memory.dmp