Malware Analysis Report

2024-10-16 06:28

Sample ID: 240526-mthrzsfe3t
Target: Office.doc
SHA256: 9d137fe924afa089e4c80e28c550de9efd8792116c009db22e23ecee16ea74c2
Tags: macro, macro_on_action
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 9d137fe924afa089e4c80e28c550de9efd8792116c009db22e23ecee16ea74c2

Threat Level: Likely malicious

The file Office.doc was found to be: Likely malicious.

Malicious Activity Summary

Tags: macro, macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-26 10:45

Signatures

Office macro that triggers on suspicious action

Tags: macro, macro_on_action

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

Tags: macro

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-26 10:45

Reported: 2024-05-26 10:50

Platform: win10-20240404-en

Max time kernel: 137s

Max time network: 299s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Office.xls"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Office.xls"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

memory/5096-1-0x00007FF960710000-0x00007FF960720000-memory.dmp

memory/5096-2-0x00007FF9A0725000-0x00007FF9A0726000-memory.dmp

memory/5096-0-0x00007FF960710000-0x00007FF960720000-memory.dmp

memory/5096-3-0x00007FF960710000-0x00007FF960720000-memory.dmp

memory/5096-4-0x00007FF960710000-0x00007FF960720000-memory.dmp

memory/5096-7-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-8-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-9-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-11-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-10-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-12-0x00007FF95CC10000-0x00007FF95CC20000-memory.dmp

memory/5096-13-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-14-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-15-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-17-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-18-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-16-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-21-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-22-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-24-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-26-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-27-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-25-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-23-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-20-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-19-0x00007FF95CC10000-0x00007FF95CC20000-memory.dmp

memory/5096-172-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

memory/5096-173-0x00007FF9A0680000-0x00007FF9A085B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-26 10:45

Reported: 2024-05-26 10:50

Platform: win10v2004-20240508-en

Max time kernel: 149s

Max time network: 270s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Office.xls"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Office.xls"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp

Files

memory/208-0-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp

memory/208-2-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp

memory/208-1-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp

memory/208-4-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp

memory/208-3-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp

memory/208-6-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

memory/208-5-0x00007FFDD130D000-0x00007FFDD130E000-memory.dmp

memory/208-9-0x00007FFD8EA90000-0x00007FFD8EAA0000-memory.dmp

memory/208-11-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

memory/208-10-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

memory/208-8-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

memory/208-12-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

memory/208-7-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

memory/208-13-0x00007FFD8EA90000-0x00007FFD8EAA0000-memory.dmp

memory/208-17-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

memory/208-20-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

memory/208-21-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

memory/208-19-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

memory/208-18-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

memory/208-16-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

memory/208-15-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

memory/208-14-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

memory/208-36-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

memory/208-50-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp

memory/208-51-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp

memory/208-53-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp

memory/208-52-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp

memory/208-54-0x00007FFDD1270000-0x00007FFDD1465000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-26 10:45

Reported: 2024-05-26 10:50

Platform: win11-20240426-en

Max time kernel: 101s

Max time network: 202s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Office.xls"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Office.xls"

Network

Country | Destination | Domain | Proto
NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp

Files

memory/4468-1-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp

memory/4468-2-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp

memory/4468-0-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp

memory/4468-3-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp

memory/4468-4-0x00007FFEDEAA3000-0x00007FFEDEAA4000-memory.dmp

memory/4468-5-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp

memory/4468-6-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp

memory/4468-9-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp

memory/4468-8-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp

memory/4468-7-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp

memory/4468-12-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp

memory/4468-11-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp

memory/4468-10-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp

memory/4468-14-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp

memory/4468-13-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp

memory/4468-16-0x00007FFE9C660000-0x00007FFE9C670000-memory.dmp

memory/4468-17-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp

memory/4468-15-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp

memory/4468-18-0x00007FFE9C660000-0x00007FFE9C670000-memory.dmp

memory/4468-20-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp

memory/4468-19-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp

memory/4468-30-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp

memory/4468-31-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp

memory/4468-45-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp

memory/4468-46-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp

memory/4468-48-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp

memory/4468-47-0x00007FFE9EA90000-0x00007FFE9EAA0000-memory.dmp

memory/4468-49-0x00007FFEDEA00000-0x00007FFEDEC09000-memory.dmp