Malware Analysis Report

2024-10-16 02:52

Sample ID 240621-rhfkpstajg
Target cv_jones.doc
SHA256 93007a0c3c67f537fd876265394819a2e739d8cdd79792e3d1ad1aabe3789083
Tags
macro macro_on_action
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

93007a0c3c67f537fd876265394819a2e739d8cdd79792e3d1ad1aabe3789083

Threat Level: Likely malicious

The file cv_jones.doc was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-21 14:11

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 14:11

Reported

2024-06-21 14:14

Platform

win7-20240419-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cv_jones.doc"

Signatures

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cv_jones.doc"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | update.microsoft.local | udp

Files

memory/2256-0-0x000000002FDB1000-0x000000002FDB2000-memory.dmp

memory/2256-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2256-2-0x0000000070D2D000-0x0000000070D38000-memory.dmp

memory/2256-5-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-6-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-7-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-8-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-13-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-11-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-12-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-10-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-9-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-14-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-15-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-23-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-22-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-21-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-20-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-19-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-18-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-16-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-17-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-24-0x0000000070D2D000-0x0000000070D38000-memory.dmp

memory/2256-25-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2256-26-0x0000000000450000-0x0000000000550000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 14:11

Reported

2024-06-21 14:14

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cv_jones.doc" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cv_jones.doc" /o ""

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | update.microsoft.local | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp

Files

memory/2424-0-0x00007FF8394B0000-0x00007FF8394C0000-memory.dmp

memory/2424-2-0x00007FF8394B0000-0x00007FF8394C0000-memory.dmp

memory/2424-1-0x00007FF8394B0000-0x00007FF8394C0000-memory.dmp

memory/2424-4-0x00007FF8794CD000-0x00007FF8794CE000-memory.dmp

memory/2424-6-0x00007FF8394B0000-0x00007FF8394C0000-memory.dmp

memory/2424-5-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2424-3-0x00007FF8394B0000-0x00007FF8394C0000-memory.dmp

memory/2424-9-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2424-8-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2424-7-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2424-12-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2424-11-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2424-10-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2424-13-0x00007FF836C90000-0x00007FF836CA0000-memory.dmp

memory/2424-14-0x00007FF836C90000-0x00007FF836CA0000-memory.dmp

memory/2424-48-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2424-36-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2424-49-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2424-34-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2424-57-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2424-58-0x00007FF879430000-0x00007FF879625000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2424-65-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2424-66-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2424-67-0x00007FF879430000-0x00007FF879625000-memory.dmp

memory/2424-86-0x00007FF8394B0000-0x00007FF8394C0000-memory.dmp

memory/2424-85-0x00007FF8394B0000-0x00007FF8394C0000-memory.dmp

memory/2424-87-0x00007FF8394B0000-0x00007FF8394C0000-memory.dmp

memory/2424-88-0x00007FF8394B0000-0x00007FF8394C0000-memory.dmp

memory/2424-89-0x00007FF879430000-0x00007FF879625000-memory.dmp