Malware Analysis Report

2025-01-22 19:16

Sample ID 240719-15plkasgjl
Target 3bbce05da00ef578bc794cde651aa7bc6f189ce6a298e4a4f8471ffce35255ea
SHA256 3bbce05da00ef578bc794cde651aa7bc6f189ce6a298e4a4f8471ffce35255ea
Tags
macro macro_on_action
score
8/10


Analysis Overview

score
8/10

SHA256

3bbce05da00ef578bc794cde651aa7bc6f189ce6a298e4a4f8471ffce35255ea

Threat Level: Likely malicious

The file 3bbce05da00ef578bc794cde651aa7bc6f189ce6a298e4a4f8471ffce35255ea was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-19 22:14

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-19 22:14

Reported

2024-07-19 22:15

Platform

win7-20240708-en

Max time kernel

24s

Max time network

18s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\3bbce05da00ef578bc794cde651aa7bc6f189ce6a298e4a4f8471ffce35255ea.xls

Signatures

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\3bbce05da00ef578bc794cde651aa7bc6f189ce6a298e4a4f8471ffce35255ea.xls

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-19 22:14

Reported

2024-07-19 22:15

Platform

win10v2004-20240709-en

Max time kernel

42s

Max time network

45s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\3bbce05da00ef578bc794cde651aa7bc6f189ce6a298e4a4f8471ffce35255ea.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\3bbce05da00ef578bc794cde651aa7bc6f189ce6a298e4a4f8471ffce35255ea.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 da422eefe346fc8d1a3dd39259ff529b
SHA1 a785ae7ce1e097d3cd845589e344954ba6ab4a3a
SHA256 2bb35f0cd378e892a54c09ca888823170595aff65867e3b4a87df95f4c6f5dc2
SHA512 9c0558bb64f9378183d70f111ec6a6ec82b5ef78f47484e2ec49a938db4fc880e10d09e0ca5be32de8af894ecb31486555ea7f2c8161d3ea63864b7e214c375b
