Malware Analysis Report

2025-01-22 19:07

Sample ID: 240719-1ata9svaja
Target: a302ad97fd022e8949e1e1b4f437f65e68e5757e3a30a56647a56a10d88b0a96
SHA256: a302ad97fd022e8949e1e1b4f437f65e68e5757e3a30a56647a56a10d88b0a96
Tags: macro, macro_on_action
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: a302ad97fd022e8949e1e1b4f437f65e68e5757e3a30a56647a56a10d88b0a96

Threat Level: Likely malicious

The file a302ad97fd022e8949e1e1b4f437f65e68e5757e3a30a56647a56a10d88b0a96 was found to be: Likely malicious.

Malicious Activity Summary

Tags: macro, macro_on_action

Suspicious Office macro

Office macro that triggers on suspicious action

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-19 21:27

Signatures

Office macro that triggers on suspicious action

Tags: macro, macro_on_action

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

Tags: macro

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-19 21:27
Reported: 2024-07-19 21:28
Platform: win7-20240705-en
Max time kernel: 23s
Max time network: 17s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a302ad97fd022e8949e1e1b4f437f65e68e5757e3a30a56647a56a10d88b0a96.xls

Signatures

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a302ad97fd022e8949e1e1b4f437f65e68e5757e3a30a56647a56a10d88b0a96.xls

Network

N/A

Files

memory/2232-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2232-1-0x000000007207D000-0x0000000072088000-memory.dmp

memory/2232-3-0x0000000000540000-0x0000000000640000-memory.dmp

memory/2232-2-0x0000000000540000-0x0000000000640000-memory.dmp

memory/2232-5-0x0000000000540000-0x0000000000640000-memory.dmp

memory/2232-8-0x0000000000540000-0x0000000000640000-memory.dmp

memory/2232-4-0x0000000000540000-0x0000000000640000-memory.dmp

memory/2232-9-0x000000007207D000-0x0000000072088000-memory.dmp

memory/2232-10-0x0000000000540000-0x0000000000640000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-19 21:27
Reported: 2024-07-19 21:28
Platform: win10v2004-20240709-en
Max time kernel: 42s
Max time network: 45s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a302ad97fd022e8949e1e1b4f437f65e68e5757e3a30a56647a56a10d88b0a96.xls"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a302ad97fd022e8949e1e1b4f437f65e68e5757e3a30a56647a56a10d88b0a96.xls"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.170.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

memory/1448-0-0x00007FFE18790000-0x00007FFE187A0000-memory.dmp

memory/1448-2-0x00007FFE18790000-0x00007FFE187A0000-memory.dmp

memory/1448-3-0x00007FFE587AD000-0x00007FFE587AE000-memory.dmp

memory/1448-4-0x00007FFE18790000-0x00007FFE187A0000-memory.dmp

memory/1448-1-0x00007FFE18790000-0x00007FFE187A0000-memory.dmp

memory/1448-7-0x00007FFE58710000-0x00007FFE58905000-memory.dmp

memory/1448-5-0x00007FFE18790000-0x00007FFE187A0000-memory.dmp

memory/1448-6-0x00007FFE58710000-0x00007FFE58905000-memory.dmp

memory/1448-11-0x00007FFE58710000-0x00007FFE58905000-memory.dmp

memory/1448-12-0x00007FFE58710000-0x00007FFE58905000-memory.dmp

memory/1448-13-0x00007FFE58710000-0x00007FFE58905000-memory.dmp

memory/1448-14-0x00007FFE166A0000-0x00007FFE166B0000-memory.dmp

memory/1448-10-0x00007FFE58710000-0x00007FFE58905000-memory.dmp

memory/1448-15-0x00007FFE58710000-0x00007FFE58905000-memory.dmp

memory/1448-16-0x00007FFE58710000-0x00007FFE58905000-memory.dmp

memory/1448-17-0x00007FFE166A0000-0x00007FFE166B0000-memory.dmp

memory/1448-9-0x00007FFE58710000-0x00007FFE58905000-memory.dmp

memory/1448-18-0x00007FFE58710000-0x00007FFE58905000-memory.dmp

memory/1448-19-0x00007FFE58710000-0x00007FFE58905000-memory.dmp

memory/1448-8-0x00007FFE58710000-0x00007FFE58905000-memory.dmp

memory/1448-32-0x00007FFE58710000-0x00007FFE58905000-memory.dmp

memory/1448-33-0x00007FFE58710000-0x00007FFE58905000-memory.dmp

memory/1448-34-0x00007FFE58710000-0x00007FFE58905000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5: 7cc1d7dd8d68da87d0d5cc4235bb5acb
SHA1: a5b5597c502543e2c640000ebc9f0067f044f884
SHA256: 7a69c68604cf013922d047fa86dc41b3c0b119096664f2073678537fefaaf5e5
SHA512: b44885df2d99de0edd96a0965b65740deac0cc450f67dc91238a242072d81d51bb531de8f6366f7acda7183713a45da19088ee614700bf949598fc5e738078c4

memory/1448-48-0x00007FFE58710000-0x00007FFE58905000-memory.dmp