Malware Analysis Report

2025-01-22 19:14

Sample ID: 240719-1h36fa1dnl
Target: a515d869a75da322c87985158750d4e12f5556b0785379d558d778e3ef481eac
SHA256: a515d869a75da322c87985158750d4e12f5556b0785379d558d778e3ef481eac
Tags: macro, macro_on_action
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a515d869a75da322c87985158750d4e12f5556b0785379d558d778e3ef481eac

Threat Level: Known bad

The file a515d869a75da322c87985158750d4e12f5556b0785379d558d778e3ef481eac was found to be: Known bad.

Malicious Activity Summary

Tags: macro, macro_on_action

Process spawned unexpected child process

Office macro that triggers on suspicious action

Suspicious Office macro

Drops startup file

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-19 21:39

Signatures

Office macro that triggers on suspicious action

Tags: macro, macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

Tags: macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-19 21:39
Reported: 2024-07-19 21:40
Platform: win7-20240708-en
Max time kernel: 57s
Max time network: 19s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a515d869a75da322c87985158750d4e12f5556b0785379d558d778e3ef481eac.doc"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Office macro that triggers on suspicious action

Tags: macro, macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.vbe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\WScript.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\WScript.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a515d869a75da322c87985158750d4e12f5556b0785379d558d778e3ef481eac.doc"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.vbe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sysrar.doc

MD5 430bd48eaf3c24c495cf21ac41423687
SHA1 c1ad5f378bcc8749840f8d802c308f3f60f262e5
SHA256 78deb02ca875ca1baff357251187799659b1bdc09cb406e79c05c6437b80beca
SHA512 ddd8b1038967ebd1367a8513017cf3e9956946dc117e62e043d2e40733ff1e568a308a0f6f2d5e8c924ed13ad97947947842f8c56212f4a8d725c2d39294bd64


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.vbe

MD5 b3ae7487667beac7edd4a7d0c19e61ba
SHA1 7daca93828c48c37bf2414f20ca5ccaf04b56f7d
SHA256 2ab9d2edb0855a80276c2ed821f9427d8ff87ee23cde0211d96b55faacfe1b8c
SHA512 1ce18cdbbb7fe830c3c78b41eb7862f15a919a1187846ea3f25f0071a26018a1600e78228aed1382387006e3b5e213bad5cdf8d214a7252418d1cf03c8ea3537


Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-19 21:39
Reported: 2024-07-19 21:40
Platform: win10v2004-20240709-en
Max time kernel: 40s
Max time network: 41s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a515d869a75da322c87985158750d4e12f5556b0785379d558d778e3ef481eac.doc" /o ""

Signatures

Office macro that triggers on suspicious action

Tags: macro, macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a515d869a75da322c87985158750d4e12f5556b0785379d558d778e3ef481eac.doc" /o ""

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sysrar.doc

MD5 91e070fcd4bb4ce1cc7912ee2b5a2a94
SHA1 9c85f3dac46b1614f2c2d8df6249aa586a3978bd
SHA256 c9e25e3aadfeec236b0604dcfc1320ffcfac90738e44b4204aadd5453dbd656d
SHA512 461c13f794f521eb7fdec391495b168876746ee6ac84932e2f9009421b8b2208fc8820ef187b75a9fcad8b538c4a65355030bb6fb54335d06a8e189bb09d0b2d

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 23c3d79081663996fda4b20ac3999aa9
SHA1 5461b8bd7c643a7a2f497d88406eeb4075ab35fe
SHA256 47aa6d04bb72893636a2cb6d3ed1fe6341667911d12dedb9c888551b6d21fdcd
SHA512 69656786e454743a19199d2c8fe43ab73a74ec92033ab28a6c4100087d58bfe93b3255c2df9f45756c187e70980863f0430989fe2c56d724b1f8b6ee7eebb9d3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 b039f4f7bb7faf97483c0956c8348474
SHA1 313da140eeac8caa12143cf4509e9c61ccabfcaf
SHA256 a3996cc497e898d6d8e57b37a98fedab20389cc8fbe55e4426155f4596d57040
SHA512 e8bec4dbbc44edbeffe8b75b3fcde09006fbc57ffb09646b1e481b1c78df34402adb3a57ee8ee7677189821340f2b73de3cefd425c1fe8959c81c240ff0c3479

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 424c965899e05360f2c340c3a5f03c3d
SHA1 a2393b8e09fe9b1499a029babb784f72141c6bed
SHA256 add9bffa9f3b2b8226ee0e14a748571caccfce1b1434c4f43ab846c67bbd4b41
SHA512 743b2dfb493419436b67b693feea84d1bf42f1b9cb748bd7c961d1993a0826d841137fe9f53feee0fffa19be565a7f3f62b449bbc4983cc7b43f685e84dd8250
