Malware Analysis Report

2025-01-22 19:12

Sample ID 240720-m6mxgascmc
Target a2f17c1641ee546b3d4578d2ff77b976d7ba8a10a0e302ea328f5e54762cb225.doc
SHA256 a2f17c1641ee546b3d4578d2ff77b976d7ba8a10a0e302ea328f5e54762cb225
Tags macro, macro_on_action
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 8/10

SHA256 a2f17c1641ee546b3d4578d2ff77b976d7ba8a10a0e302ea328f5e54762cb225

Threat Level: Likely malicious

The file a2f17c1641ee546b3d4578d2ff77b976d7ba8a10a0e302ea328f5e54762cb225.doc was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-20 11:04

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A
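The two static signatures above say that the document carries a macro and that the macro is wired to an automatic trigger, but they give no indicator. The check an analyst runs next is to pull the VBA out of the OLE container and read which event handlers it declares. Inside a .doc the module source is stored in the MS-OVBA CompressedContainer format, so the Python below, added for this page and not code from the sandbox or from the sample, implements that decompressor, a matching encoder used only to build a constructed test stream, and the scan for auto-execute handlers. The module text in SAMPLE_VBA, the procedure names in it and the AUTOEXEC_TRIGGERS list are assumptions for the example; locating the module streams inside the OLE file is left to a library such as olefile.

```python
import math
import re
import struct

# Procedure names that VBA runs on a document event without user interaction,
# which is what turns "a macro is present" into "a macro that triggers on an action".
AUTOEXEC_TRIGGERS = {name.lower() for name in (
    "AutoOpen", "AutoExec", "AutoClose", "AutoExit", "AutoNew",
    "Document_Open", "Document_Close", "Document_New",
    "Auto_Open", "Auto_Close", "Workbook_Open", "Workbook_Activate",
)}

# Constructed VBA module source for this example; it is NOT the macro from the sample.
SAMPLE_VBA = (
    'Attribute VB_Name = "ThisDocument"\r\n'
    "Private Sub Document_Open()\r\n"
    "    Call Stage\r\n"
    "End Sub\r\n"
    "Sub AutoOpen()\r\n"
    "    Call Stage\r\n"
    "End Sub\r\n"
    "Private Sub Stage()\r\n"
    '    MsgBox "placeholder body"\r\n'
    "End Sub\r\n"
)


def _token_layout(difference):
    """Offset/length bit split of a CopyToken once `difference` bytes of the
    current chunk have been decompressed (MS-OVBA 2.4.1.3.19.1)."""
    bit_count = max(math.ceil(math.log2(difference)), 4)
    length_mask = 0xFFFF >> bit_count
    return bit_count, length_mask, length_mask + 3, 1 << bit_count  # max length, max offset


def decompress_stream(data):
    """Decode an MS-OVBA CompressedContainer, the format of every VBA module
    stream inside an OLE document (this is the text olevba prints)."""
    if data[0] != 0x01:
        raise ValueError("not a CompressedContainer")
    out, pos = bytearray(), 1
    while pos < len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = min(len(data), pos + (header & 0x0FFF) + 3)
        pos += 2
        chunk_start = len(out)
        if not header >> 15:                        # uncompressed chunk: 4096 raw bytes
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:          # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                bit_count, length_mask, _, _ = _token_layout(len(out) - chunk_start)
                length = (token & length_mask) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):             # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


def compress_stream(src):
    """Greedy LZ77 encoder for the same container, used here only to build a
    realistic input; real documents already carry the compressed stream."""
    out = bytearray([0x01])
    for start in range(0, len(src), 4096):
        chunk, body, pos = src[start:start + 4096], bytearray(), 0
        while pos < len(chunk):
            flags, tokens = 0, bytearray()
            for bit in range(8):
                if pos >= len(chunk):
                    break
                best_len = best_off = 0
                bit_count = 4
                if pos:
                    bit_count, _, max_len, max_off = _token_layout(pos)
                    for off in range(1, min(pos, max_off) + 1):
                        n = 0
                        while pos + n < len(chunk) and n < max_len and chunk[pos + n] == chunk[pos + n - off]:
                            n += 1
                        if n > best_len:
                            best_len, best_off = n, off
                if best_len >= 3:
                    tokens += struct.pack("<H", ((best_off - 1) << (16 - bit_count)) | (best_len - 3))
                    flags |= 1 << bit
                    pos += best_len
                else:
                    tokens.append(chunk[pos])
                    pos += 1
            body.append(flags)
            body += tokens
        if len(body) > 4096:                        # incompressible: store raw, zero-padded
            out += struct.pack("<H", 0x3FFF) + chunk.ljust(4096, b"\0")
        else:
            out += struct.pack("<H", 0xB000 | (len(body) - 1)) + body
    return bytes(out)


def find_autoexec_triggers(vba_source):
    """Names of auto-executing procedures declared in VBA source text."""
    decl = re.compile(r"^\s*(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)", re.I)
    found = []
    for line in vba_source.splitlines():
        m = decl.match(line)
        if m and m.group(1).lower() in AUTOEXEC_TRIGGERS:
            found.append(m.group(1))
    return found


def triage_module_stream(stream):
    """What the static signature does: decompress a module stream and report
    the handlers that would run as soon as the document is opened or closed."""
    return find_autoexec_triggers(decompress_stream(stream).decode("latin-1"))


if __name__ == "__main__":
    stream = compress_stream(SAMPLE_VBA.encode())
    print(f"{len(SAMPLE_VBA)} -> {len(stream)} bytes, triggers: {triage_module_stream(stream)}")
```

On a real sample, feed triage_module_stream the bytes of each module stream starting at the source offset recorded for that module in the project's dir stream (the bytes before it are the PerformanceCache, not source); a non-empty result is the "macro_on_action" condition, and the handler names tell you which user action fires it.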

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-20 11:04
Reported: 2024-07-20 11:07
Platform: win7-20240704-en
Max time kernel: 144s
Max time network: 120s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a2f17c1641ee546b3d4578d2ff77b976d7ba8a10a0e302ea328f5e54762cb225.doc"

Signatures

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

wiatrace.log is the Windows Image Acquisition trace log that WINWORD.EXE itself writes when it loads the imaging components; this signature fires for benign Office documents too and is not by itself evidence of a dropped payload.

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a2f17c1641ee546b3d4578d2ff77b976d7ba8a10a0e302ea328f5e54762cb225.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

splwow64.exe is the print driver host for 32-bit applications on 64-bit Windows; 32-bit Office 2010 starts it when it queries printer settings, so its presence on a document open is expected and not by itself a sign of macro-spawned activity.

Network

Country Destination Domain Proto
US 8.8.8.8:53 laurameronl.us udp

Files

memory/2252-0-0x000000002F481000-0x000000002F482000-memory.dmp

memory/2252-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2252-2-0x000000007183D000-0x0000000071848000-memory.dmp

memory/2252-5-0x000000007183D000-0x0000000071848000-memory.dmp

memory/2252-10-0x0000000005B60000-0x0000000005C60000-memory.dmp

memory/2252-11-0x000000006AA21000-0x000000006AA22000-memory.dmp

memory/2252-14-0x000000006AA20000-0x000000006AFCB000-memory.dmp

memory/2252-15-0x000000006AA20000-0x000000006AFCB000-memory.dmp

memory/2252-16-0x000000006AA20000-0x000000006AFCB000-memory.dmp

memory/2252-17-0x000000006AA20000-0x000000006AFCB000-memory.dmp

memory/2252-18-0x0000000005B60000-0x0000000005C60000-memory.dmp

memory/2252-19-0x000000006AA20000-0x000000006AFCB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-20 11:04
Reported: 2024-07-20 11:07
Platform: win10v2004-20240709-en
Max time kernel: 147s
Max time network: 126s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a2f17c1641ee546b3d4578d2ff77b976d7ba8a10a0e302ea328f5e54762cb225.doc" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

The CentralProcessor and BIOS values queried here are read by WINWORD.EXE itself on Windows 10 for Office's own diagnostics, and the same two signatures fire for benign documents; on their own they are not evidence that the macro fingerprints the machine to detect a sandbox.

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a2f17c1641ee546b3d4578d2ff77b976d7ba8a10a0e302ea328f5e54762cb225.doc" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 23.40.43.41:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp (45 identical connections)
US 8.8.8.8:53 41.43.40.23.in-addr.arpa udp
US 8.8.8.8:53 24.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 laurameronl.us udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp (5 identical connections)
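Almost everything in the two network tables is Word talking to Microsoft (roaming settings, the template gallery, Bing-backed assets) plus the sandbox's reverse lookups of the IPs it contacted. The one destination that does not fit is laurameronl.us: WINWORD.EXE resolves it through 8.8.8.8 in both detonations and no TCP connection to it follows, so the report does not show whether it resolved at all. The Python below, added for this page and not part of the report, separates that signal from the Office baseline. The rows are copied from the tables above (the repeats collapsed), and the OFFICE_BASELINE_SUFFIXES allowlist is an assumption that should be rebuilt from a clean document detonated on the same image.

```python
import re

# Network rows from the two detonations (constructed input for this example:
# the behavioral1 row plus the behavioral2 rows with duplicate connections dropped).
REPORT_NETWORK = """\
US 8.8.8.8:53 laurameronl.us udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 23.40.43.41:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 173.222.211.24:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 41.43.40.23.in-addr.arpa udp
US 8.8.8.8:53 24.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 laurameronl.us udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

# Assumed baseline of what WINWORD.EXE contacts on its own on this kind of image.
OFFICE_BASELINE_SUFFIXES = (".officeapps.live.com", ".cdn.office.net", ".bing.com", ".bing.net")


def parse_network(text):
    """Rows of 'Country Destination Domain Proto' -> list of dicts."""
    rows = []
    for line in text.splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def ptr_name_to_ip(name):
    """'243.76.109.52.in-addr.arpa' -> '52.109.76.243' (PTR names store the octets reversed)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name)
    return ".".join(reversed(m.groups())) if m else None


def triage_network(rows):
    """Split the capture into Office baseline, sandbox reverse lookups, and the
    names that were resolved but never connected to (the DNS-only indicators)."""
    queried, connected, reverse_ips, tcp_peers = set(), set(), set(), set()
    for r in rows:
        ptr = ptr_name_to_ip(r["domain"])
        if ptr:
            reverse_ips.add(ptr)
        elif r["proto"] == "udp" and r["port"] == 53:
            queried.add(r["domain"])
        elif r["proto"] == "tcp":
            connected.add(r["domain"])
            tcp_peers.add(r["ip"])
    baseline = lambda d: d.endswith(OFFICE_BASELINE_SUFFIXES)
    return {
        "dns_only": sorted(d for d in queried - connected if not baseline(d)),
        "unexpected_connections": sorted(d for d in connected if not baseline(d)),
        "baseline": sorted(d for d in queried | connected if baseline(d)),
        # reverse lookups the sandbox made that match a peer we actually saw a TCP session with
        "reverse_lookups_of_peers": sorted(reverse_ips & tcp_peers),
    }


if __name__ == "__main__":
    for key, value in triage_network(parse_network(REPORT_NETWORK)).items():
        print(f"{key}: {value}")
```

The DNS-only bucket is the one worth pivoting on: a name that a macro resolves but never connects to usually means the lookup failed, the domain is sinkholed, or the payload gated on the answer, and none of those can be told apart from this page alone, so the next step is checking the query response in the pcap rather than treating the absence of a connection as a negative result.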

Files

memory/4696-0-0x00007FFF27170000-0x00007FFF27180000-memory.dmp

memory/4696-2-0x00007FFF27170000-0x00007FFF27180000-memory.dmp

memory/4696-4-0x00007FFF27170000-0x00007FFF27180000-memory.dmp

memory/4696-5-0x00007FFF6718D000-0x00007FFF6718E000-memory.dmp

memory/4696-3-0x00007FFF27170000-0x00007FFF27180000-memory.dmp

memory/4696-7-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-1-0x00007FFF27170000-0x00007FFF27180000-memory.dmp

memory/4696-8-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-10-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-9-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-6-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-13-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-14-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-18-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-19-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-17-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-16-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-15-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-12-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-11-0x00007FFF24AA0000-0x00007FFF24AB0000-memory.dmp

memory/4696-20-0x00007FFF24AA0000-0x00007FFF24AB0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Local\Temp\TCDC9BD.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

memory/4696-520-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-535-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-536-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-537-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-538-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp

memory/4696-544-0x0000000000D30000-0x0000000000D49000-memory.dmp

memory/4696-545-0x00007FFF670F0000-0x00007FFF672E5000-memory.dmp