Analysis Overview
SHA256
a908acf29dde8279b28c8b1b15892cf602a90a0d387b904176d63d7eac0203b9
Threat Level: Likely malicious
The file a908acf29dde8279b28c8b1b15892cf602a90a0d387b904176d63d7eac0203b9.xls was found to be: Likely malicious.
Malicious Activity Summary
Office macro that triggers on suspicious action
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-24 19:29
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-24 19:29
Reported
2024-07-24 19:32
Platform
win7-20240704-en
Max time kernel
144s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1864 wrote to memory of 2296 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\splwow64.exe |
| PID 1864 wrote to memory of 2296 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\splwow64.exe |
| PID 1864 wrote to memory of 2296 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\splwow64.exe |
| PID 1864 wrote to memory of 2296 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a908acf29dde8279b28c8b1b15892cf602a90a0d387b904176d63d7eac0203b9.xls
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-24 19:29
Reported
2024-07-24 19:32
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3160 wrote to memory of 4920 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\splwow64.exe |
| PID 3160 wrote to memory of 4920 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a908acf29dde8279b28c8b1b15892cf602a90a0d387b904176d63d7eac0203b9.xls"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | d29962abc88624befc0135579ae485ec |
| SHA1 | e40a6458296ec6a2427bcb280572d023a9862b31 |
| SHA256 | a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866 |
| SHA512 | 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | a46a354abd9f27b13e92b26be0dd58ba |
| SHA1 | da4d9147b1355dde467d51b2f988353940af0419 |
| SHA256 | fcf3abfe10332bda952c6208e3dd9b9d2e1b76a0869dfa7897595051c766311d |
| SHA512 | 66bb92ecf4c065719dc9e75df62b19bce97734219dee9211fc36924d147dc58e862675b32b881dfa9e9ba5da1e23685624a9a0a142a2951d113d90c6ec18c60f |