Analysis Overview
SHA256
bca761b018dd3bc40d87eb4be34d23720b2f187bcda5816a825abe8fe24d75b1
Threat Level: Likely malicious
The file bca761b018dd3bc40d87eb4be34d23720b2f187bcda5816a825abe8fe24d75b1 was found to be: Likely malicious.
Malicious Activity Summary
Office macro that triggers on suspicious action
Suspicious Office macro
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-05 21:43
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 21:43
Reported
2024-08-05 21:44
Platform
win7-20240729-en
Max time kernel
23s
Max time network
17s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\bca761b018dd3bc40d87eb4be34d23720b2f187bcda5816a825abe8fe24d75b1.xls
Network
Files
memory/2020-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2020-1-0x00000000728AD000-0x00000000728B8000-memory.dmp
memory/2020-4-0x0000000000300000-0x0000000000400000-memory.dmp
memory/2020-5-0x0000000000300000-0x0000000000400000-memory.dmp
memory/2020-8-0x0000000000300000-0x0000000000400000-memory.dmp
memory/2020-3-0x0000000000300000-0x0000000000400000-memory.dmp
memory/2020-2-0x0000000000300000-0x0000000000400000-memory.dmp
memory/2020-9-0x00000000728AD000-0x00000000728B8000-memory.dmp
memory/2020-10-0x0000000000300000-0x0000000000400000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 21:43
Reported
2024-08-05 21:44
Platform
win10v2004-20240802-en
Max time kernel
46s
Max time network
37s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bca761b018dd3bc40d87eb4be34d23720b2f187bcda5816a825abe8fe24d75b1.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
Files
memory/920-0-0x00007FFAB6B90000-0x00007FFAB6BA0000-memory.dmp
memory/920-2-0x00007FFAB6B90000-0x00007FFAB6BA0000-memory.dmp
memory/920-1-0x00007FFAB6B90000-0x00007FFAB6BA0000-memory.dmp
memory/920-3-0x00007FFAB6B90000-0x00007FFAB6BA0000-memory.dmp
memory/920-4-0x00007FFAB6B90000-0x00007FFAB6BA0000-memory.dmp
memory/920-5-0x00007FFAF6BAD000-0x00007FFAF6BAE000-memory.dmp
memory/920-6-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-11-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-10-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-9-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-12-0x00007FFAB4B30000-0x00007FFAB4B40000-memory.dmp
memory/920-8-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-7-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-14-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-13-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-15-0x00007FFAB4B30000-0x00007FFAB4B40000-memory.dmp
memory/920-19-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-20-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-18-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-17-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-16-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-35-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-36-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-37-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
memory/920-38-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | a59b2b9547c9bd091af0cb7c4cc8a8a4 |
| SHA1 | 3441f23c62e6d288c37dca08ab495185e098f945 |
| SHA256 | a1822b6d09f2a157e697bb45bda77f1a79836441cc36a0c3bab94c985e6d7c70 |
| SHA512 | 72f4735b9f0aabc27ba9d67bce50eb4ccaf1b68e06a73790148f018f767cb6ceef29463295888ad799b678d8c69b0bbf382a099b7d40a1c5bc0bf906cbf7cb60 |
memory/920-44-0x00007FFAF6B10000-0x00007FFAF6D05000-memory.dmp