Malware Analysis Report

2025-03-15 07:55

Sample ID 240805-1k9e8stakb
Target bca761b018dd3bc40d87eb4be34d23720b2f187bcda5816a825abe8fe24d75b1
SHA256 bca761b018dd3bc40d87eb4be34d23720b2f187bcda5816a825abe8fe24d75b1
Tags
macro macro_on_action discovery
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

bca761b018dd3bc40d87eb4be34d23720b2f187bcda5816a825abe8fe24d75b1

Threat Level: Likely malicious

The file bca761b018dd3bc40d87eb4be34d23720b2f187bcda5816a825abe8fe24d75b1 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action discovery

Office macro that triggers on suspicious action

Suspicious Office macro

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-05 21:43

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 21:43

Reported

2024-08-05 21:44

Platform

win7-20240729-en

Max time kernel

23s

Max time network

17s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\bca761b018dd3bc40d87eb4be34d23720b2f187bcda5816a825abe8fe24d75b1.xls

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\bca761b018dd3bc40d87eb4be34d23720b2f187bcda5816a825abe8fe24d75b1.xls

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 21:43

Reported

2024-08-05 21:44

Platform

win10v2004-20240802-en

Max time kernel

46s

Max time network

37s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bca761b018dd3bc40d87eb4be34d23720b2f187bcda5816a825abe8fe24d75b1.xls"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bca761b018dd3bc40d87eb4be34d23720b2f187bcda5816a825abe8fe24d75b1.xls"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 | a59b2b9547c9bd091af0cb7c4cc8a8a4
SHA1 | 3441f23c62e6d288c37dca08ab495185e098f945
SHA256 | a1822b6d09f2a157e697bb45bda77f1a79836441cc36a0c3bab94c985e6d7c70
SHA512 | 72f4735b9f0aabc27ba9d67bce50eb4ccaf1b68e06a73790148f018f767cb6ceef29463295888ad799b678d8c69b0bbf382a099b7d40a1c5bc0bf906cbf7cb60