Malware Analysis Report

2025-03-15 07:56

Sample ID 240806-1qrsdavhjg
Target 02113aba83264dccaa4d2be39b11de1b3caf90d9420babe29fc0e26d86c5c190
SHA256 02113aba83264dccaa4d2be39b11de1b3caf90d9420babe29fc0e26d86c5c190
Tags
discovery macro macro_on_action
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

02113aba83264dccaa4d2be39b11de1b3caf90d9420babe29fc0e26d86c5c190

Threat Level: Likely malicious

The file 02113aba83264dccaa4d2be39b11de1b3caf90d9420babe29fc0e26d86c5c190 was found to be: Likely malicious.

Malicious Activity Summary

discovery macro macro_on_action

Office macro that triggers on suspicious action

Suspicious Office macro

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-06 21:51

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 21:51

Reported

2024-08-06 21:52

Platform

win7-20240705-en

Max time kernel

24s

Max time network

20s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\02113aba83264dccaa4d2be39b11de1b3caf90d9420babe29fc0e26d86c5c190.xls

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\02113aba83264dccaa4d2be39b11de1b3caf90d9420babe29fc0e26d86c5c190.xls

Network

N/A

Files

memory/2396-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2396-1-0x000000007297D000-0x0000000072988000-memory.dmp

memory/2396-8-0x0000000006580000-0x0000000006680000-memory.dmp

memory/2396-9-0x000000007297D000-0x0000000072988000-memory.dmp

memory/2396-10-0x0000000006580000-0x0000000006680000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 21:51

Reported

2024-08-06 21:52

Platform

win10v2004-20240802-en

Max time kernel

46s

Max time network

38s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\02113aba83264dccaa4d2be39b11de1b3caf90d9420babe29fc0e26d86c5c190.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\02113aba83264dccaa4d2be39b11de1b3caf90d9420babe29fc0e26d86c5c190.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp

Files

memory/1084-0-0x00007FFEFF490000-0x00007FFEFF4A0000-memory.dmp

memory/1084-1-0x00007FFEFF490000-0x00007FFEFF4A0000-memory.dmp

memory/1084-2-0x00007FFEFF490000-0x00007FFEFF4A0000-memory.dmp

memory/1084-3-0x00007FFEFF490000-0x00007FFEFF4A0000-memory.dmp

memory/1084-4-0x00007FFF3F4AD000-0x00007FFF3F4AE000-memory.dmp

memory/1084-5-0x00007FFEFF490000-0x00007FFEFF4A0000-memory.dmp

memory/1084-6-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-8-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-9-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-11-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-10-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-7-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-12-0x00007FFEFCED0000-0x00007FFEFCEE0000-memory.dmp

memory/1084-13-0x00007FFEFCED0000-0x00007FFEFCEE0000-memory.dmp

memory/1084-15-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-16-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-14-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-17-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-18-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-20-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-19-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-32-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-33-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-34-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-35-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 9859a826766aa19bd62185e01379ed05
SHA1 e57a721d2442044ef13dd9cec916dee7ee195ff1
SHA256 b39e1f8a4fd95fb190c30105868a548822e6c67909111199d520c8d4e8d2fd0e
SHA512 51342b13306bc93fd1c85bbe174369aff9c048abf276d0760c78004f980edb863b4ff7b33ec8060173d67f0748fa43135e63a723e7872f445b0e4dc0587c2fb7

memory/1084-44-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-45-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp

memory/1084-46-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp