Analysis Overview
SHA256
02113aba83264dccaa4d2be39b11de1b3caf90d9420babe29fc0e26d86c5c190
Threat Level: Likely malicious
The file 02113aba83264dccaa4d2be39b11de1b3caf90d9420babe29fc0e26d86c5c190 was found to be: Likely malicious.
Malicious Activity Summary
Office macro that triggers on suspicious action
Suspicious Office macro
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 21:51
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 21:51
Reported
2024-08-06 21:52
Platform
win7-20240705-en
Max time kernel
24s
Max time network
20s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\02113aba83264dccaa4d2be39b11de1b3caf90d9420babe29fc0e26d86c5c190.xls
Network
Files
memory/2396-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2396-1-0x000000007297D000-0x0000000072988000-memory.dmp
memory/2396-8-0x0000000006580000-0x0000000006680000-memory.dmp
memory/2396-9-0x000000007297D000-0x0000000072988000-memory.dmp
memory/2396-10-0x0000000006580000-0x0000000006680000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 21:51
Reported
2024-08-06 21:52
Platform
win10v2004-20240802-en
Max time kernel
46s
Max time network
38s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\02113aba83264dccaa4d2be39b11de1b3caf90d9420babe29fc0e26d86c5c190.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
Files
memory/1084-0-0x00007FFEFF490000-0x00007FFEFF4A0000-memory.dmp
memory/1084-1-0x00007FFEFF490000-0x00007FFEFF4A0000-memory.dmp
memory/1084-2-0x00007FFEFF490000-0x00007FFEFF4A0000-memory.dmp
memory/1084-3-0x00007FFEFF490000-0x00007FFEFF4A0000-memory.dmp
memory/1084-4-0x00007FFF3F4AD000-0x00007FFF3F4AE000-memory.dmp
memory/1084-5-0x00007FFEFF490000-0x00007FFEFF4A0000-memory.dmp
memory/1084-6-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-8-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-9-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-11-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-10-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-7-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-12-0x00007FFEFCED0000-0x00007FFEFCEE0000-memory.dmp
memory/1084-13-0x00007FFEFCED0000-0x00007FFEFCEE0000-memory.dmp
memory/1084-15-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-16-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-14-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-17-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-18-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-20-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-19-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-32-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-33-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-34-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-35-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 9859a826766aa19bd62185e01379ed05 |
| SHA1 | e57a721d2442044ef13dd9cec916dee7ee195ff1 |
| SHA256 | b39e1f8a4fd95fb190c30105868a548822e6c67909111199d520c8d4e8d2fd0e |
| SHA512 | 51342b13306bc93fd1c85bbe174369aff9c048abf276d0760c78004f980edb863b4ff7b33ec8060173d67f0748fa43135e63a723e7872f445b0e4dc0587c2fb7 |
memory/1084-44-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-45-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
memory/1084-46-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp
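The signature tables above are the report's raw evidence: registry keys opened or queried by EXCEL.EXE, reverse-DNS (PTR) lookups sent to 8.8.8.8, and a list of memory-dump file names encoding the dumped address ranges. The following Python is an added example, not part of the sandbox report or of the sandbox's own tooling; it parses rows copied from the tables above and turns them into a triage summary. T1614.001 is the ATT&CK ID for the "System Location Discovery: System Language Discovery" technique the report names; mapping the CentralProcessor, BIOS and FloatingPointProcessor keys to T1082 (System Information Discovery) is my own assumption, since the report lists no technique IDs.

```python
"""Triage helpers for the sandbox report's indicators.

Added example, not the report's or the sandbox's own code. The sample rows
below are copied from the report's tables; the T1082 mapping is an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Registry-key pattern -> (signature name as the report prints it, ATT&CK id).
# T1614.001 is the id of the technique the report names for NLS\Language.
# T1082 for the processor/BIOS keys is an assumed mapping, not from the report.
REGISTRY_RULES = [
    (re.compile(r"\\Control\\NLS\\Language$", re.I),
     "System Location Discovery: System Language Discovery", "T1614.001"),
    (re.compile(r"\\Hardware\\Description\\System\\CentralProcessor\\", re.I),
     "Checks processor information in registry", "T1082"),
    (re.compile(r"\\Hardware\\Description\\System\\(BIOS|FloatingPointProcessor)", re.I),
     "Enumerates system info in registry", "T1082"),
]

PTR_SUFFIX = ".in-addr.arpa"
# Sandbox dump names look like memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def classify_registry(key_path: str) -> Optional[Tuple[str, str]]:
    """Return (signature name, technique id) for a registry indicator, or None."""
    for pattern, name, technique in REGISTRY_RULES:
        if pattern.search(key_path):
            return name, technique
    return None


def ptr_to_ip(name: str) -> Optional[str]:
    """Recover the IPv4 address behind a PTR query name (octets are reversed).

    '69.31.126.40.in-addr.arpa' -> '40.126.31.69'; None for malformed names."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


@dataclass(frozen=True)
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(path: str) -> Optional[MemoryRegion]:
    """Decode pid, dump index and address range from a memory-dump file name."""
    m = DUMP_RE.search(path)
    if not m:
        return None
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:          # reject an empty or inverted range
        return None
    return MemoryRegion(int(pid), int(idx), start, end)


# Constructed sample input, copied from the report's behavioral tables.
SAMPLE_REGISTRY: List[Tuple[str, str]] = [
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
]
SAMPLE_DNS = ["69.31.126.40.in-addr.arpa", "172.210.232.199.in-addr.arpa"]
SAMPLE_DUMPS = [
    "memory/1084-0-0x00007FFEFF490000-0x00007FFEFF4A0000-memory.dmp",
    "memory/1084-6-0x00007FFF3F410000-0x00007FFF3F605000-memory.dmp",
]


def summarize(registry_rows: Sequence[Tuple[str, str]],
              dns_names: Sequence[str], dump_paths: Sequence[str]) -> dict:
    """Collapse raw report rows into the facts an analyst wants first."""
    techniques = set()
    for _, key in registry_rows:
        hit = classify_registry(key)
        if hit:
            techniques.add(hit[1])
    looked_up = [ip for ip in (ptr_to_ip(n) for n in dns_names) if ip]
    regions = [r for r in (parse_dump_name(p) for p in dump_paths) if r]
    distinct = {(r.start, r.end) for r in regions}
    return {
        "techniques": sorted(techniques),
        "reverse_lookups": looked_up,
        "dump_regions": len(regions),
        "distinct_regions": len(distinct),
        "largest_region": max((r.size for r in regions), default=0),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REGISTRY, SAMPLE_DNS, SAMPLE_DUMPS))
```

Two caveats when reading the output: the NLS\Language, CentralProcessor and BIOS reads are routine for Office itself, so the technique hits are context for the macro finding rather than proof of evasion on their own, and the PTR names only show which addresses the detonation host tried to resolve in reverse, not that the sample contacted them.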