Malware Analysis Report

2025-03-15 07:55

Sample ID 240808-1vwl5azhqr
Target a647dc37879b9756f34e4db9682cd14a0dde8e4fa852c3726971476d33abe825
SHA256 a647dc37879b9756f34e4db9682cd14a0dde8e4fa852c3726971476d33abe825
Tags
macro macro_on_action discovery
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

a647dc37879b9756f34e4db9682cd14a0dde8e4fa852c3726971476d33abe825

Threat Level: Likely malicious

The file a647dc37879b9756f34e4db9682cd14a0dde8e4fa852c3726971476d33abe825 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action discovery

Suspicious Office macro

Office macro that triggers on suspicious action

Process spawned suspicious child process

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-08 21:58

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-08 21:58

Reported

2024-08-08 21:59

Platform

win7-20240708-en

Max time kernel

23s

Max time network

18s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a647dc37879b9756f34e4db9682cd14a0dde8e4fa852c3726971476d33abe825.xls

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a647dc37879b9756f34e4db9682cd14a0dde8e4fa852c3726971476d33abe825.xls

Network

N/A

Files

memory/2796-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2796-1-0x00000000727BD000-0x00000000727C8000-memory.dmp

memory/2796-8-0x0000000000630000-0x0000000000730000-memory.dmp

memory/2796-5-0x0000000000630000-0x0000000000730000-memory.dmp

memory/2796-4-0x0000000000630000-0x0000000000730000-memory.dmp

memory/2796-3-0x0000000000630000-0x0000000000730000-memory.dmp

memory/2796-2-0x0000000000630000-0x0000000000730000-memory.dmp

memory/2796-9-0x00000000727BD000-0x00000000727C8000-memory.dmp

memory/2796-10-0x0000000000630000-0x0000000000730000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-08 21:58

Reported

2024-08-08 21:59

Platform

win10v2004-20240802-en

Max time kernel

59s

Max time network

38s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a647dc37879b9756f34e4db9682cd14a0dde8e4fa852c3726971476d33abe825.xls"

Signatures

Process spawned suspicious child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\dwwin.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\dwwin.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\dwwin.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\dwwin.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwwin.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a647dc37879b9756f34e4db9682cd14a0dde8e4fa852c3726971476d33abe825.xls"

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE

"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4300

C:\Windows\system32\dwwin.exe

C:\Windows\system32\dwwin.exe -x -s 4300

Network

Country Destination Domain Proto
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp

Files

memory/5064-0-0x00007FFC92E70000-0x00007FFC92E80000-memory.dmp

memory/5064-1-0x00007FFCD2E8D000-0x00007FFCD2E8E000-memory.dmp

memory/5064-3-0x00007FFC92E70000-0x00007FFC92E80000-memory.dmp

memory/5064-2-0x00007FFC92E70000-0x00007FFC92E80000-memory.dmp

memory/5064-4-0x00007FFC92E70000-0x00007FFC92E80000-memory.dmp

memory/5064-5-0x00007FFC92E70000-0x00007FFC92E80000-memory.dmp

memory/5064-9-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/5064-8-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/5064-11-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/5064-12-0x00007FFC90A90000-0x00007FFC90AA0000-memory.dmp

memory/5064-10-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/5064-7-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/5064-13-0x00007FFC90A90000-0x00007FFC90AA0000-memory.dmp

memory/5064-14-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/5064-16-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/5064-20-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/5064-21-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/5064-19-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/5064-18-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/5064-17-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/5064-15-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/5064-6-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/5064-30-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/1228-36-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/1228-35-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/1228-38-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/1228-47-0x00007FFC92E70000-0x00007FFC92E80000-memory.dmp

memory/1228-48-0x00007FFC92E70000-0x00007FFC92E80000-memory.dmp

memory/1228-46-0x00007FFC92E70000-0x00007FFC92E80000-memory.dmp

memory/1228-45-0x00007FFC92E70000-0x00007FFC92E80000-memory.dmp

memory/1228-49-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp

memory/5064-50-0x00007FFCD2DF0000-0x00007FFCD2FE5000-memory.dmp