Analysis Overview
SHA256
d51356160393737c4a8c94bdb02b24c97c4a4dc581a372ef134a3aba38c3bcfc
Threat Level: Known bad
The file ClickMePlease.xls was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Office macro that triggers on suspicious action
Suspicious Office macro
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-11 23:49
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-11 23:49
Reported
2024-08-11 23:54
Platform
win10v2004-20240802-en
Max time kernel
187s
Max time network
178s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4960 wrote to memory of 1716 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\cmd.exe |
| PID 4960 wrote to memory of 1716 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\cmd.exe |
| PID 4960 wrote to memory of 1244 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\cmd.exe |
| PID 4960 wrote to memory of 1244 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\cmd.exe |
| PID 4960 wrote to memory of 4780 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\cmd.exe |
| PID 4960 wrote to memory of 4780 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\cmd.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ClickMePlease.xls"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c echo "MetaCTF{is_this_a_very_hidden_feature_or_flag}"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c echo "MetaCTF{is_this_a_very_hidden_feature_or_flag}"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c echo "MetaCTF{is_this_a_very_hidden_feature_or_flag}"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | a332ec9d31a0765506d21f1b9010b401 |
| SHA1 | e5c86a472b6c0975c4b3a6e68772e3c67f89f416 |
| SHA256 | e36038b2cba9b10ff4051969733b0b7e072877ef922f6a01cf553e122502e3ef |
| SHA512 | 21e19b882d1099d6cce39ce81944417c51413e318b0ab133bc629edec2e6e7e16ec20c5614c6bc3221fdbc1e0a309d101441ca1379053a66896c7c5c91e5a6f9 |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |