Malware Analysis Report

2025-03-15 07:58

Sample ID 240815-c888da1ale
Target 6ab4d37d9d6731c1f1945d2dfcd63450ba79920a5b6ca4542c0c95d5d8899d22
SHA256 6ab4d37d9d6731c1f1945d2dfcd63450ba79920a5b6ca4542c0c95d5d8899d22
Tags
macro macro_on_action discovery
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

6ab4d37d9d6731c1f1945d2dfcd63450ba79920a5b6ca4542c0c95d5d8899d22

Threat Level: Likely malicious

The file 6ab4d37d9d6731c1f1945d2dfcd63450ba79920a5b6ca4542c0c95d5d8899d22 was found to be: Likely malicious.

Malicious Activity Summary

macro macro_on_action discovery

Office macro that triggers on suspicious action

Suspicious Office macro

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 02:45

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 02:45

Reported

2024-08-15 02:47

Platform

win7-20240705-en

Max time kernel

41s

Max time network

43s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\6ab4d37d9d6731c1f1945d2dfcd63450ba79920a5b6ca4542c0c95d5d8899d22.xls

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\6ab4d37d9d6731c1f1945d2dfcd63450ba79920a5b6ca4542c0c95d5d8899d22.xls

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.js-hurling.com udp
US 75.98.175.107:443 www.js-hurling.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.71:80 crl.microsoft.com tcp

Files

memory/1320-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1320-1-0x00000000729FD000-0x0000000072A08000-memory.dmp

memory/1320-28-0x0000000006350000-0x0000000006450000-memory.dmp

memory/1320-42-0x0000000006350000-0x0000000006450000-memory.dmp

memory/1320-43-0x0000000006350000-0x0000000006450000-memory.dmp

memory/1320-58-0x0000000006F40000-0x0000000006F41000-memory.dmp

memory/1320-59-0x00000000729FD000-0x0000000072A08000-memory.dmp

memory/1320-60-0x0000000006350000-0x0000000006450000-memory.dmp

memory/1320-61-0x0000000006350000-0x0000000006450000-memory.dmp

memory/1320-62-0x0000000006F40000-0x0000000006F41000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 02:45

Reported

2024-08-15 02:47

Platform

win10v2004-20240802-en

Max time kernel

46s

Max time network

52s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\6ab4d37d9d6731c1f1945d2dfcd63450ba79920a5b6ca4542c0c95d5d8899d22.xls"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\6ab4d37d9d6731c1f1945d2dfcd63450ba79920a5b6ca4542c0c95d5d8899d22.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 www.js-hurling.com udp
US 75.98.175.107:443 www.js-hurling.com tcp
US 8.8.8.8:53 107.175.98.75.in-addr.arpa udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp

Files

memory/3452-0-0x00007FFB72A50000-0x00007FFB72A60000-memory.dmp

memory/3452-4-0x00007FFBB2A6D000-0x00007FFBB2A6E000-memory.dmp

memory/3452-5-0x00007FFB72A50000-0x00007FFB72A60000-memory.dmp

memory/3452-3-0x00007FFB72A50000-0x00007FFB72A60000-memory.dmp

memory/3452-2-0x00007FFB72A50000-0x00007FFB72A60000-memory.dmp

memory/3452-6-0x00007FFBB29D0000-0x00007FFBB2BC5000-memory.dmp

memory/3452-9-0x00007FFBB29D0000-0x00007FFBB2BC5000-memory.dmp

memory/3452-10-0x00007FFBB29D0000-0x00007FFBB2BC5000-memory.dmp

memory/3452-13-0x00007FFBB29D0000-0x00007FFBB2BC5000-memory.dmp

memory/3452-14-0x00007FFB700F0000-0x00007FFB70100000-memory.dmp

memory/3452-12-0x00007FFBB29D0000-0x00007FFBB2BC5000-memory.dmp

memory/3452-15-0x00007FFB700F0000-0x00007FFB70100000-memory.dmp

memory/3452-11-0x00007FFBB29D0000-0x00007FFBB2BC5000-memory.dmp

memory/3452-8-0x00007FFBB29D0000-0x00007FFBB2BC5000-memory.dmp

memory/3452-17-0x00007FFBB29D0000-0x00007FFBB2BC5000-memory.dmp

memory/3452-16-0x00007FFBB29D0000-0x00007FFBB2BC5000-memory.dmp

memory/3452-18-0x00007FFBB29D0000-0x00007FFBB2BC5000-memory.dmp

memory/3452-7-0x00007FFBB29D0000-0x00007FFBB2BC5000-memory.dmp

memory/3452-1-0x00007FFB72A50000-0x00007FFB72A60000-memory.dmp

memory/3452-38-0x00007FFBB29D0000-0x00007FFBB2BC5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\LXEBKCNFK.exe

MD5 de037033432a0987c112d8df7e3a91f6
SHA1 1e7d9460f05eb2a7e9c220fa07ae4cafe83bc877
SHA256 770b938122a1d507f97f6c731f4f00f30bdad44ef114fb15b69ec07172c55e66
SHA512 3d280671432f635e636e816ded5c1df0204f879406596de5a45554e0c5cbcb0473f185886eecdaf111c588bcf926fd8161b1cb08b3e0ab9c0e765fcf9e46fa8d

memory/3452-100-0x00007FFBB29D0000-0x00007FFBB2BC5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 e72fea9f48334f5c98c8965cfce82ac4
SHA1 6ba7f7ea0002a75df064e0a17be788885301f43a
SHA256 02d5bda0ee75581c4714b22d0b12c907348b79dd930556e0cea6ff5fd739c8b3
SHA512 3e96aaba941bb02fea73a68f534227b3d262de4aa8362082bb946b2de286edca2a17d7fa9d590e708412920c07aaedbf6523d51a146347dab19f9600cc247dad

memory/3452-106-0x00007FFBB29D0000-0x00007FFBB2BC5000-memory.dmp