Analysis Overview
SHA256
6ab4d37d9d6731c1f1945d2dfcd63450ba79920a5b6ca4542c0c95d5d8899d22
Threat Level: Likely malicious
The file 6ab4d37d9d6731c1f1945d2dfcd63450ba79920a5b6ca4542c0c95d5d8899d22 was found to be: Likely malicious.
Malicious Activity Summary
Office macro that triggers on suspicious action
Suspicious Office macro
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-15 02:45
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 02:45
Reported
2024-08-15 02:47
Platform
win7-20240705-en
Max time kernel
41s
Max time network
43s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\6ab4d37d9d6731c1f1945d2dfcd63450ba79920a5b6ca4542c0c95d5d8899d22.xls
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.js-hurling.com | udp |
| US | 75.98.175.107:443 | www.js-hurling.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.71:80 | crl.microsoft.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 02:45
Reported
2024-08-15 02:47
Platform
win10v2004-20240802-en
Max time kernel
46s
Max time network
52s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\6ab4d37d9d6731c1f1945d2dfcd63450ba79920a5b6ca4542c0c95d5d8899d22.xls"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.js-hurling.com | udp |
| US | 75.98.175.107:443 | www.js-hurling.com | tcp |
| US | 8.8.8.8:53 | 107.175.98.75.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\LXEBKCNFK.exe
| Hash | Value |
| --- | --- |
| MD5 | de037033432a0987c112d8df7e3a91f6 |
| SHA1 | 1e7d9460f05eb2a7e9c220fa07ae4cafe83bc877 |
| SHA256 | 770b938122a1d507f97f6c731f4f00f30bdad44ef114fb15b69ec07172c55e66 |
| SHA512 | 3d280671432f635e636e816ded5c1df0204f879406596de5a45554e0c5cbcb0473f185886eecdaf111c588bcf926fd8161b1cb08b3e0ab9c0e765fcf9e46fa8d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| Hash | Value |
| --- | --- |
| MD5 | e72fea9f48334f5c98c8965cfce82ac4 |
| SHA1 | 6ba7f7ea0002a75df064e0a17be788885301f43a |
| SHA256 | 02d5bda0ee75581c4714b22d0b12c907348b79dd930556e0cea6ff5fd739c8b3 |
| SHA512 | 3e96aaba941bb02fea73a68f534227b3d262de4aa8362082bb946b2de286edca2a17d7fa9d590e708412920c07aaedbf6523d51a146347dab19f9600cc247dad |