Malware Analysis Report

2025-01-18 12:24

Sample ID 240912-q3ecpsxbqa
Target Swift Payment.xls
SHA256 eaf3b9c1bdaf72da0a5d2a1a8c4f128712463c558e8af23830126bf07ef63847
Tags
discovery
score
3/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
3/10

SHA256

eaf3b9c1bdaf72da0a5d2a1a8c4f128712463c558e8af23830126bf07ef63847

Threat Level: Likely benign

The file Swift Payment.xls was found to be: Likely benign (score 3/10). Every signature listed below fired inside EXCEL.EXE itself: neither detonation spawned a child process or wrote anything to disk beyond a Windows jump-list entry, and the static pass produced no findings. Two network endpoints, zhort.de (88.99.66.38:443) and 45.89.247.151:80, were contacted in both runs and are not explained anywhere in the report; they are the items to resolve before accepting the verdict.

Malicious Activity Summary

discovery

System Location Discovery: System Language Discovery (discovery; ATT&CK T1614.001)
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Uses Task Scheduler COM API (persistence)
Uses Volume Shadow Copy WMI provider (ransomware)
Uses Volume Shadow Copy service COM API (ransomware)
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Enterprise Matrix V15: the matrix view is not reproduced in this export. The technique named in the signature list is System Location Discovery: System Language Discovery (T1614.001).

Analysis: static1

Detonation Overview

Reported

2024-09-12 13:46

Signatures

N/A
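The static pass above reports nothing, so before leaning on the dynamic verdict an analyst normally confirms that the file in hand hashes to the SHA256 the report names and takes a first look at the container itself. The Python below is an added example, not part of this report or of the sandbox's own tooling. It uses only the standard library and a byte-level search for the UTF-16LE directory names a VBA project leaves in a Compound File (a full CFB parser such as olefile would be the next step); REPORT_SHA256 is the hash from the report header, and CLEAN_BLOB and MACRO_BLOB are constructed test data, not the sample.

```python
"""First-pass static checks on a legacy .xls sample before trusting a sandbox verdict.

Added example, not part of the sandbox report. REPORT_SHA256 is the hash the
report lists for Swift Payment.xls; CLEAN_BLOB and MACRO_BLOB are constructed
test data, not the sample itself.
"""
import hashlib

REPORT_SHA256 = "eaf3b9c1bdaf72da0a5d2a1a8c4f128712463c558e8af23830126bf07ef63847"

# Compound File Binary (OLE2) signature; every legacy .xls starts with it.
# A ".xls" that starts with "PK" is really an OOXML/zip container.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

# Directory-entry names that are only present when a VBA project is embedded
# (Excel uses _VBA_PROJECT_CUR, Word uses Macros). CFB stores entry names as
# UTF-16LE, so the search is done on the encoded form.
VBA_NAMES = ("_VBA_PROJECT", "Macros")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_report(data: bytes, expected: str = REPORT_SHA256) -> bool:
    """The report is evidence only about the file that hashes to its SHA256."""
    return sha256_hex(data) == expected.lower()


def container_type(data: bytes) -> str:
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def vba_markers(data: bytes) -> list:
    """Heuristic: which VBA-related directory names occur anywhere in the bytes.

    A hit means 'macro project present', not 'malicious'; a miss is not proof
    of absence, because the directory is not actually parsed here.
    """
    return [name for name in VBA_NAMES if name.encode("utf-16-le") in data]


def triage(data: bytes) -> dict:
    """What an analyst wants to know before the file goes near a sandbox."""
    return {
        "sha256": sha256_hex(data),
        "matches_report": matches_report(data),
        "container": container_type(data),
        "vba_markers": vba_markers(data),
    }


# Constructed test blobs: a 512-byte CFB-style header sector followed by one
# UTF-16LE directory name. Real files carry full sector tables; these do not.
CLEAN_BLOB = OLE_MAGIC + b"\x00" * 504 + "Workbook".encode("utf-16-le")
MACRO_BLOB = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT_CUR".encode("utf-16-le")

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else MACRO_BLOB
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Run it with the sample's path as the only argument; a `matches_report` of False means the report is about a different file than the one being examined, whatever the rest of the output says.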

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-12 13:46

Reported

2024-09-12 13:49

Platform

win7-20240903-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Swift Payment.xls"

The /dde switch is the Office 2010 file-association launch string (the Excel.Sheet.8 open verb hands the document to Excel over DDE); it is supplied by the guest's shell when the sandbox opens the document, not by the sample.

Signatures

System Location Discovery: System Language Discovery
Tag: discovery

Description   Indicator                                                     Process                                                      Target
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE   N/A

Enumerates system info in registry

Description   Indicator                                                              Process                                                      Target
Key opened    \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor   C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE   N/A

Suspicious behavior: AddClipboardFormatListener

Description   Indicator   Process                                                      Target
N/A           N/A         C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE   N/A

All three signatures fire in EXCEL.EXE itself (Target N/A): two registry reads of locale and processor information and one clipboard-format listener registration. No child process and no file write is involved.

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Swift Payment.xls"

Network

Country   Destination          Domain            Proto
US        8.8.8.8:53           zhort.de          udp
DE        88.99.66.38:443      zhort.de          tcp
US        8.8.8.8:53           e6.o.lencr.org    udp
GB        173.222.211.43:80    e6.o.lencr.org    tcp
NL        45.89.247.151:80     -                 tcp
NL        45.89.247.151:80     -                 tcp

A "-" in the Domain column is a direct connection to the IP with no name lookup recorded. e6.o.lencr.org is Let's Encrypt's OCSP responder, i.e. a certificate-revocation check made during a TLS handshake; the only TLS connection in this run is 88.99.66.38:443 (zhort.de). zhort.de and 45.89.247.151 are the two endpoints the report does not account for.

Files

memory/2280-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2280-1-0x000000007221D000-0x0000000072228000-memory.dmp
memory/2280-21-0x000000007221D000-0x0000000072228000-memory.dmp

Only memory dumps of the EXCEL.EXE process (2280) were collected; no file was written to disk in this run.

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-12 13:46

Reported

2024-09-12 13:49

Platform

win10v2004-20240802-en

Max time kernel

102s

Max time network

124s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Swift Payment.xls"

Signatures

Checks processor information in registry

Description         Indicator                                                                             Process                                                     Target
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE   N/A
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE   N/A
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE   N/A

Enumerates system info in registry

Description         Indicator                                                         Process                                                     Target
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS                C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE   N/A
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily   C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE   N/A
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU      C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE   N/A

Suspicious behavior: AddClipboardFormatListener

Description   Indicator   Process                                                     Target
N/A           N/A         C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE   N/A

Uses Task Scheduler COM API
Tag: persistence

Uses Volume Shadow Copy WMI provider
Tag: ransomware

Uses Volume Shadow Copy service COM API
Tag: ransomware

The last three signatures carry no indicator rows: they record EXCEL.EXE using the Task Scheduler and Volume Shadow Copy COM/WMI interfaces. The report shows no scheduled task, no shadow-copy operation and no child process in this run, so the persistence and ransomware tags describe the API family each signature watches, not observed impact.

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Swift Payment.xls"

Network

Country   Destination          Domain                          Proto
US        8.8.8.8:53           8.8.8.8.in-addr.arpa            udp
US        8.8.8.8:53           roaming.officeapps.live.com     udp
IE        52.109.76.243:443    roaming.officeapps.live.com     tcp
US        8.8.8.8:53           zhort.de                        udp
DE        88.99.66.38:443      zhort.de                        tcp
US        8.8.8.8:53           240.76.109.52.in-addr.arpa      udp
US        8.8.8.8:53           217.106.137.52.in-addr.arpa     udp
US        8.8.8.8:53           243.76.109.52.in-addr.arpa      udp
US        8.8.8.8:53           172.210.232.199.in-addr.arpa    udp
US        8.8.8.8:53           e6.o.lencr.org                  udp
GB        173.222.211.43:80    e6.o.lencr.org                  tcp
US        8.8.8.8:53           38.66.99.88.in-addr.arpa        udp
US        8.8.8.8:53           168.245.100.95.in-addr.arpa     udp
NL        45.89.247.151:80     -                               tcp
US        8.8.8.8:53           43.211.222.173.in-addr.arpa     udp
US        8.8.8.8:53           14.160.190.20.in-addr.arpa      udp
US        8.8.8.8:53           95.221.229.192.in-addr.arpa     udp
US        8.8.8.8:53           84.65.42.20.in-addr.arpa        udp
US        8.8.8.8:53           58.55.71.13.in-addr.arpa        udp
US        8.8.8.8:53           26.165.165.52.in-addr.arpa      udp
US        8.8.8.8:53           206.23.85.13.in-addr.arpa       udp
US        8.8.8.8:53           172.214.232.199.in-addr.arpa    udp
US        8.8.8.8:53           43.229.111.52.in-addr.arpa      udp

A "-" in the Domain column is a direct connection to the IP with no name lookup recorded. roaming.officeapps.live.com is Office's settings-roaming service and was not seen in the Office 2010 run. The in-addr.arpa entries are reverse (PTR) lookups: 38.66.99.88, 243.76.109.52 and 43.211.222.173 are the reverses of 88.99.66.38 (zhort.de), 52.109.76.243 (roaming.officeapps.live.com) and 173.222.211.43 (e6.o.lencr.org); the remaining reversed addresses have no matching forward connection in this table. zhort.de and 45.89.247.151:80 recur from the Win7 run and remain unexplained.
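The two Network tables are the most useful part of this report, and the question they raise is which destinations belong to the document rather than to the guest OS or to Office. The Python below is an added example, not part of the report or of the sandbox's tooling: it parses rows in the report's flattened "Country Destination Domain Proto" layout (the rows are copied from the two tables above, behavioral2 as a subset), classifies each one, recovers the addresses behind the PTR queries, and intersects the non-noise endpoints of both runs. The allowlist of background infrastructure (the resolver, Office's roaming service, Let's Encrypt OCSP) and the classification rules are assumptions made for this example.

```python
"""Triage the Network tables of two detonations of the same sample.

Added example, not part of the sandbox report. The rows are copied from the
report's behavioral1 (Win7 / Office 2010) and behavioral2 (Win10 / Office
2016) Network tables (behavioral2 is a subset); the allowlist of background
infrastructure and the classification rules are assumptions made here.
"""
from collections import Counter, namedtuple

Conn = namedtuple("Conn", "country dest domain proto")

# Rows in the report's flattened "Country Destination Domain Proto" layout.
# A three-field row is a direct-to-IP connection with no Domain column.
BEHAVIORAL1 = """\
US 8.8.8.8:53 zhort.de udp
DE 88.99.66.38:443 zhort.de tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 173.222.211.43:80 e6.o.lencr.org tcp
NL 45.89.247.151:80 tcp
NL 45.89.247.151:80 tcp
"""

BEHAVIORAL2 = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 zhort.de udp
DE 88.99.66.38:443 zhort.de tcp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 173.222.211.43:80 e6.o.lencr.org tcp
US 8.8.8.8:53 38.66.99.88.in-addr.arpa udp
NL 45.89.247.151:80 tcp
"""

# Assumed background-noise allowlist: the sandbox resolver, Office's
# roaming-settings service and the Let's Encrypt OCSP responder that a TLS
# handshake consults. Anything else is the sample's (or the OS image's) doing.
RESOLVER = "8.8.8.8:53"
BENIGN_SUFFIXES = (".officeapps.live.com", ".lencr.org")


def parse_rows(text):
    """Turn the flattened table into Conn records; malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            conns.append(Conn(*parts))
        elif len(parts) == 3:
            country, dest, proto = parts
            conns.append(Conn(country, dest, "", proto))
    return conns


def classify(c):
    if c.dest == RESOLVER:
        return "reverse-dns" if c.domain.endswith(".in-addr.arpa") else "dns-query"
    if any(c.domain.endswith(s) for s in BENIGN_SUFFIXES):
        return "benign-infra"
    if not c.domain:
        return "direct-ip"
    return "unexplained"


def summary(text):
    """Count of rows per class, e.g. how much of a run is DNS chatter."""
    return dict(Counter(classify(c) for c in parse_rows(text)))


def reverse_lookups(text):
    """IPs the guest resolved backwards (PTR queries), in the order seen."""
    ips = []
    for c in parse_rows(text):
        if classify(c) == "reverse-dns":
            octets = c.domain[: -len(".in-addr.arpa")].split(".")
            ips.append(".".join(reversed(octets)))
    return ips


def followups(*runs):
    """Non-noise endpoints present in every run.

    Something contacted from both Win7/Office 2010 and Win10/Office 2016 is
    more likely driven by the document than by one OS image's own traffic.
    """
    per_run = [
        {(c.dest, c.domain) for c in parse_rows(run)
         if classify(c) in ("direct-ip", "unexplained")}
        for run in runs
    ]
    return sorted(set.intersection(*per_run))


if __name__ == "__main__":
    print("behavioral1:", summary(BEHAVIORAL1))
    print("behavioral2:", summary(BEHAVIORAL2))
    print("reverse lookups in behavioral2:", reverse_lookups(BEHAVIORAL2))
    print("follow up:", followups(BEHAVIORAL1, BEHAVIORAL2))
```

On the report's own rows the intersection leaves exactly the two endpoints the overview flags, 45.89.247.151:80 and 88.99.66.38:443 (zhort.de), and the PTR list shows the guest reverse-resolving 88.99.66.38 itself. The allowlist is deliberately short: extending it with every Microsoft range would hide less than it seems, because the point of the intersection is that OS-specific noise already drops out on its own.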

Files

memory/3036-0-0x00007FF7E8790000-0x00007FF7E87A0000-memory.dmp
memory/3036-3-0x00007FF7E8790000-0x00007FF7E87A0000-memory.dmp
memory/3036-4-0x00007FF7E8790000-0x00007FF7E87A0000-memory.dmp
memory/3036-1-0x00007FF8287AD000-0x00007FF8287AE000-memory.dmp
memory/3036-5-0x00007FF7E8790000-0x00007FF7E87A0000-memory.dmp
memory/3036-6-0x00007FF828710000-0x00007FF828905000-memory.dmp
memory/3036-7-0x00007FF828710000-0x00007FF828905000-memory.dmp
memory/3036-10-0x00007FF828710000-0x00007FF828905000-memory.dmp
memory/3036-9-0x00007FF828710000-0x00007FF828905000-memory.dmp
memory/3036-8-0x00007FF828710000-0x00007FF828905000-memory.dmp
memory/3036-2-0x00007FF7E8790000-0x00007FF7E87A0000-memory.dmp
memory/3036-11-0x00007FF828710000-0x00007FF828905000-memory.dmp
memory/3036-12-0x00007FF828710000-0x00007FF828905000-memory.dmp
memory/3036-13-0x00007FF7E6550000-0x00007FF7E6560000-memory.dmp
memory/3036-14-0x00007FF7E6550000-0x00007FF7E6560000-memory.dmp
memory/3036-33-0x00007FF828710000-0x00007FF828905000-memory.dmp
memory/3036-35-0x00007FF828710000-0x00007FF828905000-memory.dmp
memory/3036-34-0x00007FF8287AD000-0x00007FF8287AE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5      cbe1192a51ad0c5813d60af74a15e2f6
SHA1     6081c245ac047c635eb3d58d8728b3ce865ef0c6
SHA256   eb77e0f199b3a0b47e7b925fb84070dbc10f902d30a4477ad2c6c2911af89e74
SHA512   47fed7419a8f9d4fa7179ce3fe3d2fe0650db718613dcf357f2ccd6a19feb439d876929d24086c54fefc3f84c3a6714a23bb05b16e3ab88f4def5febc0f69af1

memory/3036-64-0x00007FF7E8790000-0x00007FF7E87A0000-memory.dmp
memory/3036-63-0x00007FF7E8790000-0x00007FF7E87A0000-memory.dmp
memory/3036-65-0x00007FF7E8790000-0x00007FF7E87A0000-memory.dmp
memory/3036-62-0x00007FF7E8790000-0x00007FF7E87A0000-memory.dmp
memory/3036-66-0x00007FF828710000-0x00007FF828905000-memory.dmp

The only on-disk artefact is a Windows jump-list file (Recent\CustomDestinations\*.customDestinations-ms), which Windows writes when an application records a recently opened document; it is expected housekeeping, not a dropped payload. Everything else is memory dumps of the EXCEL.EXE process (3036).