Malware Analysis Report

2025-05-06 01:19

Sample ID 241109-1g2afsshjl
Target 06f956c0f8307b2acc402fa737ca82bfc6b35c8512a938987e024c945c0e235c
SHA256 06f956c0f8307b2acc402fa737ca82bfc6b35c8512a938987e024c945c0e235c
Tags
discovery
score
3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
3/10

SHA256

06f956c0f8307b2acc402fa737ca82bfc6b35c8512a938987e024c945c0e235c

Threat Level: Likely benign

The file 06f956c0f8307b2acc402fa737ca82bfc6b35c8512a938987e024c945c0e235c (an .xls workbook, detonated in Excel 14 on Windows 7 and Excel 16 on Windows 10) scored 3/10 and was found to be: Likely benign. Every signature listed below is a registry read or window/clipboard API call made by EXCEL.EXE itself. Neither run spawned a child process, neither dropped a file outside Office's own Temp and Recent locations, and the only non-DNS network destination is the Office roaming-settings service (roaming.officeapps.live.com). The "Office loads VBA resources" signature, by its own wording, only makes a macro or embedded object possible; it is not evidence that macro code ran. Two caveats before closing the case: the Windows 7 run lasted only 14 s of kernel time, so a delayed payload would not have been observed, and the static pass produced no signatures, so whether the workbook actually contains a VBA project has to be confirmed by inspecting the file directly.

Malicious Activity Summary

Tag: discovery

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Enterprise Matrix V15

Discovery

T1614.001 System Location Discovery: System Language Discovery (behavioral1: EXCEL.EXE opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language)

The remaining signatures (CPU and BIOS registry reads, AddClipboardFormatListener, FindShellTrayWindow, VBA resource load) carry no ATT&CK mapping in this report.

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:39

Platform

win7-20241010-en

Max time kernel

14s

Max time network

19s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\06f956c0f8307b2acc402fa737ca82bfc6b35c8512a938987e024c945c0e235c.xls

Signatures

System Location Discovery: System Language Discovery

Tag: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Target: N/A

Caveat: opening the NLS\Language key is how a process resolves the installed system language; it is routine during application start-up and, with no other behaviour tied to the document, is a weak indicator on its own.

Office loads VBA resources, possible macro or embedded object present

No indicator rows were recorded for this signature. As its own wording says, loading VBA resources makes a macro or embedded object possible; it does not show that the workbook contains a VBA project or that any macro code executed. The only file written in this run is C:\Users\Admin\AppData\Local\Temp\VB7A31.tmp (see Files).

Enumerates system info in registry

Description: Key opened
Indicator: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
Process: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Target: N/A

Suspicious behavior: AddClipboardFormatListener

Description: N/A
Indicator: N/A
Process: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Target: N/A

Caveat for the last two: registering a clipboard format listener and locating the shell tray window are ordinary behaviour for an interactive Office process; the "suspicious" label exists because clipboard stealers and keyloggers use the same APIs, and it carries weight only when the calling process is not a known GUI application.

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\06f956c0f8307b2acc402fa737ca82bfc6b35c8512a938987e024c945c0e235c.xls
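The behavioral1 signature "Office loads VBA resources, possible macro or embedded object present" records only that Excel loaded VBA resources, and the static pass produced no signatures, so whether this .xls actually carries a VBA project is still an open question. The following Python script is an added example, not part of the sandbox report or its tooling. It parses the Compound File Binary (OLE2) container that legacy .xls files use, walks the directory stream through the FAT, and reports whether a VBA project storage is present, alongside a SHA256 check against the hash in this report. `build_cfb` constructs a synthetic minimal CFB for offline testing; it is not the analysed sample, whose bytes are not reproduced here. The `triage_bytes` entry point and the marker-name set are this example's own assumptions.

```python
import hashlib
import struct
import sys

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary (OLE2) signature
ENDOFCHAIN = 0xFFFFFFFE
NOSTREAM = 0xFFFFFFFF
# Directory entries that hold VBA: Excel keeps the project in a _VBA_PROJECT_CUR storage with a
# nested VBA storage (containing the _VBA_PROJECT stream); Word uses a Macros storage.
VBA_MARKERS = {"_VBA_PROJECT_CUR", "_VBA_PROJECT", "VBA", "Macros"}


def cfb_directory_names(data):
    """All directory-entry names of a CFB container (flat list, nested storages included),
    or None if the bytes are not CFB.  Follows the directory stream's FAT chain; only the
    109 DIFAT slots in the header are read, which covers files up to roughly 7 MB."""
    if len(data) < 512 or not data.startswith(CFB_MAGIC):
        return None
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat_sectors = struct.unpack_from("<I", data, 0x2C)[0]
    first_dir_sector = struct.unpack_from("<I", data, 0x30)[0]
    fat = []
    for fat_sector in struct.unpack_from("<109I", data, 0x4C)[:num_fat_sectors]:
        chunk = data[(fat_sector + 1) * sector_size:(fat_sector + 2) * sector_size]
        if len(chunk) != sector_size:
            return None                                  # truncated container
        fat.extend(struct.unpack("<%dI" % (sector_size // 4), chunk))
    names, sector, seen = [], first_dir_sector, set()
    while sector != ENDOFCHAIN and sector < len(fat) and sector not in seen:
        seen.add(sector)                                 # stops a malformed, looping chain
        block = data[(sector + 1) * sector_size:(sector + 2) * sector_size]
        for off in range(0, len(block) - 127, 128):      # 128-byte directory entries
            entry = block[off:off + 128]
            name_len = struct.unpack_from("<H", entry, 0x40)[0]   # bytes incl. UTF-16 NUL
            if entry[0x42] == 0 or name_len < 2:         # object type 0 = unused slot
                continue
            names.append(entry[:name_len - 2].decode("utf-16-le", "replace"))
        sector = fat[sector]
    return names


def has_vba_project(data):
    """True/False for a CFB file, None for anything else (an .xlsm/.xlsx is a zip, not CFB)."""
    names = cfb_directory_names(data)
    return None if names is None else any(n in VBA_MARKERS for n in names)


def build_cfb(entries):
    """Constructed test input (not the analysed sample): a minimal v3 CFB with one FAT sector
    and one directory sector.  `entries` is a list of (name, type), type 1 = storage,
    2 = stream; at most three, since a 512-byte directory sector holds four entries."""
    assert len(entries) <= 3
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, shifts
    struct.pack_into("<II", hdr, 0x2C, 1, 1)           # one FAT sector; directory at sector 1
    struct.pack_into("<I", hdr, 0x38, 0x1000)          # mini-stream cutoff
    struct.pack_into("<II", hdr, 0x3C, ENDOFCHAIN, 0)  # no mini FAT
    struct.pack_into("<II", hdr, 0x44, ENDOFCHAIN, 0)  # no extra DIFAT sectors
    struct.pack_into("<109I", hdr, 0x4C, 0, *([NOSTREAM] * 108))   # FAT lives in sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *([NOSTREAM] * 126))
    directory = bytearray(512)
    for i, (name, etype) in enumerate([("Root Entry", 5)] + list(entries)):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HB", directory, i * 128 + 0x40, len(raw), etype)
        struct.pack_into("<III", directory, i * 128 + 0x44, NOSTREAM, NOSTREAM, NOSTREAM)
    return bytes(hdr) + fat + bytes(directory)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage_bytes(data, expected_sha256):
    """Hash-check a sample and report whether it is an OLE2 file carrying a VBA project."""
    return {"sha256_matches": sha256_hex(data) == expected_sha256.lower(),
            "is_cfb": data.startswith(CFB_MAGIC),
            "has_vba_project": has_vba_project(data)}


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(triage_bytes(fh.read(), sys.argv[2]))
```

Run as `python triage_xls.py sample.xls 06f956c0f8307b2acc402fa737ca82bfc6b35c8512a938987e024c945c0e235c`. A True `has_vba_project` on the real sample would justify extracting the module streams (oletools' olevba does this); a False result, together with the absence of child processes in both runs, supports the "Likely benign" verdict. The name check is a presence test only: a workbook can carry an empty VBA project, and a stripped project directory still leaves the storage name behind.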

Network

N/A

Files

memory/2060-1-0x0000000072C7D000-0x0000000072C88000-memory.dmp

memory/2060-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2060-2-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2060-4-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2060-6-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2060-3-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2060-7-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2060-9-0x0000000000690000-0x0000000000790000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VB7A31.tmp

MD5 ce318cba2666697d3f053e5a2a57792f
SHA1 2768aca25d207d1a5027367075dda9a945f99c98
SHA256 a5646b849f96bcd8753aedcbae21819b67dfe6bc60200aa46145ee6eaeac6d74
SHA512 09661804275b0f70393fff2caeb456d10964fb42ba5485783a25747ca9f4f241dee2ad3431d5588bf9351ec91576aa17000d84ba56b1f522acad988c3be6b821

Note: these four hashes are identical to those of C:\Users\Admin\AppData\Local\Temp\VBA375.tmp in the behavioral2 run. Two different Office versions wrote byte-identical content, which indicates the content derives from the document rather than from the Office build, and makes this hash a usable pivot for other submissions of the same workbook.

memory/2060-32-0x0000000072C7D000-0x0000000072C88000-memory.dmp

memory/2060-33-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2060-34-0x0000000000690000-0x0000000000790000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:39

Platform

win10v2004-20241007-en

Max time kernel

56s

Max time network

59s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\06f956c0f8307b2acc402fa737ca82bfc6b35c8512a938987e024c945c0e235c.xls"

Signatures

Checks processor information in registry

Description: Key opened
Indicator: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Caveat: ~MHz and ProcessorNameString are among the values malware reads to fingerprint virtual machines, but ordinary software reads them for hardware reporting as well. The reader here is EXCEL.EXE with no document-spawned child, and the Windows 7 run did not touch these keys at all, which points to Office 16 start-up rather than the workbook.

Enumerates system info in registry

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Suspicious behavior: AddClipboardFormatListener

Description: N/A
Indicator: N/A
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Suspicious use of FindShellTrayWindow

Two hits recorded, both without description or indicator:

Description: N/A
Indicator: N/A
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\06f956c0f8307b2acc402fa737ca82bfc6b35c8512a938987e024c945c0e235c.xls"
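The signature tables for behavioral1 (Windows 7, Office14) and behavioral2 (Windows 10, Office16) list different registry reads for the same document. The following Python is an added example, not part of the sandbox report, that turns both tables, transcribed verbatim from this report as a constructed pipe-delimited input, into normalised registry keys, buckets them into discovery categories, and lists the categories that fired on only one platform. The category patterns, the ControlSet normalisation and the "platform-dependent" heuristic are this example's assumptions, not fields of the report.

```python
import re
from collections import defaultdict

# Signature rows transcribed from this report's two behavioural runs, one per line:
# run | signature | description | indicator | process.  Constructed input for the example.
SIGNATURE_ROWS = r"""
behavioral1|System Location Discovery: System Language Discovery|Key opened|\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language|C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
behavioral1|Enumerates system info in registry|Key opened|\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor|C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
behavioral2|Checks processor information in registry|Key opened|\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
behavioral2|Checks processor information in registry|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
behavioral2|Checks processor information in registry|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
behavioral2|Enumerates system info in registry|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
behavioral2|Enumerates system info in registry|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
behavioral2|Enumerates system info in registry|Key opened|\REGISTRY\MACHINE\Hardware\Description\System\BIOS|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"""

# Discovery buckets for the registry paths seen in this report (example's own categorisation).
CATEGORIES = (
    ("system_language", re.compile(r"\\CONTROL\\NLS\\LANGUAGE$")),
    ("cpu_info", re.compile(r"\\DESCRIPTION\\SYSTEM\\(CENTRALPROCESSOR|FLOATINGPOINTPROCESSOR)(\\|$)")),
    ("bios_info", re.compile(r"\\DESCRIPTION\\SYSTEM\\BIOS(\\|$)")),
)


def normalize_key(path):
    """Upper-case the kernel-style path, map \REGISTRY\MACHINE to HKLM and fold ControlSet00N
    onto the CurrentControlSet symlink so keys from different machines compare equal."""
    key = path.upper().replace("\\REGISTRY\\MACHINE", "HKLM", 1)
    return re.sub(r"\\SYSTEM\\CONTROLSET\d{3}\\", r"\\SYSTEM\\CURRENTCONTROLSET\\", key)


def categorise(key):
    for name, pattern in CATEGORIES:
        if pattern.search(key):
            return name
    return "uncategorised"


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        run, signature, description, indicator, process = line.split("|")
        rows.append({"run": run, "signature": signature, "description": description,
                     "indicator": normalize_key(indicator), "process": process})
    return rows


def summarize(text):
    """{run: {category: [normalised keys]}} for every row in the transcribed tables."""
    per_run = defaultdict(lambda: defaultdict(set))
    for row in parse_rows(text):
        per_run[row["run"]][categorise(row["indicator"])].add(row["indicator"])
    return {run: {cat: sorted(keys) for cat, keys in cats.items()}
            for run, cats in per_run.items()}


def category_runs(summary):
    """Map each category to the set of runs in which it fired."""
    seen = defaultdict(set)
    for run, cats in summary.items():
        for cat in cats:
            seen[cat].add(run)
    return dict(seen)


def platform_dependent(summary):
    """Categories that fired in only some of the runs.  The same document on two Office
    versions produced them in one environment and not the other, so they track the
    application's start-up rather than the document (an editorial heuristic)."""
    all_runs = set(summary)
    return sorted(cat for cat, runs in category_runs(summary).items() if runs != all_runs)


if __name__ == "__main__":
    report = summarize(SIGNATURE_ROWS)
    for run, cats in sorted(report.items()):
        print(run, {cat: len(keys) for cat, keys in cats.items()})
    print("platform-dependent:", platform_dependent(report))
```

Applied to this report the result is: behavioral1 has system_language and cpu_info, behavioral2 has cpu_info and bios_info, and bios_info and system_language fired on one platform only. When the same workbook yields a different discovery profile per Office version and no child process, the reads are a property of the application baseline; recording that baseline is the step an analyst should take before treating "discovery" signatures as evidence against the document.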

Network

The only non-DNS destination is 52.109.28.47:443 (roaming.officeapps.live.com, the Office roaming-settings service). Everything else is DNS to 8.8.8.8: one forward lookup of that host and a series of PTR (in-addr.arpa) lookups. No destination attributable to the workbook appears.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp

Files

memory/3552-1-0x00007FFA9FC8D000-0x00007FFA9FC8E000-memory.dmp

memory/3552-3-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

memory/3552-2-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

memory/3552-4-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

memory/3552-5-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

memory/3552-0-0x00007FFA5FC70000-0x00007FFA5FC80000-memory.dmp

memory/3552-8-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-9-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-11-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-10-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-7-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-12-0x00007FFA5D5A0000-0x00007FFA5D5B0000-memory.dmp

memory/3552-6-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-13-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-14-0x00007FFA5D5A0000-0x00007FFA5D5B0000-memory.dmp

memory/3552-17-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-18-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-19-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-21-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-20-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-16-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-15-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-38-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-39-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-40-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VBA375.tmp

MD5 ce318cba2666697d3f053e5a2a57792f
SHA1 2768aca25d207d1a5027367075dda9a945f99c98
SHA256 a5646b849f96bcd8753aedcbae21819b67dfe6bc60200aa46145ee6eaeac6d74
SHA512 09661804275b0f70393fff2caeb456d10964fb42ba5485783a25747ca9f4f241dee2ad3431d5588bf9351ec91576aa17000d84ba56b1f522acad988c3be6b821

Note: same hashes as C:\Users\Admin\AppData\Local\Temp\VB7A31.tmp in the behavioral1 run (Windows 7, Office14), so the content is document-derived rather than specific to this Office build.

memory/3552-49-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-50-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 48da198f090972c6b14f7a81a0a590a1
SHA1 a08e3e3ad58b14adb99d032a270f442106db5052
SHA256 7759b7a4f5fb153b96f9586a37b0779562df21dc9c0c3550cc2a5fe65ea764cb
SHA512 1e2484df89e23a4d6c32ba1addeb7400c946d19b02dedd6fe5b176b16da4f5d71c9c094685d9564da3139dcbfc0df1afe2129bc4608aab3ac2c9b475451ecb81

memory/3552-75-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-76-0x00007FFA9FC8D000-0x00007FFA9FC8E000-memory.dmp

memory/3552-77-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-78-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-79-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-83-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

memory/3552-84-0x00007FFA9FBF0000-0x00007FFA9FDE5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 5729f6b312136d066e53bdde7e8e95f8
SHA1 3e07a732ec91f5728dd1158a50a05f581690eb63
SHA256 82ac332cc32d55648876eb995bb8d9e54562480c074a663bd789c74db1b9878d
SHA512 e2acec710d7655f36c63367c5fb888ce4c7d493bc6403c6cc6b7839a953b314a25ac93e54bdfcbdba79588379598b62890a6a0d7607e6f9491f9730725cf80af