Analysis Overview
SHA256
87ec8b6572dcbffe635e0727af61a071b6f38a52a009f93c5b9b6016c77f1ec2
Threat Level: Known bad
The file 87ec8b6572dcbffe635e0727af61a071b6f38a52a009f93c5b9b6016c77f1ec2 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Suspicious Office macro
System Location Discovery: System Language Discovery
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 21:27
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 21:27
Reported
2024-11-11 21:30
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\regsvr32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2396 wrote to memory of 2872 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2396 wrote to memory of 2872 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2396 wrote to memory of 2872 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2396 wrote to memory of 2872 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2396 wrote to memory of 2872 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2396 wrote to memory of 2872 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2396 wrote to memory of 2872 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\87ec8b6572dcbffe635e0727af61a071b6f38a52a009f93c5b9b6016c77f1ec2.xls
C:\Windows\SysWow64\regsvr32.exe
C:\Windows\SysWow64\regsvr32.exe -s ..\lnau.dll
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.certika-bolivia.com | udp |
| US | 69.167.186.185:443 | www.certika-bolivia.com | tcp |
| US | 69.167.186.185:443 | www.certika-bolivia.com | tcp |
| US | 69.167.186.185:443 | www.certika-bolivia.com | tcp |
| US | 69.167.186.185:443 | www.certika-bolivia.com | tcp |
| US | 8.8.8.8:53 | www.cfoodsnepal.com | udp |
| US | 8.8.8.8:53 | www.cgaei.com | udp |
| US | 67.225.147.209:443 | www.cgaei.com | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | www.chotdonhang.com | udp |
| US | 104.21.32.193:443 | www.chotdonhang.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | chotdonhang.com | udp |
| US | 172.67.154.110:443 | chotdonhang.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
Files
memory/2396-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2396-1-0x0000000072CED000-0x0000000072CF8000-memory.dmp
C:\Users\Admin\lnau.dll
| MD5 | 6fc3ffa704f60b13e573a7500bafa340 |
| SHA1 | 59e4f640f6d5182405bba02609f61748c09186c3 |
| SHA256 | 42419aa4985bfebd61be3c227cce2045ee89db918492e16266aac6597cd7bcaa |
| SHA512 | fe0d57871cd27272e5e312fffc3fb8377797f19c3472caae2eb9ca91c2b65adbff8b99f1c7c253a37621417e4e43a3e4593c6a3f660d8085f58ac7b935bfe8d8 |
memory/2396-26-0x0000000072CED000-0x0000000072CF8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 21:27
Reported
2024-11-11 21:30
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
150s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2572 wrote to memory of 4768 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2572 wrote to memory of 4768 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2572 wrote to memory of 4768 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\87ec8b6572dcbffe635e0727af61a071b6f38a52a009f93c5b9b6016c77f1ec2.xls"
C:\Windows\SysWow64\regsvr32.exe
C:\Windows\SysWow64\regsvr32.exe -s ..\lnau.dll
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | www.certika-bolivia.com | udp |
| US | 69.167.186.185:443 | www.certika-bolivia.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.75:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.186.167.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | certika-bolivia.com | udp |
| US | 69.167.186.185:443 | certika-bolivia.com | tcp |
| US | 8.8.8.8:53 | www.cfoodsnepal.com | udp |
| US | 8.8.8.8:53 | www.cgaei.com | udp |
| US | 67.225.147.209:443 | www.cgaei.com | tcp |
| US | 8.8.8.8:53 | www.chotdonhang.com | udp |
| US | 104.21.32.193:443 | www.chotdonhang.com | tcp |
| US | 8.8.8.8:53 | 209.147.225.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.32.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chotdonhang.com | udp |
| US | 172.67.154.110:443 | chotdonhang.com | tcp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.154.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\lnau.dll
| MD5 | 6bc8a28d166f55a88509b0ae07a019fc |
| SHA1 | 9f565474e4ac1269eeb796874ad4e644d4a6d0fa |
| SHA256 | 78f353e278bc0e5aa860301e4566645aabf58bc9db5f14020d6e4f87af4a3eb8 |
| SHA512 | 23661130130959bd8b3134b01bc70f2a3de71eb69ab1f7c109045eddec510a60af7278c878f8e51dd5e740da8357a558a66efd57719b3f137f88c2c83a04e6c7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | a9999af2f5ce86d7a7caf4d36dc4ace6 |
| SHA1 | 10192e1fe87e1993d766ff6903b1a87b8d72d797 |
| SHA256 | e64c1ca6b48b1254dd6e8937a8ef7927c97f8359b46dc3dabb31610787335980 |
| SHA512 | 8ec5953bb9d9652b04f61ba347ebfbc0db19a11772f8b50410166118d238a8b36e3a2badefa18acae3312597a9432f32f036443b0ea19ec6dbc1d6861b407b6d |