Malware Analysis Report

2025-03-15 07:24

Sample ID: 241111-1azs2szpcm
Target: 87ec8b6572dcbffe635e0727af61a071b6f38a52a009f93c5b9b6016c77f1ec2
SHA256: 87ec8b6572dcbffe635e0727af61a071b6f38a52a009f93c5b9b6016c77f1ec2
Tags: macro xlm discovery
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 87ec8b6572dcbffe635e0727af61a071b6f38a52a009f93c5b9b6016c77f1ec2

Threat Level: Known bad

The file 87ec8b6572dcbffe635e0727af61a071b6f38a52a009f93c5b9b6016c77f1ec2 was found to be: Known bad.

Malicious Activity Summary

macro xlm discovery

Process spawned unexpected child process

Suspicious Office macro

System Location Discovery: System Language Discovery

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-11-11 21:27

Signatures

Suspicious Office macro

Tags: macro xlm
Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-11 21:27
Reported: 2024-11-11 21:30
Platform: win7-20240903-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\87ec8b6572dcbffe635e0727af61a071b6f38a52a009f93c5b9b6016c77f1ec2.xls

Signatures

Process spawned unexpected child process

Description: Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
Indicator: N/A
Process: C:\Windows\SysWow64\regsvr32.exe
Target: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Windows\SysWow64\regsvr32.exe
Target: N/A

Enumerates system info in registry

Description: Key opened
Indicator: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
Process: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Target: N/A

Suspicious behavior: AddClipboardFormatListener

Description: N/A
Indicator: N/A
Process: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Target: N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\87ec8b6572dcbffe635e0727af61a071b6f38a52a009f93c5b9b6016c77f1ec2.xls

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe -s ..\lnau.dll

Network


Files

memory/2396-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2396-1-0x0000000072CED000-0x0000000072CF8000-memory.dmp

C:\Users\Admin\lnau.dll

MD5 6fc3ffa704f60b13e573a7500bafa340
SHA1 59e4f640f6d5182405bba02609f61748c09186c3
SHA256 42419aa4985bfebd61be3c227cce2045ee89db918492e16266aac6597cd7bcaa
SHA512 fe0d57871cd27272e5e312fffc3fb8377797f19c3472caae2eb9ca91c2b65adbff8b99f1c7c253a37621417e4e43a3e4593c6a3f660d8085f58ac7b935bfe8d8

memory/2396-26-0x0000000072CED000-0x0000000072CF8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-11 21:27
Reported: 2024-11-11 21:30
Platform: win10v2004-20241007-en
Max time kernel: 133s
Max time network: 150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\87ec8b6572dcbffe635e0727af61a071b6f38a52a009f93c5b9b6016c77f1ec2.xls"

Signatures

Process spawned unexpected child process

Description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
Indicator: N/A
Process: C:\Windows\SysWow64\regsvr32.exe
Target: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Windows\SysWow64\regsvr32.exe
Target: N/A

Checks processor information in registry

Description: Key opened
Indicator: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Enumerates system info in registry

Description: Key opened
Indicator: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Suspicious behavior: AddClipboardFormatListener

Description: N/A
Indicator: N/A
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: N/A
Indicator: N/A
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\87ec8b6572dcbffe635e0727af61a071b6f38a52a009f93c5b9b6016c77f1ec2.xls"

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe -s ..\lnau.dll

Network


Files

C:\Users\Admin\lnau.dll

MD5 6bc8a28d166f55a88509b0ae07a019fc
SHA1 9f565474e4ac1269eeb796874ad4e644d4a6d0fa
SHA256 78f353e278bc0e5aa860301e4566645aabf58bc9db5f14020d6e4f87af4a3eb8
SHA512 23661130130959bd8b3134b01bc70f2a3de71eb69ab1f7c109045eddec510a60af7278c878f8e51dd5e740da8357a558a66efd57719b3f137f88c2c83a04e6c7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 a9999af2f5ce86d7a7caf4d36dc4ace6
SHA1 10192e1fe87e1993d766ff6903b1a87b8d72d797
SHA256 e64c1ca6b48b1254dd6e8937a8ef7927c97f8359b46dc3dabb31610787335980
SHA512 8ec5953bb9d9652b04f61ba347ebfbc0db19a11772f8b50410166118d238a8b36e3a2badefa18acae3312597a9432f32f036443b0ea19ec6dbc1d6861b407b6d