Malware Analysis Report

2025-03-15 07:24

Sample ID 241111-1ex51sxbrp
Target d6a32b4c3a38decfc3e3e7f8a11035ae4c518a904fc6b39486d6c7bba335e19e
SHA256 d6a32b4c3a38decfc3e3e7f8a11035ae4c518a904fc6b39486d6c7bba335e19e
Tags
macro xlm discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d6a32b4c3a38decfc3e3e7f8a11035ae4c518a904fc6b39486d6c7bba335e19e

Threat Level: Known bad

The file d6a32b4c3a38decfc3e3e7f8a11035ae4c518a904fc6b39486d6c7bba335e19e was found to be: Known bad.

Malicious Activity Summary

macro xlm discovery

Suspicious Office macro

System Location Discovery: System Language Discovery

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 21:34

Signatures

Suspicious Office macro

macro xlm
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 21:34

Reported

2024-11-11 21:36

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d6a32b4c3a38decfc3e3e7f8a11035ae4c518a904fc6b39486d6c7bba335e19e.xlsm

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d6a32b4c3a38decfc3e3e7f8a11035ae4c518a904fc6b39486d6c7bba335e19e.xlsm

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | realitevirtuelleguadeloupe.com | udp
FR | 51.91.236.193:443 | realitevirtuelleguadeloupe.com | tcp
US | 8.8.8.8:53 | r10.o.lencr.org | udp
GB | 2.23.210.75:80 | r10.o.lencr.org | tcp
US | 8.8.8.8:53 | nuugebeya.com | udp
US | 8.8.8.8:53 | larassatistore.com | udp
US | 8.8.8.8:53 | bimbeladzkia.com | udp
GB | 185.77.97.98:443 | bimbeladzkia.com | tcp
GB | 185.77.97.98:443 | bimbeladzkia.com | tcp
GB | 185.77.97.98:443 | bimbeladzkia.com | tcp
US | 8.8.8.8:53 | vendedoramigo.com.br | udp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 2.19.117.18:80 | crl.microsoft.com | tcp

Files

memory/2196-1-0x000000007227D000-0x0000000072288000-memory.dmp

memory/2196-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2196-19-0x000000007227D000-0x0000000072288000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 21:34

Reported

2024-11-11 21:36

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d6a32b4c3a38decfc3e3e7f8a11035ae4c518a904fc6b39486d6c7bba335e19e.xlsm"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d6a32b4c3a38decfc3e3e7f8a11035ae4c518a904fc6b39486d6c7bba335e19e.xlsm"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | realitevirtuelleguadeloupe.com | udp
FR | 51.91.236.193:443 | realitevirtuelleguadeloupe.com | tcp
US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 193.236.91.51.in-addr.arpa | udp
US | 8.8.8.8:53 | r10.o.lencr.org | udp
GB | 2.23.210.75:80 | r10.o.lencr.org | tcp
US | 8.8.8.8:53 | nuugebeya.com | udp
US | 8.8.8.8:53 | larassatistore.com | udp
US | 8.8.8.8:53 | bimbeladzkia.com | udp
GB | 91.108.103.107:443 | bimbeladzkia.com | tcp
US | 8.8.8.8:53 | 69.194.219.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.103.108.91.in-addr.arpa | udp
US | 8.8.8.8:53 | vendedoramigo.com.br | udp
US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/3324-0-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp

memory/3324-1-0x00007FFD961CD000-0x00007FFD961CE000-memory.dmp

memory/3324-3-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp

memory/3324-2-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp

memory/3324-4-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp

memory/3324-5-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp

memory/3324-6-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/3324-9-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/3324-8-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/3324-13-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/3324-12-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/3324-14-0x00007FFD53FF0000-0x00007FFD54000000-memory.dmp

memory/3324-11-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/3324-10-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/3324-15-0x00007FFD53FF0000-0x00007FFD54000000-memory.dmp

memory/3324-16-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/3324-20-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/3324-19-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/3324-18-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/3324-17-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/3324-7-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/3324-37-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/3324-38-0x00007FFD961CD000-0x00007FFD961CE000-memory.dmp

memory/3324-39-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

memory/3324-43-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 59569e9ee510ab0fe5cfe84de92e0c4f
SHA1 532e0e6bcb39c4c47255a9c6abeb00d16c2cca15
SHA256 f2e2c9fb0cdcaed04cd39bd35bd15e6a75aa7a12b91c71b41973de74c1c48f61
SHA512 bb57b2425bb547c1404278574281b2af6afd81c2a7ae9ff5357c9b1ad7ffc0ad9bc2bd8a3888b02b7ad0d44b7b8b666cbe60ef66dd8bce73bc2e1c6e5ac6e7cb