Analysis Overview
SHA256
d6a32b4c3a38decfc3e3e7f8a11035ae4c518a904fc6b39486d6c7bba335e19e
Threat Level: Known bad
The file d6a32b4c3a38decfc3e3e7f8a11035ae4c518a904fc6b39486d6c7bba335e19e was found to be: Known bad.
Malicious Activity Summary
Suspicious Office macro
System Location Discovery: System Language Discovery
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 21:34
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 21:34
Reported
2024-11-11 21:36
Platform
win7-20240903-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d6a32b4c3a38decfc3e3e7f8a11035ae4c518a904fc6b39486d6c7bba335e19e.xlsm
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | realitevirtuelleguadeloupe.com | udp |
| FR | 51.91.236.193:443 | realitevirtuelleguadeloupe.com | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.23.210.75:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | nuugebeya.com | udp |
| US | 8.8.8.8:53 | larassatistore.com | udp |
| US | 8.8.8.8:53 | bimbeladzkia.com | udp |
| GB | 185.77.97.98:443 | bimbeladzkia.com | tcp |
| GB | 185.77.97.98:443 | bimbeladzkia.com | tcp |
| GB | 185.77.97.98:443 | bimbeladzkia.com | tcp |
| US | 8.8.8.8:53 | vendedoramigo.com.br | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
Files
memory/2196-1-0x000000007227D000-0x0000000072288000-memory.dmp
memory/2196-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2196-19-0x000000007227D000-0x0000000072288000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 21:34
Reported
2024-11-11 21:36
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d6a32b4c3a38decfc3e3e7f8a11035ae4c518a904fc6b39486d6c7bba335e19e.xlsm"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | realitevirtuelleguadeloupe.com | udp |
| FR | 51.91.236.193:443 | realitevirtuelleguadeloupe.com | tcp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.236.91.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.23.210.75:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | nuugebeya.com | udp |
| US | 8.8.8.8:53 | larassatistore.com | udp |
| US | 8.8.8.8:53 | bimbeladzkia.com | udp |
| GB | 91.108.103.107:443 | bimbeladzkia.com | tcp |
| US | 8.8.8.8:53 | 69.194.219.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.103.108.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vendedoramigo.com.br | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/3324-0-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp
memory/3324-1-0x00007FFD961CD000-0x00007FFD961CE000-memory.dmp
memory/3324-3-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp
memory/3324-2-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp
memory/3324-4-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp
memory/3324-5-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp
memory/3324-6-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
memory/3324-9-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
memory/3324-8-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
memory/3324-13-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
memory/3324-12-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
memory/3324-14-0x00007FFD53FF0000-0x00007FFD54000000-memory.dmp
memory/3324-11-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
memory/3324-10-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
memory/3324-15-0x00007FFD53FF0000-0x00007FFD54000000-memory.dmp
memory/3324-16-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
memory/3324-20-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
memory/3324-19-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
memory/3324-18-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
memory/3324-17-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
memory/3324-7-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
memory/3324-37-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
memory/3324-38-0x00007FFD961CD000-0x00007FFD961CE000-memory.dmp
memory/3324-39-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
memory/3324-43-0x00007FFD96130000-0x00007FFD96325000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 59569e9ee510ab0fe5cfe84de92e0c4f |
| SHA1 | 532e0e6bcb39c4c47255a9c6abeb00d16c2cca15 |
| SHA256 | f2e2c9fb0cdcaed04cd39bd35bd15e6a75aa7a12b91c71b41973de74c1c48f61 |
| SHA512 | bb57b2425bb547c1404278574281b2af6afd81c2a7ae9ff5357c9b1ad7ffc0ad9bc2bd8a3888b02b7ad0d44b7b8b666cbe60ef66dd8bce73bc2e1c6e5ac6e7cb |