Analysis Overview
SHA256
de186acb16395ab13e5667112e5339c74c12429b458acee74acbcd0afd198e95
Threat Level: Known bad
The file de186acb16395ab13e5667112e5339c74c12429b458acee74acbcd0afd198e95 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Suspicious Office macro
System Location Discovery: System Language Discovery
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 21:39
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 21:39
Reported
2024-11-11 21:42
Platform
win7-20240903-en
Max time kernel
137s
Max time network
140s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\regsvr32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3044 wrote to memory of 2320 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\de186acb16395ab13e5667112e5339c74c12429b458acee74acbcd0afd198e95.xlsm
C:\Windows\SysWow64\regsvr32.exe
C:\Windows\SysWow64\regsvr32.exe -s ..\roil.ocx
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | landingpageis.com | udp |
| US | 103.224.212.212:443 | landingpageis.com | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.75:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | ww25.landingpageis.com | udp |
| US | 199.59.243.227:80 | ww25.landingpageis.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
Files
C:\Users\Admin\roil.ocx
| Hash | Value |
| --- | --- |
| MD5 | 4ba662b867ded919a3f4f1ab5df23762 |
| SHA1 | eba66e5236dde7581568ea24ff78202c09c67173 |
| SHA256 | b10a76c7908dde4d171cbb920b5f339747c07cbb7d03d8b4385eb08b68759cef |
| SHA512 | 669a8dd735a99f2ae2240817c2497a6b812e19f3e0ff69b1f12d0f43562512fcb0bcf3d6dbaf1e3a39095afa7fef1d0a2d8126a13061b87b46fb7186b63613da |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 21:39
Reported
2024-11-11 21:42
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1652 wrote to memory of 3888 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\de186acb16395ab13e5667112e5339c74c12429b458acee74acbcd0afd198e95.xlsm"
C:\Windows\SysWow64\regsvr32.exe
C:\Windows\SysWow64\regsvr32.exe -s ..\roil.ocx
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | landingpageis.com | udp |
| US | 103.224.212.212:443 | landingpageis.com | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.75:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 212.212.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww25.landingpageis.com | udp |
| US | 199.59.243.227:80 | ww25.landingpageis.com | tcp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\roil.ocx
| Hash | Value |
| --- | --- |
| MD5 | d46d1d058b8afb9fbd69a541b6d5b227 |
| SHA1 | b61f6862ec275ee4ea22cc02b7f7b60a0982d729 |
| SHA256 | a2b38b1926151e8bd682386541704821ee48279eac2a7e30ec73e1ae958748d5 |
| SHA512 | e804e12c99d568c727a4aa42e040c5345241c2e3fbd42698210adea6f88621ad981f8f9501e835f2c95445f06fed16e554c320ea9d9ec5d83db4f96aa299fb65 |