Malware Analysis Report

2025-03-15 07:24

Sample ID 241111-1h36fawmft
Target de186acb16395ab13e5667112e5339c74c12429b458acee74acbcd0afd198e95
SHA256 de186acb16395ab13e5667112e5339c74c12429b458acee74acbcd0afd198e95
Tags
macro xlm discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de186acb16395ab13e5667112e5339c74c12429b458acee74acbcd0afd198e95

Threat Level: Known bad

The file de186acb16395ab13e5667112e5339c74c12429b458acee74acbcd0afd198e95 was found to be: Known bad.

Malicious Activity Summary

macro xlm discovery

Process spawned unexpected child process

Suspicious Office macro

System Location Discovery: System Language Discovery

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 21:39

Signatures

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 21:39

Reported

2024-11-11 21:42

Platform

win7-20240903-en

Max time kernel

137s

Max time network

140s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\de186acb16395ab13e5667112e5339c74c12429b458acee74acbcd0afd198e95.xlsm

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWow64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWow64\regsvr32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\de186acb16395ab13e5667112e5339c74c12429b458acee74acbcd0afd198e95.xlsm

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe -s ..\roil.ocx

Network

Country Destination Domain Proto
US 8.8.8.8:53 landingpageis.com udp
US 103.224.212.212:443 landingpageis.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 ww25.landingpageis.com udp
US 199.59.243.227:80 ww25.landingpageis.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp

Files

memory/3044-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/3044-1-0x0000000071EAD000-0x0000000071EB8000-memory.dmp

C:\Users\Admin\roil.ocx

MD5 4ba662b867ded919a3f4f1ab5df23762
SHA1 eba66e5236dde7581568ea24ff78202c09c67173
SHA256 b10a76c7908dde4d171cbb920b5f339747c07cbb7d03d8b4385eb08b68759cef
SHA512 669a8dd735a99f2ae2240817c2497a6b812e19f3e0ff69b1f12d0f43562512fcb0bcf3d6dbaf1e3a39095afa7fef1d0a2d8126a13061b87b46fb7186b63613da

memory/3044-22-0x0000000071EAD000-0x0000000071EB8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 21:39

Reported

2024-11-11 21:42

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\de186acb16395ab13e5667112e5339c74c12429b458acee74acbcd0afd198e95.xlsm"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWow64\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWow64\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\de186acb16395ab13e5667112e5339c74c12429b458acee74acbcd0afd198e95.xlsm"

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe -s ..\roil.ocx

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 landingpageis.com udp
US 103.224.212.212:443 landingpageis.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 212.212.224.103.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 75.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 ww25.landingpageis.com udp
US 199.59.243.227:80 ww25.landingpageis.com tcp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 227.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

memory/1652-3-0x00007FFDAD3ED000-0x00007FFDAD3EE000-memory.dmp

memory/1652-4-0x00007FFD6D3D0000-0x00007FFD6D3E0000-memory.dmp

memory/1652-2-0x00007FFD6D3D0000-0x00007FFD6D3E0000-memory.dmp

memory/1652-1-0x00007FFD6D3D0000-0x00007FFD6D3E0000-memory.dmp

memory/1652-0-0x00007FFD6D3D0000-0x00007FFD6D3E0000-memory.dmp

memory/1652-6-0x00007FFD6D3D0000-0x00007FFD6D3E0000-memory.dmp

memory/1652-5-0x00007FFDAD350000-0x00007FFDAD545000-memory.dmp

memory/1652-7-0x00007FFDAD350000-0x00007FFDAD545000-memory.dmp

memory/1652-8-0x00007FFDAD350000-0x00007FFDAD545000-memory.dmp

memory/1652-9-0x00007FFD6AB80000-0x00007FFD6AB90000-memory.dmp

memory/1652-10-0x00007FFDAD350000-0x00007FFDAD545000-memory.dmp

memory/1652-12-0x00007FFDAD350000-0x00007FFDAD545000-memory.dmp

memory/1652-13-0x00007FFDAD350000-0x00007FFDAD545000-memory.dmp

memory/1652-11-0x00007FFDAD350000-0x00007FFDAD545000-memory.dmp

memory/1652-14-0x00007FFD6AB80000-0x00007FFD6AB90000-memory.dmp

memory/1652-15-0x00007FFDAD350000-0x00007FFDAD545000-memory.dmp

memory/1652-16-0x00007FFDAD350000-0x00007FFDAD545000-memory.dmp

C:\Users\Admin\roil.ocx

MD5 d46d1d058b8afb9fbd69a541b6d5b227
SHA1 b61f6862ec275ee4ea22cc02b7f7b60a0982d729
SHA256 a2b38b1926151e8bd682386541704821ee48279eac2a7e30ec73e1ae958748d5
SHA512 e804e12c99d568c727a4aa42e040c5345241c2e3fbd42698210adea6f88621ad981f8f9501e835f2c95445f06fed16e554c320ea9d9ec5d83db4f96aa299fb65

memory/1652-40-0x00007FFDAD350000-0x00007FFDAD545000-memory.dmp