Analysis Overview
SHA256
07a98089398de2fc53be1f29d53ed801744860517f346cc8662ee95480576153
Threat Level: Known bad
The file 07a98089398de2fc53be1f29d53ed801744860517f346cc8662ee95480576153 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Suspicious Office macro
System Location Discovery: System Language Discovery
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 16:35
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 16:35
Reported
2024-11-11 16:38
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\07a98089398de2fc53be1f29d53ed801744860517f346cc8662ee95480576153.xls
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui1.ocx
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui2.ocx
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui3.ocx
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui4.ocx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | beeslandkerman.ir | udp |
| US | 8.8.8.8:53 | cerdi.com | udp |
| DK | 46.30.215.80:80 | cerdi.com | tcp |
| US | 8.8.8.8:53 | www.chasingmavericks.co.ke | udp |
| DE | 88.198.22.18:443 | www.chasingmavericks.co.ke | tcp |
| DE | 88.198.22.18:443 | www.chasingmavericks.co.ke | tcp |
| DE | 88.198.22.18:443 | www.chasingmavericks.co.ke | tcp |
| DE | 88.198.22.18:443 | www.chasingmavericks.co.ke | tcp |
| US | 8.8.8.8:53 | bsbmakina.com.tr | udp |
Files
memory/876-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/876-1-0x00000000723FD000-0x0000000072408000-memory.dmp
memory/876-2-0x00000000723FD000-0x0000000072408000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 16:35
Reported
2024-11-11 16:38
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
149s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\07a98089398de2fc53be1f29d53ed801744860517f346cc8662ee95480576153.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui1.ocx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui2.ocx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui3.ocx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui4.ocx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beeslandkerman.ir | udp |
| US | 8.8.8.8:53 | cerdi.com | udp |
| DK | 46.30.215.80:80 | cerdi.com | tcp |
| US | 8.8.8.8:53 | www.chasingmavericks.co.ke | udp |
| DE | 88.198.22.18:443 | www.chasingmavericks.co.ke | tcp |
| US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.215.30.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.22.198.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chasingmavericks.co.ke | udp |
| DE | 88.198.22.18:443 | chasingmavericks.co.ke | tcp |
| US | 8.8.8.8:53 | bsbmakina.com.tr | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/1708-1-0x00007FFED88AD000-0x00007FFED88AE000-memory.dmp
memory/1708-2-0x00007FFE98890000-0x00007FFE988A0000-memory.dmp
memory/1708-3-0x00007FFE98890000-0x00007FFE988A0000-memory.dmp
memory/1708-0-0x00007FFE98890000-0x00007FFE988A0000-memory.dmp
memory/1708-4-0x00007FFE98890000-0x00007FFE988A0000-memory.dmp
memory/1708-10-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp
memory/1708-9-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp
memory/1708-8-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp
memory/1708-7-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp
memory/1708-6-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp
memory/1708-5-0x00007FFE98890000-0x00007FFE988A0000-memory.dmp
memory/1708-12-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp
memory/1708-11-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp
memory/1708-13-0x00007FFE96650000-0x00007FFE96660000-memory.dmp
memory/1708-14-0x00007FFE96650000-0x00007FFE96660000-memory.dmp
memory/1708-27-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp
memory/1708-28-0x00007FFED88AD000-0x00007FFED88AE000-memory.dmp
memory/1708-29-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp
memory/1708-30-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 78b9164c5486e09b81b8433066991849 |
| SHA1 | 24a43e1b67515ed0e5e30e4fab5f6c9806c4c90e |
| SHA256 | b86222e2b725a5ebaf8bf0a394d1df4bf2b494318a9e8aa7d3e380dc970fb6b6 |
| SHA512 | 5c07add6e36671b4ecfc693a039dba47230460e9a81f1da9cd0cd0b41f2a20bec0a49d73bd788bc132e2ab8e224b493aa8ec7abe9107e50c48373c0a344ff709 |