Analysis Overview
SHA256
8c57ba9959766f78ec198da3596ad57c8e701d4b2939607e2a50b48716dd0656
Threat Level: Known bad
The file 8c57ba9959766f78ec198da3596ad57c8e701d4b2939607e2a50b48716dd0656 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Suspicious Office macro
System Location Discovery: System Language Discovery
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 16:52
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 16:52
Reported
2024-11-11 16:54
Platform
win7-20241010-en
Max time kernel
61s
Max time network
129s
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8c57ba9959766f78ec198da3596ad57c8e701d4b2939607e2a50b48716dd0656.xlsm
Network
Files
memory/1680-1-0x0000000071DBD000-0x0000000071DC8000-memory.dmp
memory/1680-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1680-4-0x0000000071DBD000-0x0000000071DC8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 16:52
Reported
2024-11-11 16:55
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 852 wrote to memory of 4160 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8c57ba9959766f78ec198da3596ad57c8e701d4b2939607e2a50b48716dd0656.xlsm"
C:\Windows\SysWow64\regsvr32.exe
C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll
Network
Files
C:\Users\Admin\rfs.dll
| MD5 | 1a8978d9d37041fe0089728cd6c23233 |
| SHA1 | f0485019f25ee50bb77f23081a8964e28e56cfb2 |
| SHA256 | 87a97454942b85b5afc9cb9733bb7ce96cdf3422f6bfc95823f8edf6b2e2c607 |
| SHA512 | 9ea43ede1eab73d3ac65bc3e9c13836c51d768daf5e300a0f57a26c0ca9cb2655455e5731664a92c969520dc05f7c71292d6a947405e06c2b1f88a399cd8d42b |
memory/852-39-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp
memory/852-40-0x00007FF86554D000-0x00007FF86554E000-memory.dmp
memory/852-41-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 10823be806b3a78d6eba077eedeb693c |
| SHA1 | cd620726b716093d28fa443d8c11f974378aa3fe |
| SHA256 | 0ccc92c56dc23c538d69da3bf83e3f2d9e44567e522aa7e633dbea1e19116d10 |
| SHA512 | f71e5e9e8876f702610b55ec87d9655a63c1f04618853ec1c7010700695a6c799f973d4e06464ba522928de28325f352d643b942c86c0086101ed4b51f74ff1b |