Malware Analysis Report

2025-01-22 16:09

Sample ID 241111-vdepds1kcw
Target 8c57ba9959766f78ec198da3596ad57c8e701d4b2939607e2a50b48716dd0656
SHA256 8c57ba9959766f78ec198da3596ad57c8e701d4b2939607e2a50b48716dd0656
Tags
macro xlm discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c57ba9959766f78ec198da3596ad57c8e701d4b2939607e2a50b48716dd0656

Threat Level: Known bad

The file 8c57ba9959766f78ec198da3596ad57c8e701d4b2939607e2a50b48716dd0656 was found to be: Known bad.

Malicious Activity Summary

macro xlm discovery

Process spawned unexpected child process

Suspicious Office macro

System Location Discovery: System Language Discovery

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 16:52

Signatures

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 16:52

Reported

2024-11-11 16:54

Platform

win7-20241010-en

Max time kernel

61s

Max time network

129s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8c57ba9959766f78ec198da3596ad57c8e701d4b2939607e2a50b48716dd0656.xlsm

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8c57ba9959766f78ec198da3596ad57c8e701d4b2939607e2a50b48716dd0656.xlsm

Network

Country Destination Domain Proto
US 8.8.8.8:53 astroadvicebaba.com udp
US 8.8.8.8:53 physioacademy.co.uk udp
FR 92.205.239.100:443 physioacademy.co.uk tcp
FR 92.205.239.100:443 physioacademy.co.uk tcp
FR 92.205.239.100:443 physioacademy.co.uk tcp
FR 92.205.239.100:443 physioacademy.co.uk tcp
US 8.8.8.8:53 orchidbg.com udp
US 192.254.225.105:80 orchidbg.com tcp
US 8.8.8.8:53 westthamesphysio.com udp
FR 92.205.239.100:443 westthamesphysio.com tcp
FR 92.205.239.100:443 westthamesphysio.com tcp
FR 92.205.239.100:443 westthamesphysio.com tcp
FR 92.205.239.100:443 westthamesphysio.com tcp
US 8.8.8.8:53 snappylookphotobooth.com udp
US 192.124.249.17:80 snappylookphotobooth.com tcp
SG 194.59.165.91:80 194.59.165.91 tcp
US 8.8.8.8:53 casadorothea.com udp

Files

memory/1680-1-0x0000000071DBD000-0x0000000071DC8000-memory.dmp

memory/1680-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1680-4-0x0000000071DBD000-0x0000000071DC8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 16:52

Reported

2024-11-11 16:55

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8c57ba9959766f78ec198da3596ad57c8e701d4b2939607e2a50b48716dd0656.xlsm"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWow64\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWow64\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8c57ba9959766f78ec198da3596ad57c8e701d4b2939607e2a50b48716dd0656.xlsm"

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 astroadvicebaba.com udp
US 8.8.8.8:53 physioacademy.co.uk udp
FR 92.205.239.100:443 physioacademy.co.uk tcp
US 8.8.8.8:53 orchidbg.com udp
US 192.254.225.105:80 orchidbg.com tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 100.239.205.92.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 westthamesphysio.com udp
FR 92.205.239.100:443 westthamesphysio.com tcp
US 8.8.8.8:53 105.225.254.192.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/852-0-0x00007FF825530000-0x00007FF825540000-memory.dmp

memory/852-1-0x00007FF86554D000-0x00007FF86554E000-memory.dmp

memory/852-3-0x00007FF825530000-0x00007FF825540000-memory.dmp

memory/852-2-0x00007FF825530000-0x00007FF825540000-memory.dmp

memory/852-5-0x00007FF825530000-0x00007FF825540000-memory.dmp

memory/852-4-0x00007FF825530000-0x00007FF825540000-memory.dmp

memory/852-9-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/852-8-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/852-7-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/852-6-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/852-12-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/852-11-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/852-10-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/852-13-0x00007FF8234D0000-0x00007FF8234E0000-memory.dmp

memory/852-14-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/852-15-0x00007FF8234D0000-0x00007FF8234E0000-memory.dmp

memory/852-16-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/852-18-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/852-19-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/852-17-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/852-21-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/852-20-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

C:\Users\Admin\rfs.dll

MD5 1a8978d9d37041fe0089728cd6c23233
SHA1 f0485019f25ee50bb77f23081a8964e28e56cfb2
SHA256 87a97454942b85b5afc9cb9733bb7ce96cdf3422f6bfc95823f8edf6b2e2c607
SHA512 9ea43ede1eab73d3ac65bc3e9c13836c51d768daf5e300a0f57a26c0ca9cb2655455e5731664a92c969520dc05f7c71292d6a947405e06c2b1f88a399cd8d42b

memory/852-39-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

memory/852-40-0x00007FF86554D000-0x00007FF86554E000-memory.dmp

memory/852-41-0x00007FF8654B0000-0x00007FF8656A5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 10823be806b3a78d6eba077eedeb693c
SHA1 cd620726b716093d28fa443d8c11f974378aa3fe
SHA256 0ccc92c56dc23c538d69da3bf83e3f2d9e44567e522aa7e633dbea1e19116d10
SHA512 f71e5e9e8876f702610b55ec87d9655a63c1f04618853ec1c7010700695a6c799f973d4e06464ba522928de28325f352d643b942c86c0086101ed4b51f74ff1b