Malware Analysis Report

2025-01-22 16:07

Sample ID 241111-vj7blasbmp
Target a432b0bc1fd4f1db68bbece4041a0ad68535a736564d1b5801406d0f58424fec
SHA256 a432b0bc1fd4f1db68bbece4041a0ad68535a736564d1b5801406d0f58424fec
Tags
macro xlm discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a432b0bc1fd4f1db68bbece4041a0ad68535a736564d1b5801406d0f58424fec

Threat Level: Known bad

The file a432b0bc1fd4f1db68bbece4041a0ad68535a736564d1b5801406d0f58424fec was found to be: Known bad.

Malicious Activity Summary

macro xlm discovery

Suspicious Office macro

System Location Discovery: System Language Discovery

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 17:02

Signatures

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 17:02

Reported

2024-11-11 17:04

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a432b0bc1fd4f1db68bbece4041a0ad68535a736564d1b5801406d0f58424fec.xlsm

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a432b0bc1fd4f1db68bbece4041a0ad68535a736564d1b5801406d0f58424fec.xlsm

Network

Country Destination Domain Proto
US 8.8.8.8:53 queaventurasathya.com udp
US 8.8.8.8:53 escuelageneraljosedesanmartin.com udp
US 8.8.8.8:53 indianbusinessclub.org udp
US 8.8.8.8:53 cartelac.pt udp
PT 185.32.190.5:443 cartelac.pt tcp
PT 185.32.190.5:443 cartelac.pt tcp
PT 185.32.190.5:443 cartelac.pt tcp
PT 185.32.190.5:443 cartelac.pt tcp
US 8.8.8.8:53 axial-ing.fr udp
FR 109.234.166.137:443 axial-ing.fr tcp
US 8.8.8.8:53 luape.es udp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp

Files

memory/1832-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1832-1-0x0000000071D6D000-0x0000000071D78000-memory.dmp

memory/1832-14-0x0000000071D6D000-0x0000000071D78000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 17:02

Reported

2024-11-11 17:04

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a432b0bc1fd4f1db68bbece4041a0ad68535a736564d1b5801406d0f58424fec.xlsm"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a432b0bc1fd4f1db68bbece4041a0ad68535a736564d1b5801406d0f58424fec.xlsm"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 queaventurasathya.com udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 escuelageneraljosedesanmartin.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 indianbusinessclub.org udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 cartelac.pt udp
PT 185.32.190.5:443 cartelac.pt tcp
US 8.8.8.8:53 r11.o.lencr.org udp
US 8.8.8.8:53 5.190.32.185.in-addr.arpa udp
US 8.8.8.8:53 69.194.219.23.in-addr.arpa udp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 8.8.8.8:53 82.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 axial-ing.fr udp
FR 109.234.166.137:443 axial-ing.fr tcp
US 8.8.8.8:53 luape.es udp
US 8.8.8.8:53 137.166.234.109.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 6a69336456449c1b418ea9b573604d1a
SHA1 8a7d86c75ece1d8d8fd94f192c6b52b42ec1cf00
SHA256 50e6262534ffb645f524478c7d0d8ac00d5d1229d62a554bf9b5ecc0d88f80fb
SHA512 d9996d96ea9239fcbe7fb109b138968aff71d66d77d72bfad2cc6204032f4add8a3a6f67776a0577a8ffae7bfa2d7bac1cfe851d8bf65f381032b9bc8159e332