Analysis Overview
SHA256
7a90f137ac8cd1f79ecc01162d202fa1101b5e4ff929cf1900f5c1f71ffeb592
Threat Level: Known bad
The file 7a90f137ac8cd1f79ecc01162d202fa1101b5e4ff929cf1900f5c1f71ffeb592 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Suspicious Office macro
System Location Discovery: System Language Discovery
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 20:24
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 20:24
Reported
2024-11-11 20:26
Platform
win7-20240903-en
Max time kernel
136s
Max time network
139s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\regsvr32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2524 wrote to memory of 2284 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2524 wrote to memory of 2284 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2524 wrote to memory of 2284 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2524 wrote to memory of 2284 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2524 wrote to memory of 2284 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2524 wrote to memory of 2284 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2524 wrote to memory of 2284 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\7a90f137ac8cd1f79ecc01162d202fa1101b5e4ff929cf1900f5c1f71ffeb592.xlsm
C:\Windows\SysWow64\regsvr32.exe
C:\Windows\SysWow64\regsvr32.exe /s ..\cre.ocx
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | congresoapp2021.com | udp |
| US | 8.8.8.8:53 | forocavialpa.com | udp |
| US | 8.8.8.8:53 | s1.techopesolutions.com | udp |
| US | 8.8.8.8:53 | tournhatrang.asia | udp |
| US | 199.59.243.227:80 | tournhatrang.asia | tcp |
Files
memory/2524-1-0x000000007214D000-0x0000000072158000-memory.dmp
memory/2524-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
C:\Users\Admin\cre.ocx
| MD5 | bfb8c50a0eed80a4444608ead9bad604 |
| SHA1 | de0c12ec99d7a95a385e3dd234e458a9ee0bb6eb |
| SHA256 | e1d324a0510cd62ad86a414d207f21dd3479235fcb23daa9fbca2eebe299e54e |
| SHA512 | 4078800e489ba63d5447c0e84ac581a473d94330fc2d7b29313641e6076b99ad899bf50e3a306c733b7b947498df697e07e5057cc3cb34a9d8af725f9778190c |
memory/2524-8-0x000000007214D000-0x0000000072158000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 20:24
Reported
2024-11-11 20:26
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
139s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1672 wrote to memory of 2608 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 1672 wrote to memory of 2608 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 1672 wrote to memory of 2608 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7a90f137ac8cd1f79ecc01162d202fa1101b5e4ff929cf1900f5c1f71ffeb592.xlsm"
C:\Windows\SysWow64\regsvr32.exe
C:\Windows\SysWow64\regsvr32.exe /s ..\cre.ocx
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | congresoapp2021.com | udp |
| US | 8.8.8.8:53 | forocavialpa.com | udp |
| US | 8.8.8.8:53 | s1.techopesolutions.com | udp |
| US | 8.8.8.8:53 | tournhatrang.asia | udp |
| US | 199.59.243.227:80 | tournhatrang.asia | tcp |
| US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/1672-1-0x00007FFCBCC0D000-0x00007FFCBCC0E000-memory.dmp
memory/1672-0-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp
memory/1672-2-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp
memory/1672-4-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp
memory/1672-3-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp
memory/1672-5-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp
memory/1672-6-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp
memory/1672-8-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp
memory/1672-11-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp
memory/1672-12-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp
memory/1672-13-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp
memory/1672-14-0x00007FFC7A4F0000-0x00007FFC7A500000-memory.dmp
memory/1672-10-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp
memory/1672-9-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp
memory/1672-15-0x00007FFC7A4F0000-0x00007FFC7A500000-memory.dmp
memory/1672-7-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp
memory/1672-17-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp
memory/1672-16-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp
C:\Users\Admin\cre.ocx
| MD5 | 6ee496800141585f727b5857af3ee9bc |
| SHA1 | e50e744a6f6d604372e3fa7b44ec5f6091b74bb6 |
| SHA256 | 493f1ba5b22567c898a8b940f45e420d3d9b9a5ee4a53b7e2d5647ec3293ab55 |
| SHA512 | b1f47b8c555cce706189488e2c1a187bb9a89800a260370b31832a7366f802331e4805eb5cea428df60dfd6a92b19c9a8f52dc6bfb50db5bf24290e8ab4cbfd8 |
memory/1672-32-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp
memory/1672-33-0x00007FFCBCC0D000-0x00007FFCBCC0E000-memory.dmp
memory/1672-34-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 4fcd44a4d62a19111d0efdb8ec5a5777 |
| SHA1 | 52a75b8110086ff528069905077f5bcc8a6db198 |
| SHA256 | 8c56f8f01b5901a281b474f079ed78e07cca8f94b5fec8526054fb90cf3add0f |
| SHA512 | 6c696743c332dda04a79e54e818d30f41c7b6e536bc35d8d0af5520e28399f082f2522c0437b50b3b3c9853e5a05590294f99653722d9ab0faae56f3dbcb1280 |