Malware Analysis Report

2025-03-15 07:25

Sample ID 241111-y6rq7swalk
Target 7a90f137ac8cd1f79ecc01162d202fa1101b5e4ff929cf1900f5c1f71ffeb592
SHA256 7a90f137ac8cd1f79ecc01162d202fa1101b5e4ff929cf1900f5c1f71ffeb592
Tags
macro xlm discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7a90f137ac8cd1f79ecc01162d202fa1101b5e4ff929cf1900f5c1f71ffeb592

Threat Level: Known bad

The file 7a90f137ac8cd1f79ecc01162d202fa1101b5e4ff929cf1900f5c1f71ffeb592 was found to be: Known bad.

Malicious Activity Summary

macro xlm discovery

Process spawned unexpected child process

Suspicious Office macro

System Location Discovery: System Language Discovery

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 20:24

Signatures

Suspicious Office macro

macro xlm
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
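The static1 pass flags the workbook only as "macro xlm" (an Excel 4.0 macro sheet) without listing what it found. The following is an added triage script, not part of this report or of the sandbox, that performs the three checks behind that tag on an OOXML .xlsm: a macrosheet part under xl/macrosheets/, a hidden or veryHidden sheet declared in xl/workbook.xml, and formula cells that call code-executing XLM functions (EXEC, CALL, REGISTER and the like). The workbook it inspects is constructed in memory for the demonstration and is not the sample; its EXEC formula merely mirrors the regsvr32 command the sandbox later observed. Pass triage_xlsm() a file path to run it on a real sample.

```python
"""Static triage of an OOXML (.xlsm) workbook for Excel 4.0 (XLM) macro sheets.

Added example, not part of the sandbox report. Only the standard library is used.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# XLM functions that launch code, touch the filesystem or fingerprint the host.
SUSPICIOUS_XLM = {"EXEC", "CALL", "REGISTER", "FORMULA", "FOPEN", "FWRITE", "RUN", "GET.WORKSPACE"}
FUNC_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\s*\(")


def _local(tag):
    """Strip an XML namespace: '{ns}f' -> 'f'."""
    return tag.rsplit("}", 1)[-1]


def triage_xlsm(path_or_file):
    """Return XLM indicators found in an OOXML zip (path or file-like object)."""
    result = {"macrosheets": [], "hidden_sheets": [], "formulas": [], "suspicious_calls": set()}
    with zipfile.ZipFile(path_or_file) as z:
        names = z.namelist()
        # 1. Macro sheet parts live under xl/macrosheets/.
        result["macrosheets"] = [n for n in names if n.startswith("xl/macrosheets/") and n.endswith(".xml")]
        # 2. hidden / veryHidden sheets are declared on <sheet state="..."> in xl/workbook.xml.
        if "xl/workbook.xml" in names:
            for el in ET.fromstring(z.read("xl/workbook.xml")).iter():
                if _local(el.tag) == "sheet" and el.get("state") in ("hidden", "veryHidden"):
                    result["hidden_sheets"].append((el.get("name"), el.get("state")))
        # 3. Every <f> element on a macrosheet is a formula cell; collect the XLM functions it calls.
        for part in result["macrosheets"]:
            for el in ET.fromstring(z.read(part)).iter():
                if _local(el.tag) == "f" and el.text:
                    result["formulas"].append(el.text)
                    for fn in FUNC_RE.findall(el.text):
                        if fn in SUSPICIOUS_XLM:
                            result["suspicious_calls"].add(fn)
    result["suspicious_calls"] = sorted(result["suspicious_calls"])
    return result


def build_demo_workbook():
    """Constructed demo workbook with a veryHidden XLM sheet (not the analysed sample)."""
    main_ns = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    rel_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
        '<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="application/vnd.ms-excel.macrosheet+xml"/>'
        "</Types>"
    )
    workbook = (
        f'<workbook xmlns="{main_ns}" xmlns:r="{rel_ns}"><sheets>'
        '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        "</sheets></workbook>"
    )
    # Formula cells: a host check, then the regsvr32 launch the sandbox observed, then HALT.
    macrosheet = (
        f'<macrosheet xmlns="{main_ns}"><sheetData>'
        '<row r="1"><c r="A1"><f>=GET.WORKSPACE(13)</f></c></row>'
        '<row r="2"><c r="A2"><f>=EXEC("regsvr32.exe /s ..\\cre.ocx")</f></c></row>'
        '<row r="3"><c r="A3"><f>=HALT()</f></c></row>'
        "</sheetData></macrosheet>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/macrosheets/sheet1.xml", macrosheet)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(triage_xlsm(build_demo_workbook()))
```

A workbook that has a macrosheet part, a veryHidden sheet and at least one EXEC/CALL/REGISTER formula should be treated as malicious without waiting for detonation; legitimate XLM sheets are rare and almost never hidden.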

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 20:24

Reported

2024-11-11 20:26

Platform

win7-20240903-en

Max time kernel

136s

Max time network

139s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\7a90f137ac8cd1f79ecc01162d202fa1101b5e4ff929cf1900f5c1f71ffeb592.xlsm

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\regsvr32.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\7a90f137ac8cd1f79ecc01162d202fa1101b5e4ff929cf1900f5c1f71ffeb592.xlsm

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe /s ..\cre.ocx

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | congresoapp2021.com | udp
US | 8.8.8.8:53 | forocavialpa.com | udp
US | 8.8.8.8:53 | s1.techopesolutions.com | udp
US | 8.8.8.8:53 | tournhatrang.asia | udp
US | 199.59.243.227:80 | tournhatrang.asia | tcp

Files

memory/2524-1-0x000000007214D000-0x0000000072158000-memory.dmp

memory/2524-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\cre.ocx

MD5 bfb8c50a0eed80a4444608ead9bad604
SHA1 de0c12ec99d7a95a385e3dd234e458a9ee0bb6eb
SHA256 e1d324a0510cd62ad86a414d207f21dd3479235fcb23daa9fbca2eebe299e54e
SHA512 4078800e489ba63d5447c0e84ac581a473d94330fc2d7b29313641e6076b99ad899bf50e3a306c733b7b947498df697e07e5057cc3cb34a9d8af725f9778190c

memory/2524-8-0x000000007214D000-0x0000000072158000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 20:24

Reported

2024-11-11 20:26

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

139s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7a90f137ac8cd1f79ecc01162d202fa1101b5e4ff929cf1900f5c1f71ffeb592.xlsm"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\regsvr32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7a90f137ac8cd1f79ecc01162d202fa1101b5e4ff929cf1900f5c1f71ffeb592.xlsm"

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe /s ..\cre.ocx
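Both detonations (the Office 2010 run under behavioral1 and the Office 2016 run here) record the same process tree: EXCEL.EXE launches C:\Windows\SysWow64\regsvr32.exe /s ..\cre.ocx, a silent registration of a module with a relative path and an .ocx extension that the workbook wrote to C:\Users\Admin\cre.ocx. Because that file carries a different hash in each run, a detection has to key on the parent/child relationship and the command line rather than on the payload hash. The script below is an added example of that logic, not the sandbox's own signature implementation; the Sysmon-style process-creation events it scans are constructed to match the two command lines in this report plus one benign control.

```python
"""Detect an Office process spawning a LOLBin, with extra scrutiny of regsvr32 command lines.

Added example, not the sandbox's signature logic. Events are constructed dicts with the
three Sysmon EventID 1 fields the rule needs: ParentImage, Image, CommandLine.
"""
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}
# Living-off-the-land binaries an Office process has no business launching directly.
SUSPICIOUS_CHILDREN = {
    "regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe",
}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # split a Windows command line, honouring double quotes


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokenize(cmdline):
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def regsvr32_indicators(cmdline):
    """Reasons a regsvr32 invocation looks abusive (empty list = nothing unusual)."""
    args = tokenize(cmdline)[1:]
    flags = [a for a in args if a.startswith(("/", "-"))]
    modules = [a for a in args if not a.startswith(("/", "-"))]
    reasons = []
    if any(f.lower() in ("/s", "-s") for f in flags):
        reasons.append("silent (/s) registration")
    for f in flags:
        if f.lower().startswith(("/i:", "-i:")):
            reasons.append(f"inline /i: argument {f!r} (scriptlet loading)")
    for m in modules:
        if not re.match(r"^[A-Za-z]:\\", m):
            reasons.append(f"relative module path {m!r}")
        if not m.lower().endswith(".dll"):
            reasons.append(f"non-DLL module extension {m!r}")
    return reasons


def evaluate(event):
    """Findings for one process-creation event; an empty list means nothing to flag."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    findings = []
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        findings.append(f"{parent} spawned {child}")
        if child == "regsvr32.exe":
            findings.extend(regsvr32_indicators(event["CommandLine"]))
    return findings


def scan(events):
    hits = []
    for e in events:
        findings = evaluate(e)
        if findings:
            hits.append((basename(e["Image"]), findings))
    return hits


# Constructed events: the regsvr32 launch from this report, Excel opening a workbook
# from Explorer (benign), and an installer registering a DLL by absolute path (benign).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\SysWow64\regsvr32.exe",
     "CommandLine": r"C:\Windows\SysWow64\regsvr32.exe /s ..\cre.ocx"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\invoice.xlsm"'},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'C:\Windows\System32\regsvr32.exe "C:\Program Files\Vendor\vendor.dll"'},
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(findings))
```

The parent/child pair alone is enough to alert on; the regsvr32-specific reasons are there to rank the hit and to survive the attacker renaming the dropped file, since a relative path or a non-.dll extension is unusual for legitimate registrations.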

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | congresoapp2021.com | udp
US | 8.8.8.8:53 | forocavialpa.com | udp
US | 8.8.8.8:53 | s1.techopesolutions.com | udp
US | 8.8.8.8:53 | tournhatrang.asia | udp
US | 199.59.243.227:80 | tournhatrang.asia | tcp
US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
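The network tables of both detonations mix three kinds of rows: sandbox background traffic (Office telemetry to roaming.officeapps.live.com and, in the Windows 10 run, a series of in-addr.arpa reverse lookups), lookups sent to the sandbox's resolver at 8.8.8.8:53, and the one real connection, tournhatrang.asia at 199.59.243.227:80. Three further domains (congresoapp2021.com, forocavialpa.com, s1.techopesolutions.com) were resolved but never connected to, which is worth keeping as a separate IOC tier. The script below is an added example, not a sandbox feature, that splits the table into those tiers; its input is the rows of the two tables above as constructed inline text, and it accepts both space-separated and pipe-separated rows.

```python
"""Triage a sandbox Network table into connected IOCs, resolved-only IOCs and noise.

Added example, not part of the sandbox report. NETWORK_TABLE is built from rows of the
two tables in this report; the benign-suffix list and resolver address are assumptions.
"""
import re

NETWORK_TABLE = """\
US 8.8.8.8:53 congresoapp2021.com udp
US 8.8.8.8:53 forocavialpa.com udp
US 8.8.8.8:53 s1.techopesolutions.com udp
US 8.8.8.8:53 tournhatrang.asia udp
US 199.59.243.227:80 tournhatrang.asia tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
"""

# Names the sandbox OS or Office contacts on its own; never promote these to IOCs.
BENIGN_SUFFIXES = (".officeapps.live.com", ".microsoft.com", ".windowsupdate.com",
                   ".in-addr.arpa", ".ip6.arpa")
RESOLVERS = {"8.8.8.8:53"}  # the sandbox's DNS resolver, not an indicator itself
ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<dst>\S+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; pipes are tolerated as separators."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(re.sub(r"\s*\|\s*", " ", line).strip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_noise(domain):
    return domain.lower().endswith(BENIGN_SUFFIXES)


def triage_network(text):
    connected, resolved, noise = {}, set(), set()
    for r in parse_rows(text):
        d = r["domain"].lower()
        if is_noise(d):
            noise.add(d)
            continue
        if r["dst"] in RESOLVERS:
            resolved.add(d)            # a DNS lookup only
        else:
            connected.setdefault(d, set()).add(r["dst"])  # an actual connection
    return {
        "connected": {d: sorted(v) for d, v in sorted(connected.items())},
        "resolved_only": sorted(resolved - set(connected)),
        "noise": sorted(noise),
    }


def to_ioc_lines(summary):
    """One IOC per line (domain or ip:port), connected tier first, for a blocklist or hunt."""
    iocs = []
    for d, dsts in summary["connected"].items():
        iocs.append(d)
        iocs.extend(dsts)
    iocs.extend(summary["resolved_only"])
    return iocs


if __name__ == "__main__":
    summary = triage_network(NETWORK_TABLE)
    print(summary)
    print("\n".join(to_ioc_lines(summary)))
```

Hunt on the connected tier first; the resolved-only domains are still worth a DNS-log search, since a host that looked them up has opened the workbook even if the download never completed.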

Files

memory/1672-1-0x00007FFCBCC0D000-0x00007FFCBCC0E000-memory.dmp

memory/1672-0-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

memory/1672-2-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

memory/1672-4-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp

memory/1672-3-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

memory/1672-5-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

memory/1672-6-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp

memory/1672-8-0x00007FFC7CBF0000-0x00007FFC7CC00000-memory.dmp

memory/1672-11-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp

memory/1672-12-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp

memory/1672-13-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp

memory/1672-14-0x00007FFC7A4F0000-0x00007FFC7A500000-memory.dmp

memory/1672-10-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp

memory/1672-9-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp

memory/1672-15-0x00007FFC7A4F0000-0x00007FFC7A500000-memory.dmp

memory/1672-7-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp

memory/1672-17-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp

memory/1672-16-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp

C:\Users\Admin\cre.ocx

MD5 6ee496800141585f727b5857af3ee9bc
SHA1 e50e744a6f6d604372e3fa7b44ec5f6091b74bb6
SHA256 493f1ba5b22567c898a8b940f45e420d3d9b9a5ee4a53b7e2d5647ec3293ab55
SHA512 b1f47b8c555cce706189488e2c1a187bb9a89800a260370b31832a7366f802331e4805eb5cea428df60dfd6a92b19c9a8f52dc6bfb50db5bf24290e8ab4cbfd8

memory/1672-32-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp

memory/1672-33-0x00007FFCBCC0D000-0x00007FFCBCC0E000-memory.dmp

memory/1672-34-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 4fcd44a4d62a19111d0efdb8ec5a5777
SHA1 52a75b8110086ff528069905077f5bcc8a6db198
SHA256 8c56f8f01b5901a281b474f079ed78e07cca8f94b5fec8526054fb90cf3add0f
SHA512 6c696743c332dda04a79e54e818d30f41c7b6e536bc35d8d0af5520e28399f082f2522c0437b50b3b3c9853e5a05590294f99653722d9ab0faae56f3dbcb1280