Malware Analysis Report

2025-03-15 07:25

Sample ID 241111-yydvdavjay
Target 0c0fa037059129362689a3a0a42e34ebb9f9d403738176882e8559dd398b9b83
SHA256 0c0fa037059129362689a3a0a42e34ebb9f9d403738176882e8559dd398b9b83
Tags
macro xlm discovery
score
10/10

Analysis Overview

score
10/10

SHA256

0c0fa037059129362689a3a0a42e34ebb9f9d403738176882e8559dd398b9b83

Threat Level: Known bad

The file 0c0fa037059129362689a3a0a42e34ebb9f9d403738176882e8559dd398b9b83 was found to be: Known bad.

Malicious Activity Summary

macro xlm discovery

Process spawned unexpected child process

Suspicious Office macro

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 20:11

Signatures

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 20:11

Reported

2024-11-11 20:13

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0c0fa037059129362689a3a0a42e34ebb9f9d403738176882e8559dd398b9b83.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0c0fa037059129362689a3a0a42e34ebb9f9d403738176882e8559dd398b9b83.xls"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 yakosurf.com udp
ES 31.214.178.111:443 yakosurf.com tcp
US 8.8.8.8:53 7.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 111.178.214.31.in-addr.arpa udp
US 8.8.8.8:53 www.yakosurf.comwp-includes udp
US 8.8.8.8:53 fikti.bem.gunadarma.ac.id udp
ID 202.125.95.154:443 fikti.bem.gunadarma.ac.id tcp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 154.95.125.202.in-addr.arpa udp
US 8.8.8.8:53 69.194.219.23.in-addr.arpa udp
US 8.8.8.8:53 armannahalpersian.ir udp
DE 195.201.55.155:80 armannahalpersian.ir tcp
US 8.8.8.8:53 disweb.sk udp
SK 37.9.175.187:80 disweb.sk tcp
US 8.8.8.8:53 155.55.201.195.in-addr.arpa udp
US 8.8.8.8:53 187.175.9.37.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 101.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 c236714830be34eb669f91f2e08dcee3
SHA1 3c3f18fa65d34755bdd76ded1615df513bb8694e
SHA256 eced30909b7d4cad1b7fdf52ca45297b11fddfab14c0c777d78bd9c324d3c0d0
SHA512 82c7555e58f352e4da6e0e785daba7437bc88a8fc12c8142d48b4bddc489bd2219928c72111ff4e56c796ed86e2f68085d1dbfa894eb32a69fec69b985db3df6

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 20:11

Reported

2024-11-11 20:13

Platform

win7-20241010-en

Max time kernel

137s

Max time network

145s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\0c0fa037059129362689a3a0a42e34ebb9f9d403738176882e8559dd398b9b83.xls

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2588 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2588 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2588 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2588 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2588 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2588 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2588 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2612 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2612 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2612 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2612 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2612 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2612 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2612 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2636 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2636 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2636 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2636 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2636 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2636 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2636 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2672 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2672 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2672 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2672 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2672 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2672 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 2332 wrote to memory of 2672 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\0c0fa037059129362689a3a0a42e34ebb9f9d403738176882e8559dd398b9b83.xls

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx

Network

Country Destination Domain Proto
US 8.8.8.8:53 yakosurf.com udp
ES 31.214.178.111:443 yakosurf.com tcp
US 8.8.8.8:53 fikti.bem.gunadarma.ac.id udp
ID 202.125.95.154:443 fikti.bem.gunadarma.ac.id tcp
ID 202.125.95.154:443 fikti.bem.gunadarma.ac.id tcp
ID 202.125.95.154:443 fikti.bem.gunadarma.ac.id tcp
ID 202.125.95.154:443 fikti.bem.gunadarma.ac.id tcp
US 8.8.8.8:53 armannahalpersian.ir udp
DE 195.201.55.155:80 armannahalpersian.ir tcp
US 8.8.8.8:53 disweb.sk udp
SK 37.9.175.187:80 disweb.sk tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab122D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar173E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
