Malware Analysis Report

2025-03-15 07:22

Sample ID 241111-zgd99ayqen
Target d46fabccd473fce993b9aa787e2bf509bae0a792ffb2c17f6758b874f84df2ce
SHA256 d46fabccd473fce993b9aa787e2bf509bae0a792ffb2c17f6758b874f84df2ce
Tags macro xlm discovery
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 d46fabccd473fce993b9aa787e2bf509bae0a792ffb2c17f6758b874f84df2ce

Threat Level: Known bad

The file d46fabccd473fce993b9aa787e2bf509bae0a792ffb2c17f6758b874f84df2ce was found to be: Known bad.

Malicious Activity Summary

macro xlm discovery

Process spawned unexpected child process

Suspicious Office macro

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 20:41

Signatures

Suspicious Office macro

macro xlm
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 20:41

Reported

2024-11-11 20:43

Platform

win7-20241010-en

Max time kernel

61s

Max time network

138s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d46fabccd473fce993b9aa787e2bf509bae0a792ffb2c17f6758b874f84df2ce.xlsm

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\regsvr32.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d46fabccd473fce993b9aa787e2bf509bae0a792ffb2c17f6758b874f84df2ce.xlsm

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe -s ..\si.ocx

Network

Country Destination Domain Proto
US 8.8.8.8:53 henrysfreshroast.com udp
US 138.207.69.73:80 henrysfreshroast.com tcp
US 138.207.69.73:443 henrysfreshroast.com tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.75:80 r10.o.lencr.org tcp

Files

memory/2116-1-0x000000007220D000-0x0000000072218000-memory.dmp

memory/2116-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\si.ocx

MD5 2fc1c11a3c2295b3194b1bf83b86982c
SHA1 8ae7381b0af50a07310f7ffbecfa780f7740305f
SHA256 4ac4fc0780ce238c703abf6b7193462805ecaed4e36cdc2b74a89af0e260cd6c
SHA512 58d05cc0e6f3e767156e50a4e082d86799463cf2f8f09df4d0c5e213ffed9db5e912d5f911d58454d2211a8c7c5d65216477f7bdcd9156e1f54f4f52919bb0b8

memory/2116-21-0x000000007220D000-0x0000000072218000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 20:41

Reported

2024-11-11 20:43

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

139s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d46fabccd473fce993b9aa787e2bf509bae0a792ffb2c17f6758b874f84df2ce.xlsm"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\regsvr32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d46fabccd473fce993b9aa787e2bf509bae0a792ffb2c17f6758b874f84df2ce.xlsm"

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe -s ..\si.ocx

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 henrysfreshroast.com udp
US 138.207.69.73:80 henrysfreshroast.com tcp
US 138.207.69.73:443 henrysfreshroast.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.69.207.138.in-addr.arpa udp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.82:80 r10.o.lencr.org tcp
US 8.8.8.8:53 69.194.219.23.in-addr.arpa udp
US 8.8.8.8:53 82.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 137.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 106.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4728-0-0x00007FF94DA8D000-0x00007FF94DA8E000-memory.dmp

memory/4728-1-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

memory/4728-3-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

memory/4728-2-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

memory/4728-4-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

memory/4728-5-0x00007FF90DA70000-0x00007FF90DA80000-memory.dmp

memory/4728-6-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

memory/4728-7-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

memory/4728-11-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

memory/4728-12-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

memory/4728-13-0x00007FF90B350000-0x00007FF90B360000-memory.dmp

memory/4728-10-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

memory/4728-9-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

memory/4728-14-0x00007FF90B350000-0x00007FF90B360000-memory.dmp

memory/4728-8-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

memory/4728-18-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

memory/4728-17-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

memory/4728-16-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

memory/4728-15-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

memory/4728-39-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

C:\Users\Admin\si.ocx

MD5 2fc1c11a3c2295b3194b1bf83b86982c
SHA1 8ae7381b0af50a07310f7ffbecfa780f7740305f
SHA256 4ac4fc0780ce238c703abf6b7193462805ecaed4e36cdc2b74a89af0e260cd6c
SHA512 58d05cc0e6f3e767156e50a4e082d86799463cf2f8f09df4d0c5e213ffed9db5e912d5f911d58454d2211a8c7c5d65216477f7bdcd9156e1f54f4f52919bb0b8

memory/4728-41-0x00007FF94DA8D000-0x00007FF94DA8E000-memory.dmp

memory/4728-42-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

memory/4728-44-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

memory/4728-43-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

memory/4728-48-0x00007FF94D9F0000-0x00007FF94DBE5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 604f8645b539797bad595bf685e5f681
SHA1 6bd9a30f257dd5ca361b5c2b7e2bbfb5e7e9aeab
SHA256 ecd16a9f006b643c4ce7e3bd89e2dd3cb4e4b8fb2f4253bf2e304d0f4c6addc8
SHA512 3a5122a2404e6336a8fe2f3be3ac5004ade343f2fe7e0dad9a6517caccf93e04cd689479eee564448c4381c2989abcb8d77539cd5a4e9447d38315bcb99104e6