Analysis Overview
SHA256
503f902faf75195984ff348c5c00c192e9aedf1ccfec729558038d93a057a2e1
Threat Level: Known bad
The file 503f902faf75195984ff348c5c00c192e9aedf1ccfec729558038d93a057a2e1 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Suspicious Office macro
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 20:56
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 20:56
Reported
2024-11-11 20:59
Platform
win7-20240903-en
Max time kernel
60s
Max time network
18s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\503f902faf75195984ff348c5c00c192e9aedf1ccfec729558038d93a057a2e1.xls
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui1.ocx
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui2.ocx
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui3.ocx
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui4.ocx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | beeslandkerman.ir | udp |
| US | 8.8.8.8:53 | cerdi.com | udp |
| DK | 46.30.215.80:80 | cerdi.com | tcp |
| US | 8.8.8.8:53 | www.chasingmavericks.co.ke | udp |
| DE | 88.198.22.18:443 | www.chasingmavericks.co.ke | tcp |
| DE | 88.198.22.18:443 | www.chasingmavericks.co.ke | tcp |
| DE | 88.198.22.18:443 | www.chasingmavericks.co.ke | tcp |
| DE | 88.198.22.18:443 | www.chasingmavericks.co.ke | tcp |
| US | 8.8.8.8:53 | bsbmakina.com.tr | udp |
Files
memory/2400-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2400-1-0x000000007283D000-0x0000000072848000-memory.dmp
memory/2400-2-0x000000007283D000-0x0000000072848000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 20:56
Reported
2024-11-11 20:59
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
139s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\503f902faf75195984ff348c5c00c192e9aedf1ccfec729558038d93a057a2e1.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui1.ocx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui2.ocx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui3.ocx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\cui4.ocx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beeslandkerman.ir | udp |
| US | 8.8.8.8:53 | cerdi.com | udp |
| DK | 46.30.215.80:80 | cerdi.com | tcp |
| US | 8.8.8.8:53 | www.chasingmavericks.co.ke | udp |
| DE | 88.198.22.18:443 | www.chasingmavericks.co.ke | tcp |
| US | 8.8.8.8:53 | chasingmavericks.co.ke | udp |
| DE | 88.198.22.18:443 | chasingmavericks.co.ke | tcp |
| US | 8.8.8.8:53 | bsbmakina.com.tr | udp |
| US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.215.30.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.22.198.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
Files
memory/4068-0-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp
memory/4068-1-0x00007FFE2EDCD000-0x00007FFE2EDCE000-memory.dmp
memory/4068-3-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp
memory/4068-2-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp
memory/4068-4-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp
memory/4068-6-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp
memory/4068-5-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp
memory/4068-7-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp
memory/4068-10-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp
memory/4068-13-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp
memory/4068-12-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp
memory/4068-11-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp
memory/4068-14-0x00007FFDECD50000-0x00007FFDECD60000-memory.dmp
memory/4068-9-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp
memory/4068-8-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp
memory/4068-15-0x00007FFDECD50000-0x00007FFDECD60000-memory.dmp
memory/4068-17-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp
memory/4068-16-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp
memory/4068-30-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp
memory/4068-31-0x00007FFE2EDCD000-0x00007FFE2EDCE000-memory.dmp
memory/4068-32-0x00007FFE2ED30000-0x00007FFE2EF25000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 3abcb8a0b7ca6f280bd6311781a85b24 |
| SHA1 | 039317b1a53055a41121dbb2a1167af5f40ec67c |
| SHA256 | 47e8a058664ad639a925487a93736126678d5a103299ddc04b18107ab9fcd4f7 |
| SHA512 | 637b5215eebd92f020cbc3d493184cb894964fa2f3ffc151cefe77171c68b99b25bec3b653555a5ec17a3b8e2562787ac47a8104008f82209e68b0413676ba1f |