Analysis Overview
SHA256
bb7118889cc36bfef1526b86531da8b4a70cc3827a20042582c2dc074a3d8615
Threat Level: Known bad
The file bb7118889cc36bfef1526b86531da8b4a70cc3827a20042582c2dc074a3d8615 was found to be: Known bad.
Malicious Activity Summary
Suspicious Office macro
System Location Discovery: System Language Discovery
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 21:02
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 21:02
Reported
2024-11-11 21:05
Platform
win7-20240903-en
Max time kernel
143s
Max time network
145s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\bb7118889cc36bfef1526b86531da8b4a70cc3827a20042582c2dc074a3d8615.xlsm
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | buchhave.net | udp |
| DK | 94.231.103.182:80 | buchhave.net | tcp |
| US | 8.8.8.8:53 | www.bellaitaliatour.com | udp |
| IT | 86.105.14.13:443 | www.bellaitaliatour.com | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | brainora.com | udp |
| ES | 217.76.142.114:80 | brainora.com | tcp |
| US | 8.8.8.8:53 | breustchabrierarchitectes.fr | udp |
| FR | 213.186.33.24:80 | breustchabrierarchitectes.fr | tcp |
| US | 8.8.8.8:53 | www.breustchabrierarchitectes.fr | udp |
| FR | 213.186.33.24:80 | www.breustchabrierarchitectes.fr | tcp |
| US | 8.8.8.8:53 | biasikazan.hu | udp |
| HU | 5.56.35.6:443 | biasikazan.hu | tcp |
| HU | 5.56.35.6:443 | biasikazan.hu | tcp |
| HU | 5.56.35.6:443 | biasikazan.hu | tcp |
| HU | 5.56.35.6:443 | biasikazan.hu | tcp |
| US | 8.8.8.8:53 | beta.orlandofoodtours.com | udp |
| US | 66.115.130.163:80 | beta.orlandofoodtours.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | bestsafe.co.uk | udp |
| GB | 185.151.30.164:80 | bestsafe.co.uk | tcp |
| GB | 185.151.30.164:443 | bestsafe.co.uk | tcp |
| GB | 185.151.30.164:443 | bestsafe.co.uk | tcp |
| GB | 185.151.30.164:443 | bestsafe.co.uk | tcp |
| GB | 185.151.30.164:443 | bestsafe.co.uk | tcp |
Files
memory/2120-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2120-1-0x000000007260D000-0x0000000072618000-memory.dmp
memory/2120-18-0x000000007260D000-0x0000000072618000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 21:02
Reported
2024-11-11 21:05
Platform
win10v2004-20241007-en
Max time kernel
128s
Max time network
148s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bb7118889cc36bfef1526b86531da8b4a70cc3827a20042582c2dc074a3d8615.xlsm"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | buchhave.net | udp |
| DK | 94.231.103.182:80 | buchhave.net | tcp |
| US | 8.8.8.8:53 | www.bellaitaliatour.com | udp |
| IT | 86.105.14.13:443 | www.bellaitaliatour.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.103.231.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.14.105.86.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| GB | 2.23.210.82:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 82.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brainora.com | udp |
| ES | 217.76.142.114:80 | brainora.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | breustchabrierarchitectes.fr | udp |
| FR | 213.186.33.24:80 | breustchabrierarchitectes.fr | tcp |
| US | 8.8.8.8:53 | www.breustchabrierarchitectes.fr | udp |
| FR | 213.186.33.24:80 | www.breustchabrierarchitectes.fr | tcp |
| US | 8.8.8.8:53 | 24.33.186.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | biasikazan.hu | udp |
| HU | 5.56.35.6:443 | biasikazan.hu | tcp |
| US | 8.8.8.8:53 | beta.orlandofoodtours.com | udp |
| US | 66.115.130.163:80 | beta.orlandofoodtours.com | tcp |
| US | 8.8.8.8:53 | 6.35.56.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bestsafe.co.uk | udp |
| GB | 185.151.30.164:80 | bestsafe.co.uk | tcp |
| GB | 185.151.30.164:443 | bestsafe.co.uk | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.23.210.75:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 164.30.151.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.208.201.84.in-addr.arpa | udp |
Files
memory/2268-1-0x00007FFB43F2D000-0x00007FFB43F2E000-memory.dmp
memory/2268-0-0x00007FFB03F10000-0x00007FFB03F20000-memory.dmp
memory/2268-3-0x00007FFB03F10000-0x00007FFB03F20000-memory.dmp
memory/2268-2-0x00007FFB03F10000-0x00007FFB03F20000-memory.dmp
memory/2268-4-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp
memory/2268-6-0x00007FFB03F10000-0x00007FFB03F20000-memory.dmp
memory/2268-5-0x00007FFB03F10000-0x00007FFB03F20000-memory.dmp
memory/2268-8-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp
memory/2268-10-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp
memory/2268-9-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp
memory/2268-7-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp
memory/2268-12-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp
memory/2268-11-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp
memory/2268-13-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp
memory/2268-14-0x00007FFB01C50000-0x00007FFB01C60000-memory.dmp
memory/2268-15-0x00007FFB01C50000-0x00007FFB01C60000-memory.dmp
memory/2268-33-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp
memory/2268-34-0x00007FFB43F2D000-0x00007FFB43F2E000-memory.dmp
memory/2268-35-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp
memory/2268-36-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 047ee9e8d54c778920df837ecc8d31f2 |
| SHA1 | 6d2262c49a9941837290e1fd17639e4eed7ea111 |
| SHA256 | 705f421fbf0a035e9e7e5eae68cb59c818cf47fc13d41fcee958a6fc3a5ba836 |
| SHA512 | 22b9142f7ca97a5f1689afb16755b1fc58a86acacde5906d640c27c1dd7786615f25ee45f3e2224f7d0ccd1a11a39de3826999f9f20b9a640370676843e4618e |