Malware Analysis Report

2025-08-05 16:52

Sample ID: 250127-sk226atrew
Target: =?UTF-8?B?0KHQvtGE0LjRjzEuZG9jeA==?= (MIME encoded-word; decodes to София1.docx)
SHA256: 11a6be3842bc5d9610806c9a5b5fb2e7fe6f6efb484f0e8ca0052865344d1037
Tags: discovery
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 11a6be3842bc5d9610806c9a5b5fb2e7fe6f6efb484f0e8ca0052865344d1037

Threat Level: Shows suspicious behavior

The file =?UTF-8?B?0KHQvtGE0LjRjzEuZG9jeA==?= (MIME encoded-word; decodes to София1.docx) was found to show suspicious behavior.

Malicious Activity Summary

discovery

Abuses OpenXML format to download file from external location

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Office document contains embedded OLE objects

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2025-01-27 15:11

Signatures

Office document contains embedded OLE objects

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-27 15:11
Reported: 2025-01-27 15:14
Platform: win7-20240903-en
Max time kernel: 123s
Max time network: 120s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\=_UTF-8_B_0KHQvtGE0LjRjzEuZG9jeA==_=.docx"

Signatures

Abuses OpenXML format to download file from external location

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\=_UTF-8_B_0KHQvtGE0LjRjzEuZG9jeA==_=.docx"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network


Files

memory/2080-0-0x000000002F541000-0x000000002F542000-memory.dmp

memory/2080-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2080-2-0x0000000070CFD000-0x0000000070D08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{3127A04E-CEF4-4505-99CC-443C35F4B7F0}

MD5 f3999d5d175cba554c9f259e77c9d64c
SHA1 e6a1a72fa0bd479a24fe2118bf749603e3a3ecfe
SHA256 14832b31027b19c5357ee97315b643d41362f072f8ecc944a1d1be1a4f3dc1da
SHA512 772e9607a140d40740f4ca9aaf099bbeacd156b3e2645c5b50a84582655f1a921b1357dbb8078c33faa2fd7c27e8faae4f76876da6260d2c672d438f00a81568

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0DF4F85E-907E-4CC7-A368-07C4DF7D7C43}.FSD

MD5 bee81e1d01d53c1948b8cb17547fac42
SHA1 7438809b72f2487328dffcedf04ff6465f0085ec
SHA256 3eb67d717f1feb2420a166d5bea7f1ac8e2818b57250135040dcc6dfb12bcc5a
SHA512 8c3720d67e6275ccc268cface15d0889b453e62af4ae5a98c8a9a72cef5c6acb4202a0fabbb1fb26961ee38c85801d727323e894382862ae69114bb320a34da0

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 5c890b8e48ac939d2c7bf9375a784b74
SHA1 a457e44b0a77eaa0cdeab668939110aab2bd1be5
SHA256 eb591fe3c9ded5d5e127dca22bc802f3b320436e0fad0661b0bb31c4efd769dd
SHA512 4c05504aaca9231814bd01b0efbde381c3dd37e323860946407f0e3d9be404a4b6c0553cbe3c7cf943eb5486c1df6785e7857db409ce615ec35183de24edbe9e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F7A2BB7.emf

MD5 bdf9149463746634ab95eeaba5d49660
SHA1 4ccebb4488a7592ba2c3325edc9b29d8e30c6cf3
SHA256 0624386927475fa35629167480ffe83a7c8d3ba1197dfd75b625285cfc5ba316
SHA512 7dd68319fc369f993e44fd26291eada9b30e257a52a86209c96b3a1c091f147ab9f247e87d398a68e2855b65ed10199cd2de390803ef91cee09b3da1e68ebdcc

memory/2080-81-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-01-27 15:11
Reported: 2025-01-27 15:14
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\=_UTF-8_B_0KHQvtGE0LjRjzEuZG9jeA==_=.docx" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAuditPrivilege | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\=_UTF-8_B_0KHQvtGE0LjRjzEuZG9jeA==_=.docx" /o ""

Network


Files


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\sweetnessgoodfornicethinkingwithgreatnesswordgoodfro_____veryniceercutebabygirlwantotbecomesuchagirlfrinedforme______sheisbestthingseverdidiwithme[1].doc

MD5 c82fe4b0ec0ee31e9a16eadc90c7de61
SHA1 29e524b378de705da32a08babd69249e6c954022
SHA256 d49118093407968c9d3e72308f23c96baf7c9f4d7d3eb7d45c6e5df977313ec7
SHA512 2fdb0c8068676f808224c506d319e57bc1aa5e064c17a3209492d3cc0182ee4b45d42c5637f99a408541d28df6894f4635e6df244fdda7ba7e3b0eb9f1f4521f

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 b07c5e8d68a580255abc9a0b50edefe3
SHA1 4c9ce4379acfcc894369596c78959450ef04018d
SHA256 363bd32d03f19a9a5db65959e74253b8a61a2d721bbf7a9eaf129fc4d45c0d38
SHA512 b158a2fc5f304cc2096fa0626ea556c81370bd88f89161008a357eda76a629884ad55f328f1d20e9d4f0fbb0a0bd02d4199c2137cc448917f86c24363cbca4ee

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\ED49BE81.emf

MD5 bdf9149463746634ab95eeaba5d49660
SHA1 4ccebb4488a7592ba2c3325edc9b29d8e30c6cf3
SHA256 0624386927475fa35629167480ffe83a7c8d3ba1197dfd75b625285cfc5ba316
SHA512 7dd68319fc369f993e44fd26291eada9b30e257a52a86209c96b3a1c091f147ab9f247e87d398a68e2855b65ed10199cd2de390803ef91cee09b3da1e68ebdcc

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/1072-93-0x00007FFED21F0000-0x00007FFED23E5000-memory.dmp

memory/1072-94-0x00007FFED21F0000-0x00007FFED23E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 7da9aac982f1f9c6f71617af0c8ee60b
SHA1 eba73522abc6b9ee5a5b7f6fa8025af358eced9a
SHA256 b41a3639ca3fb30ffc04f0d84511195fa13ef31851eaa11d51fa782b2ea5d686
SHA512 ac8c47b94ff3dcacde9951bbd2fac872c422339812030266698949c4b48a735a800cd1cfcb54c9a27d73b5614ed1b97810d4474449787d24735ed6547a527667

C:\Users\Admin\AppData\Local\Temp\TCD168C.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d