Analysis Overview
SHA256: 9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a
Threat Level: Known bad
The file 9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Suspicious Office macro
System Location Discovery: System Language Discovery
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-05 13:32
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-05 13:32
Reported: 2024-11-05 13:35
Platform: win10ltsc2021-20241023-en
Max time kernel: 133s
Max time network: 150s
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2056 wrote to memory of 2860 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2056 wrote to memory of 2860 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2056 wrote to memory of 2860 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm"
C:\Windows\SysWow64\regsvr32.exe
C:\Windows\SysWow64\regsvr32.exe -s ..\adx.ocx
Network
Files
C:\Users\Admin\adx.ocx
| MD5 | 8f7afabccec4bec42d5bf041dc45f7e5 |
| SHA1 | 614359b31a2cdf02be8a12b0254f91171c32ba54 |
| SHA256 | ff0b128a0d1f6385dc4d265684b760d92be853e938e8e2e1aed3f120a5541933 |
| SHA512 | 2b2e9b09d61e356cd569e097e2da2191e854590364141ad5f6d99c0a0910caa271100b26efa1457c8bd30cf4e82f54ed6fa6aa4d3fd0c0eccfd202bcc6bc4853 |
Analysis: behavioral3
Detonation Overview
Submitted: 2024-11-05 13:32
Reported: 2024-11-05 13:35
Platform: win11-20241007-en
Max time kernel: 147s
Max time network: 151s
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2892 wrote to memory of 2820 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2892 wrote to memory of 2820 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2892 wrote to memory of 2820 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm"
C:\Windows\SysWow64\regsvr32.exe
C:\Windows\SysWow64\regsvr32.exe -s ..\adx.ocx
Network
Files
C:\Users\Admin\adx.ocx
| MD5 | 8f7afabccec4bec42d5bf041dc45f7e5 |
| SHA1 | 614359b31a2cdf02be8a12b0254f91171c32ba54 |
| SHA256 | ff0b128a0d1f6385dc4d265684b760d92be853e938e8e2e1aed3f120a5541933 |
| SHA512 | 2b2e9b09d61e356cd569e097e2da2191e854590364141ad5f6d99c0a0910caa271100b26efa1457c8bd30cf4e82f54ed6fa6aa4d3fd0c0eccfd202bcc6bc4853 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 5e6cc251915df5d75c2ee0ac022dbeff |
| SHA1 | 95104648c14fa7e8a68b054daf8d69d5260b268d |
| SHA256 | 7e8cfc1a39ca8bfb427f020cf34173e612cb566f741f527d58ff9536d3bd20be |
| SHA512 | 75cae064b52434e3b0a09cf59f2fc02f3e4318a47b00f862c496bb4f6860dc4c60819c24c8df7ba4ae1d279d38c88f887653b3143d7d0d545c7dbfd4391890ef |
Analysis: behavioral4
Detonation Overview
Submitted: 2024-11-05 13:32
Reported: 2024-11-05 13:35
Platform: win7-20240903-en
Max time kernel: 141s
Max time network: 150s
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\regsvr32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2332 wrote to memory of 2864 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2332 wrote to memory of 2864 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2332 wrote to memory of 2864 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2332 wrote to memory of 2864 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2332 wrote to memory of 2864 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2332 wrote to memory of 2864 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 2332 wrote to memory of 2864 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm
C:\Windows\SysWow64\regsvr32.exe
C:\Windows\SysWow64\regsvr32.exe -s ..\adx.ocx
Network
Files
C:\Users\Admin\adx.ocx
| MD5 | 8f7afabccec4bec42d5bf041dc45f7e5 |
| SHA1 | 614359b31a2cdf02be8a12b0254f91171c32ba54 |
| SHA256 | ff0b128a0d1f6385dc4d265684b760d92be853e938e8e2e1aed3f120a5541933 |
| SHA512 | 2b2e9b09d61e356cd569e097e2da2191e854590364141ad5f6d99c0a0910caa271100b26efa1457c8bd30cf4e82f54ed6fa6aa4d3fd0c0eccfd202bcc6bc4853 |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-05 13:32
Reported: 2024-11-05 13:35
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 154s
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1444 wrote to memory of 1984 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 1444 wrote to memory of 1984 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 1444 wrote to memory of 1984 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm"
C:\Windows\SysWow64\regsvr32.exe
C:\Windows\SysWow64\regsvr32.exe -s ..\adx.ocx
Network
Files
C:\Users\Admin\adx.ocx
| MD5 | 8f7afabccec4bec42d5bf041dc45f7e5 |
| SHA1 | 614359b31a2cdf02be8a12b0254f91171c32ba54 |
| SHA256 | ff0b128a0d1f6385dc4d265684b760d92be853e938e8e2e1aed3f120a5541933 |
| SHA512 | 2b2e9b09d61e356cd569e097e2da2191e854590364141ad5f6d99c0a0910caa271100b26efa1457c8bd30cf4e82f54ed6fa6aa4d3fd0c0eccfd202bcc6bc4853 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 50ffb48ec86454dfda6a9bf0c548f870 |
| SHA1 | fdb780e3b784a129e0d582f5d661705b0da10743 |
| SHA256 | 203e4302fa06cf7d14243ca3c321d40b0675b1637b608ef099e2e3f457e3c72a |
| SHA512 | e0a83ff0382cd15e72c2dbfd80c061124a8e7c48348710c6c06174d9b5338fd2174e8976af8c4cf5f65ecd15fef5f5de3c1db74e0b69c3a50b49b34f1506f24f |