55f2a42a9009f5fcdd40ff238cdb7569074c9535d23d68011230ae56aa581feb

General

Target

55f2a42a9009f5fcdd40ff238cdb7569074c9535d23d68011230ae56aa581feb.xlsm
Size

48KB
MD5

f33438430f68ded0c62197f1a012efc4
SHA1

6959879ac7c409927f1092ea5ff31a4ec77afbc4
SHA256

55f2a42a9009f5fcdd40ff238cdb7569074c9535d23d68011230ae56aa581feb
SHA512

8f7646a54e9e0c30e8c1cf1458b99142aaaf4698c34efd0209d6467b254516ddf278cd73877fb95229cc209be1d81a0a510dcb2f8d66fc0bc4c82997f363f8a0
SSDEEP

768:XO+CAEWvxRc3mlkKDNWBA7rTj+RYV8Q0RuVBR2jPrtysHRX0AOBAa:X7O2b8QkKDNck01u/R2rZyjtBl

Score

10^/10

discovery

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://suleyera.com/components/CNGhltc5v2K6/

xlm40.dropper

http://sociallysavvyseo.com/PinnacleDynamicServices/pRlYMzvfuu5B/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4992	1772	regsvr32.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1772	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1772	EXCEL.EXE
1772	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1772	EXCEL.EXE
1772	EXCEL.EXE
1772	EXCEL.EXE
1772	EXCEL.EXE
1772	EXCEL.EXE
1772	EXCEL.EXE
1772	EXCEL.EXE
1772	EXCEL.EXE
1772	EXCEL.EXE
1772	EXCEL.EXE
1772	EXCEL.EXE
1772	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 4992	1772	EXCEL.EXE	91
PID 1772 wrote to memory of 4992	1772	EXCEL.EXE	91
PID 1772 wrote to memory of 4992	1772	EXCEL.EXE	91

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\55f2a42a9009f5fcdd40ff238cdb7569074c9535d23d68011230ae56aa581feb.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWow64\regsvr32.exe
  C:\Windows\SysWow64\regsvr32.exe -s ..\ax.ocx
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
08040af382ff59d7112c8d0259e1ada1

SHA1
6ccd588c97a20888c102ad320e0360b4d33a99a9

SHA256
e4bc8c5bca8cc6a327b6f7c189ffdfcfdaaf056958349a2925d41795ee812b9d

SHA512
e2f16e2f84dd447d1895705a3188d5130bdb60e30c896346fe7b96934f6660bc83ba29b6484f9c1e1ffbb88e857a54766fb3a2f66d6d5f507f59bc46ee231657

Download Submit
C:\Users\Admin\ax.ocx

Filesize
7KB

MD5
fc250a2589e567b2a63d934ab6be1fa9

SHA1
4ba1a4afdd9488389eda5dc8a8fc1b6713ce29e4

SHA256
fb551dbf1e7abb4a0af4f82f23e423a451b977587282c521dda07e61c35cb42d

SHA512
3b53091ef2241db8bfbdacaa90c117d2929997430421d69e064f6fc4b6e0afbb5e71b1caf15a2d83d9028e3b78a99da60af50249513ca35731bbf2eafa95ed28

Download Submit
memory/1772-11-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/1772-10-0x00007FFCB4910000-0x00007FFCB4920000-memory.dmp

Filesize
64KB

Download
memory/1772-5-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/1772-7-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

Filesize
64KB

Download
memory/1772-6-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/1772-4-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

Filesize
64KB

Download
memory/1772-8-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/1772-13-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/1772-14-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/1772-12-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/1772-3-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

Filesize
64KB

Download
memory/1772-0-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

Filesize
64KB

Download
memory/1772-9-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/1772-16-0x00007FFCB4910000-0x00007FFCB4920000-memory.dmp

Filesize
64KB

Download
memory/1772-15-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/1772-18-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/1772-19-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/1772-17-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/1772-2-0x00007FFCB7270000-0x00007FFCB7280000-memory.dmp

Filesize
64KB

Download
memory/1772-43-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/1772-44-0x00007FFCF728D000-0x00007FFCF728E000-memory.dmp

Filesize
4KB

Download
memory/1772-45-0x00007FFCF71F0000-0x00007FFCF73E5000-memory.dmp

Filesize
2.0MB

Download
memory/1772-1-0x00007FFCF728D000-0x00007FFCF728E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads