02c2a5fe14fd49e1c3433115100d19a9c8f114c38b029381033d3485c5c2a182

General

Target

02c2a5fe14fd49e1c3433115100d19a9c8f114c38b029381033d3485c5c2a182.xlsm
Size

35KB
MD5

139217018defce5394861532c5c7a064
SHA1

299dc5cb1e7760be964571a077f8c2b21db2e0e9
SHA256

02c2a5fe14fd49e1c3433115100d19a9c8f114c38b029381033d3485c5c2a182
SHA512

fdeb09fe282f0c32c6be8bf425b390a5db50edf0ea6c9df3d44865458bc34f1888148a8b5c6d3f1eccafc5f4f7e9ae545134150048bdb52a326ef41fc444841f
SSDEEP

768:6YKtm5eMn7AjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooXLR:6YKtmg+UOZZ1ZYpoQ/pMAm

Score

10^/10

discovery

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://casinojackpotking.com/cgi-bin/47sKbklSQf31/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2024	3940	regsvr32.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3940	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3940	EXCEL.EXE
3940	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE
3940	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 2024	3940	EXCEL.EXE	87
PID 3940 wrote to memory of 2024	3940	EXCEL.EXE	87
PID 3940 wrote to memory of 2024	3940	EXCEL.EXE	87

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\02c2a5fe14fd49e1c3433115100d19a9c8f114c38b029381033d3485c5c2a182.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\SysWow64\regsvr32.exe
  C:\Windows\SysWow64\regsvr32.exe -s ..\xdha.ocx
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
2f0b863c5ddcd5f9aa3b3ccd1c910cc6

SHA1
04a314c0487d991567d214c69e51c6b6f6c8e665

SHA256
7859f25f4c8e0bacf09c4b6e03d8d854bbec499f2da8ad33dc490b24b0138c3a

SHA512
d02ed6c3557e5f19715f668544912d3c39643a6c09dadf37b6afec9f1b6ff636f4fe5d0a7fe58cd9c17d3510b9de56e809ec2d811f20bb48107469a294022450

Download Submit
C:\Users\Admin\xdha.ocx

Filesize
9B

MD5
9d1ead73e678fa2f51a70a933b0bf017

SHA1
d205cbd6783332a212c5ae92d73c77178c2d2f28

SHA256
0019dfc4b32d63c1392aa264aed2253c1e0c2fb09216f8e2cc269bbfb8bb49b5

SHA512
935b3d516e996f6d25948ba8a54c1b7f70f7f0e3f517e36481fdf0196c2c5cfc2841f86e891f3df9517746b7fb605db47cdded1b8ff78d9482ddaa621db43a34

Download Submit
memory/3940-7-0x00007FFCEA1D0000-0x00007FFCEA1E0000-memory.dmp

Filesize
64KB

Download
memory/3940-13-0x00007FFCE8110000-0x00007FFCE8120000-memory.dmp

Filesize
64KB

Download
memory/3940-5-0x00007FFD2A150000-0x00007FFD2A345000-memory.dmp

Filesize
2.0MB

Download
memory/3940-4-0x00007FFCEA1D0000-0x00007FFCEA1E0000-memory.dmp

Filesize
64KB

Download
memory/3940-0-0x00007FFCEA1D0000-0x00007FFCEA1E0000-memory.dmp

Filesize
64KB

Download
memory/3940-6-0x00007FFD2A150000-0x00007FFD2A345000-memory.dmp

Filesize
2.0MB

Download
memory/3940-9-0x00007FFD2A150000-0x00007FFD2A345000-memory.dmp

Filesize
2.0MB

Download
memory/3940-11-0x00007FFD2A150000-0x00007FFD2A345000-memory.dmp

Filesize
2.0MB

Download
memory/3940-12-0x00007FFCE8110000-0x00007FFCE8120000-memory.dmp

Filesize
64KB

Download
memory/3940-16-0x00007FFD2A150000-0x00007FFD2A345000-memory.dmp

Filesize
2.0MB

Download
memory/3940-3-0x00007FFCEA1D0000-0x00007FFCEA1E0000-memory.dmp

Filesize
64KB

Download
memory/3940-8-0x00007FFD2A150000-0x00007FFD2A345000-memory.dmp

Filesize
2.0MB

Download
memory/3940-10-0x00007FFD2A150000-0x00007FFD2A345000-memory.dmp

Filesize
2.0MB

Download
memory/3940-17-0x00007FFD2A150000-0x00007FFD2A345000-memory.dmp

Filesize
2.0MB

Download
memory/3940-15-0x00007FFD2A150000-0x00007FFD2A345000-memory.dmp

Filesize
2.0MB

Download
memory/3940-14-0x00007FFD2A150000-0x00007FFD2A345000-memory.dmp

Filesize
2.0MB

Download
memory/3940-1-0x00007FFD2A1ED000-0x00007FFD2A1EE000-memory.dmp

Filesize
4KB

Download
memory/3940-35-0x00007FFD2A150000-0x00007FFD2A345000-memory.dmp

Filesize
2.0MB

Download
memory/3940-36-0x00007FFD2A1ED000-0x00007FFD2A1EE000-memory.dmp

Filesize
4KB

Download
memory/3940-37-0x00007FFD2A150000-0x00007FFD2A345000-memory.dmp

Filesize
2.0MB

Download
memory/3940-38-0x00007FFD2A150000-0x00007FFD2A345000-memory.dmp

Filesize
2.0MB

Download
memory/3940-2-0x00007FFCEA1D0000-0x00007FFCEA1E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads