792a7b8e75aa51f90c66ee711faf429dfe3220b038cc3725ee935083fcb60e0f

General

Target

792a7b8e75aa51f90c66ee711faf429dfe3220b038cc3725ee935083fcb60e0f.xlsm
Size

83KB
MD5

7a289586cef7787e334abefa7601508c
SHA1

f4d6bb8ffcd38e7b9f8d31c7a442f0388cfe5602
SHA256

792a7b8e75aa51f90c66ee711faf429dfe3220b038cc3725ee935083fcb60e0f
SHA512

d8b236deb1e722a3a724b587db0737fa2c9cf500817a32017300d6de7541e75a571b7813f0a78a4cad1d02af685ef6acf5522990b0372612de87edc0c4e00632

Score

10^/10

suricata

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://adi.iswks.com/assets/hO1v71pqfNN/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3200	3380	rundll32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

43 4896 rundll32.exe
44 4896 rundll32.exe
45 4896 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3200 rundll32.exe
4520 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Rxdcgaqsz\fxakrj.rgm rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
43	4896	rundll32.exe
44	4896	rundll32.exe
45	4896	rundll32.exe

pid	process
3200	rundll32.exe
4520	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Rxdcgaqsz\fxakrj.rgm	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3380 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

4896 rundll32.exe
4896 rundll32.exe

pid	process
4896	rundll32.exe
4896	rundll32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE
3380	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3380 wrote to memory of 3200	3380	EXCEL.EXE	rundll32.exe
PID 3380 wrote to memory of 3200	3380	EXCEL.EXE	rundll32.exe
PID 3380 wrote to memory of 3200	3380	EXCEL.EXE	rundll32.exe
PID 3200 wrote to memory of 4520	3200	rundll32.exe	rundll32.exe
PID 3200 wrote to memory of 4520	3200	rundll32.exe	rundll32.exe
PID 3200 wrote to memory of 4520	3200	rundll32.exe	rundll32.exe
PID 4520 wrote to memory of 2896	4520	rundll32.exe	rundll32.exe
PID 4520 wrote to memory of 2896	4520	rundll32.exe	rundll32.exe
PID 4520 wrote to memory of 2896	4520	rundll32.exe	rundll32.exe
PID 2896 wrote to memory of 4896	2896	rundll32.exe	rundll32.exe
PID 2896 wrote to memory of 4896	2896	rundll32.exe	rundll32.exe
PID 2896 wrote to memory of 4896	2896	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\792a7b8e75aa51f90c66ee711faf429dfe3220b038cc3725ee935083fcb60e0f.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWow64\rundll32.exe
C:\Windows\SysWow64\rundll32.exe ..\wxeu.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\wxeu.ocx",DllRegisterServer
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Rxdcgaqsz\fxakrj.rgm",tfVplfTPa
4⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Rxdcgaqsz\fxakrj.rgm",DllRegisterServer
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\wxeu.ocx
MD5
f3ee6c287e266d4412340b912ecfc813

SHA1
b9d3be99d2f2a48f48a7b9ce3318c8805e897827

SHA256
de6c0de31341ce1d79edf4a3b89d083c99c6fa761272ee77313db94c7641d45a

SHA512
3770e26198e327b322864d4742ec8819816ed8273aa494b5ab5e03dab783ff2f13902758089108b3fe521454bcf73f66d741ec139a2975d993c7581a90a93f1c

Download Submit
\Users\Admin\wxeu.ocx
MD5
f3ee6c287e266d4412340b912ecfc813

SHA1
b9d3be99d2f2a48f48a7b9ce3318c8805e897827

SHA256
de6c0de31341ce1d79edf4a3b89d083c99c6fa761272ee77313db94c7641d45a

SHA512
3770e26198e327b322864d4742ec8819816ed8273aa494b5ab5e03dab783ff2f13902758089108b3fe521454bcf73f66d741ec139a2975d993c7581a90a93f1c

Download Submit
\Users\Admin\wxeu.ocx
MD5
f3ee6c287e266d4412340b912ecfc813

SHA1
b9d3be99d2f2a48f48a7b9ce3318c8805e897827

SHA256
de6c0de31341ce1d79edf4a3b89d083c99c6fa761272ee77313db94c7641d45a

SHA512
3770e26198e327b322864d4742ec8819816ed8273aa494b5ab5e03dab783ff2f13902758089108b3fe521454bcf73f66d741ec139a2975d993c7581a90a93f1c

Download Submit
memory/2896-282-0x0000000000000000-mapping.dmp

Download
memory/3200-261-0x0000000000000000-mapping.dmp

Download
memory/3380-119-0x00000268569F0000-0x00000268569F2000-memory.dmp

Filesize
8KB

Download
memory/3380-121-0x00000268569F0000-0x00000268569F2000-memory.dmp

Filesize
8KB

Download
memory/3380-127-0x00007FFBCBCE0000-0x00007FFBCBCF0000-memory.dmp

Filesize
64KB

Download
memory/3380-128-0x00007FFBCBCE0000-0x00007FFBCBCF0000-memory.dmp

Filesize
64KB

Download
memory/3380-129-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp

Filesize
64KB

Download
memory/3380-120-0x00000268569F0000-0x00000268569F2000-memory.dmp

Filesize
8KB

Download
memory/3380-115-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp

Filesize
64KB

Download
memory/3380-118-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp

Filesize
64KB

Download
memory/3380-117-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp

Filesize
64KB

Download
memory/3380-116-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp

Filesize
64KB

Download
memory/4520-266-0x0000000000000000-mapping.dmp

Download
memory/4896-287-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads