Analysis
max time kernel: 149s
max time network: 139s
platform: windows10_x64
resource: win10-en-20211208
submitted: 13-01-2022 22:37
Behavioral task: behavioral1
Sample: 792a7b8e75aa51f90c66ee711faf429dfe3220b038cc3725ee935083fcb60e0f.xlsm
Resource: win10-en-20211208

Behavioral task: behavioral2
Sample: 792a7b8e75aa51f90c66ee711faf429dfe3220b038cc3725ee935083fcb60e0f.xlsm
Resource: win10-en-20211208
General
Target: 792a7b8e75aa51f90c66ee711faf429dfe3220b038cc3725ee935083fcb60e0f.xlsm
Size: 83KB
MD5: 7a289586cef7787e334abefa7601508c
SHA1: f4d6bb8ffcd38e7b9f8d31c7a442f0388cfe5602
SHA256: 792a7b8e75aa51f90c66ee711faf429dfe3220b038cc3725ee935083fcb60e0f
SHA512: d8b236deb1e722a3a724b587db0737fa2c9cf500817a32017300d6de7541e75a571b7813f0a78a4cad1d02af685ef6acf5522990b0372612de87edc0c4e00632
Malware Config
Extracted
http://adi.iswks.com/assets/hO1v71pqfNN/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  pid 3200 (rundll32.exe), spawned by pid 3380 (EXCEL.EXE)

suricata: ET MALWARE W32/Emotet CnC Beacon 3 (2 alerts)

Blocklisted process makes network request (3 IoCs)
  flow 43  pid 4896  rundll32.exe
  flow 44  pid 4896  rundll32.exe
  flow 45  pid 4896  rundll32.exe

Downloads MZ/PE file

Loads dropped DLL (2 IoCs)
  pid 3200  rundll32.exe
  pid 4520  rundll32.exe

Drops file in System32 directory (1 IoC)
  File opened for modification  C:\Windows\SysWOW64\Rxdcgaqsz\fxakrj.rgm  rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but it is a generic heuristic: no file-encryption activity appears anywhere else in this report.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Here every read comes from EXCEL.EXE itself, so it may be ordinary Office start-up rather than the macro payload; treat it as a weak indicator on its own.
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 3380  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 4896  rundll32.exe  (2 occurrences)

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid 3380  EXCEL.EXE  (12 occurrences)

Suspicious use of WriteProcessMemory (12 IoCs)
Each hand-off in the chain is recorded three times (the usual CreateProcess pattern seen by the monitor):
  PID 3380 EXCEL.EXE    wrote to memory of 3200 rundll32.exe  (x3)
  PID 3200 rundll32.exe wrote to memory of 4520 rundll32.exe  (x3)
  PID 4520 rundll32.exe wrote to memory of 2896 rundll32.exe  (x3)
  PID 2896 rundll32.exe wrote to memory of 4896 rundll32.exe  (x3)
Processes
(PIDs taken from the WriteProcessMemory rows above; indentation shows the parent/child chain.)

EXCEL.EXE (PID 3380)
  Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\792a7b8e75aa51f90c66ee711faf429dfe3220b038cc3725ee935083fcb60e0f.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  rundll32.exe (PID 3200)
    Image: C:\Windows\SysWow64\rundll32.exe
    Command line: C:\Windows\SysWow64\rundll32.exe ..\wxeu.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    rundll32.exe (PID 4520)
      Image: C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\wxeu.ocx",DllRegisterServer
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      rundll32.exe (PID 2896)
        Image: C:\Windows\SysWOW64\rundll32.exe
        Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Rxdcgaqsz\fxakrj.rgm",tfVplfTPa
        - Suspicious use of WriteProcessMemory

        rundll32.exe (PID 4896)
          Image: C:\Windows\SysWOW64\rundll32.exe
          Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Rxdcgaqsz\fxakrj.rgm",DllRegisterServer
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses

Two details worth noting when writing detections from this tree. The export name in the PID 3200 command line is split with VBA-style "&" concatenation, so the literal string DllRegisterServer does not appear in the command line Excel issues; the PID 4520 re-launch carries the resolved name. The PID 4896 command line names C:\Windows\System32\, but the process is 32-bit (image under SysWOW64), so WOW64 file-system redirection maps that path to C:\Windows\SysWOW64\Rxdcgaqsz\fxakrj.rgm, the same file the "Drops file in System32 directory" signature records.
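The chain above can be turned into detection logic that does not depend on the literal export name or on the System32/SysWOW64 spelling. The following is an added example, not part of the sandbox report: the events are rebuilt from the process tree and the WriteProcessMemory rows (3380 -> 3200 -> 4520 -> 2896 -> 4896) in a Sysmon-like shape, the parent PID of EXCEL.EXE (1000) is assumed, and the rule names, Office image list and trusted-root list are mine. It collapses the "&" concatenation, parses the rundll32 module and export, resolves WOW64 redirection, and flags the Office-to-rundll32 hand-off, relative or user-profile module paths, non-.dll module extensions and rundll32 re-spawning itself.

```python
"""Process-chain detection walk-through for the Emotet run in this report.

Added example; not part of the sandbox output. Events are rebuilt from the
report's process tree and WriteProcessMemory rows. Assumed: EXCEL.EXE's
parent PID (1000), the rule names, OFFICE and TRUSTED_ROOTS.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree; PIDs come from its WriteProcessMemory rows.
EVENTS = [
    ProcEvent(3380, 1000, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
              r'"C:\Users\Admin\AppData\Local\Temp\792a7b8e75aa51f90c66ee711faf429dfe3220b038cc3725ee935083fcb60e0f.xlsm"'),
    ProcEvent(3200, 3380, r"C:\Windows\SysWow64\rundll32.exe",
              r'C:\Windows\SysWow64\rundll32.exe ..\wxeu.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r'),
    ProcEvent(4520, 3200, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\wxeu.ocx",DllRegisterServer'),
    ProcEvent(2896, 4520, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Rxdcgaqsz\fxakrj.rgm",tfVplfTPa'),
    ProcEvent(4896, 2896, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Rxdcgaqsz\fxakrj.rgm",DllRegisterServer'),
]

CONCAT_RE = re.compile(r'"\s*&\s*"')  # VBA-style "&" joins left inside one token
RUNDLL32_RE = re.compile(r'\S*rundll32\.exe\s+(?:"([^"]+)"|([^\s,]+))\s*,\s*(\S+)', re.IGNORECASE)
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}          # illustrative list
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM32 = "c:\\windows\\system32\\"


def deobfuscate_concat(cmdline: str) -> str:
    """Collapse D"&"l"&"lR"&"egister"&"Serve"&"r into DllRegisterServer."""
    return CONCAT_RE.sub("", cmdline)


def parse_rundll32(cmdline: str):
    """Return (module, export) from a rundll32 command line, or None."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2)), m.group(3)


def resolve_wow64(module: str, image: str) -> str:
    """A 32-bit process (image under SysWOW64) that names System32 is redirected
    by WOW64 to SysWOW64, so the report's two fxakrj.rgm paths are one file."""
    if "\\syswow64\\" in image.lower() and module.lower().startswith(SYSTEM32):
        return "C:\\Windows\\SysWOW64\\" + module[len(SYSTEM32):]
    return module


def loaded_modules(events):
    """Map pid -> WOW64-resolved module path for every rundll32 event."""
    out = {}
    for e in events:
        if ntpath.basename(e.image).lower() != "rundll32.exe":
            continue
        parsed = parse_rundll32(deobfuscate_concat(e.cmdline))
        if parsed:
            out[e.pid] = resolve_wow64(parsed[0], e.image)
    return out


def analyze(events):
    """Return (pid, rule) pairs; the rules mirror the report's own signatures."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        pname = ntpath.basename(parent.image).lower() if parent else ""
        if pname in OFFICE and name == "rundll32.exe":
            findings.append((e.pid, "office_spawned_rundll32"))
        clean = deobfuscate_concat(e.cmdline)
        if clean != e.cmdline:
            findings.append((e.pid, "vba_concat_in_cmdline"))
        if name != "rundll32.exe":
            continue
        parsed = parse_rundll32(clean)
        if parsed is None:
            continue
        module, _export = parsed
        if not ntpath.isabs(module):  # ..\wxeu.ocx is relative to Excel's working directory
            findings.append((e.pid, "relative_module_path"))
        elif not resolve_wow64(module, e.image).lower().startswith(TRUSTED_ROOTS):
            findings.append((e.pid, "module_outside_trusted_roots"))
        if ntpath.splitext(module)[1].lower() != ".dll":  # .ocx / .rgm used as a DLL
            findings.append((e.pid, "non_dll_module_extension"))
        if pname == "rundll32.exe":
            findings.append((e.pid, "rundll32_respawn"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyze(EVENTS):
        print(pid, rule)
```

Running it lists eleven findings: four on PID 3200 (the Office hand-off, the "&" concatenation, the relative module path and the .ocx extension), and then the re-spawn plus non-.dll extension on each later rundll32, with the user-profile path flagged only on PID 4520. Note that the extension and path rules are what survive the obfuscation: a rule keyed on the string DllRegisterServer would miss PID 3200 entirely.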
Downloads

C:\Users\Admin\wxeu.ocx
MD5: f3ee6c287e266d4412340b912ecfc813
SHA1: b9d3be99d2f2a48f48a7b9ce3318c8805e897827
SHA256: de6c0de31341ce1d79edf4a3b89d083c99c6fa761272ee77313db94c7641d45a
SHA512: 3770e26198e327b322864d4742ec8819816ed8273aa494b5ab5e03dab783ff2f13902758089108b3fe521454bcf73f66d741ec139a2975d993c7581a90a93f1c
Memory dumps
memory/2896-282-0x0000000000000000-mapping.dmp
memory/3200-261-0x0000000000000000-mapping.dmp
memory/3380-119-0x00000268569F0000-0x00000268569F2000-memory.dmp  (8KB)
memory/3380-121-0x00000268569F0000-0x00000268569F2000-memory.dmp  (8KB)
memory/3380-127-0x00007FFBCBCE0000-0x00007FFBCBCF0000-memory.dmp  (64KB)
memory/3380-128-0x00007FFBCBCE0000-0x00007FFBCBCF0000-memory.dmp  (64KB)
memory/3380-129-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp  (64KB)
memory/3380-120-0x00000268569F0000-0x00000268569F2000-memory.dmp  (8KB)
memory/3380-115-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp  (64KB)
memory/3380-118-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp  (64KB)
memory/3380-117-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp  (64KB)
memory/3380-116-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp  (64KB)
memory/4520-266-0x0000000000000000-mapping.dmp
memory/4896-287-0x0000000000000000-mapping.dmp