Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    14-01-2022 06:47

General

  • Target

    0766c61d5d861dd6db71ee8f535e5f405f9d7ae80dfc5c83938e000d2b4ba58a.xlsm

  • Size

    83KB

  • MD5

    5610c5825e0a6dfdeff609a7892a5248

  • SHA1

    3d51a54040324acc824c1b9beb8cb042e923fb76

  • SHA256

    0766c61d5d861dd6db71ee8f535e5f405f9d7ae80dfc5c83938e000d2b4ba58a

  • SHA512

    81f025d1171ec68e1b67dd57778d8475382a6c70c9815931f9a3e4c24f5dd50d98ff096598669de5c0bb191ab22a7e0e8e6b88ff73a068ef6e12cbb9548d38f0

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://adi.iswks.com/assets/hO1v71pqfNN/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0766c61d5d861dd6db71ee8f535e5f405f9d7ae80dfc5c83938e000d2b4ba58a.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Windows\SysWow64\rundll32.exe
      C:\Windows\SysWow64\rundll32.exe ..\wxeu.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3500
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\wxeu.ocx",DllRegisterServer
        3⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Atyyxqaconffosjv\jqjxtcoc.clp",QyYqZS
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2152
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Atyyxqaconffosjv\jqjxtcoc.clp",DllRegisterServer
            5⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\wxeu.ocx
    MD5

    8c25d2b7e7855d68f6e4839c68cac713

    SHA1

    23fbb6230fca685ec9e08ea9dee254f8e5915c1a

    SHA256

    a428659cdee3ba89a50a25f21d12b5b6b468da5b8ce06295465530ad5e09b3a9

    SHA512

    777fa9363bf317ef6da8abb09c6f2a0d25f9a4b7ec54663307e6615a580848b6eaf4d1aada6f118494fcbb98a7d582dfc5ac8a837ee35bd4d8ec48bf71c8db81

  • \Users\Admin\wxeu.ocx
    MD5

    8c25d2b7e7855d68f6e4839c68cac713

    SHA1

    23fbb6230fca685ec9e08ea9dee254f8e5915c1a

    SHA256

    a428659cdee3ba89a50a25f21d12b5b6b468da5b8ce06295465530ad5e09b3a9

    SHA512

    777fa9363bf317ef6da8abb09c6f2a0d25f9a4b7ec54663307e6615a580848b6eaf4d1aada6f118494fcbb98a7d582dfc5ac8a837ee35bd4d8ec48bf71c8db81

  • \Users\Admin\wxeu.ocx
    MD5

    8c25d2b7e7855d68f6e4839c68cac713

    SHA1

    23fbb6230fca685ec9e08ea9dee254f8e5915c1a

    SHA256

    a428659cdee3ba89a50a25f21d12b5b6b468da5b8ce06295465530ad5e09b3a9

    SHA512

    777fa9363bf317ef6da8abb09c6f2a0d25f9a4b7ec54663307e6615a580848b6eaf4d1aada6f118494fcbb98a7d582dfc5ac8a837ee35bd4d8ec48bf71c8db81

  • memory/528-119-0x00007FFE91410000-0x00007FFE91420000-memory.dmp
    Filesize

    64KB

  • memory/528-116-0x00007FFE91410000-0x00007FFE91420000-memory.dmp
    Filesize

    64KB

  • memory/528-121-0x00000151DECA0000-0x00000151DECA2000-memory.dmp
    Filesize

    8KB

  • memory/528-120-0x00000151DECA0000-0x00000151DECA2000-memory.dmp
    Filesize

    8KB

  • memory/528-122-0x00000151DECA0000-0x00000151DECA2000-memory.dmp
    Filesize

    8KB

  • memory/528-128-0x00007FFE8D940000-0x00007FFE8D950000-memory.dmp
    Filesize

    64KB

  • memory/528-129-0x00007FFE8D940000-0x00007FFE8D950000-memory.dmp
    Filesize

    64KB

  • memory/528-118-0x00007FFE91410000-0x00007FFE91420000-memory.dmp
    Filesize

    64KB

  • memory/528-117-0x00007FFE91410000-0x00007FFE91420000-memory.dmp
    Filesize

    64KB

  • memory/528-115-0x00007FFE91410000-0x00007FFE91420000-memory.dmp
    Filesize

    64KB

  • memory/1484-288-0x0000000000000000-mapping.dmp
  • memory/2040-271-0x0000000000000000-mapping.dmp
  • memory/2152-283-0x0000000000000000-mapping.dmp
  • memory/3500-266-0x0000000000000000-mapping.dmp