Analysis
max time kernel: 149s
max time network: 142s
platform: windows10_x64
resource: win10-en-20211208
submitted: 14-01-2022 06:47
Behavioral task behavioral1
Sample: 0766c61d5d861dd6db71ee8f535e5f405f9d7ae80dfc5c83938e000d2b4ba58a.xlsm
Resource: win10-en-20211208
Behavioral task behavioral2
Sample: 0766c61d5d861dd6db71ee8f535e5f405f9d7ae80dfc5c83938e000d2b4ba58a.xlsm
Resource: win10-en-20211208
General
Target: 0766c61d5d861dd6db71ee8f535e5f405f9d7ae80dfc5c83938e000d2b4ba58a.xlsm
Size: 83KB
MD5: 5610c5825e0a6dfdeff609a7892a5248
SHA1: 3d51a54040324acc824c1b9beb8cb042e923fb76
SHA256: 0766c61d5d861dd6db71ee8f535e5f405f9d7ae80dfc5c83938e000d2b4ba58a
SHA512: 81f025d1171ec68e1b67dd57778d8475382a6c70c9815931f9a3e4c24f5dd50d98ff096598669de5c0bb191ab22a7e0e8e6b88ff73a068ef6e12cbb9548d38f0
Malware Config
Extracted: http://adi.iswks.com/assets/hO1v71pqfNN/
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3500 | 528 | rundll32.exe | EXCEL.EXE
suricata: ET MALWARE W32/Emotet CnC Beacon 3 (alert recorded twice)
Blocklisted process makes network request (2 IoCs)
Processes:
flow | pid | process
46 | 1484 | rundll32.exe
47 | 1484 | rundll32.exe
Downloads MZ/PE file
Loads dropped DLL (2 IoCs)
Processes:
pid | process
3500 | rundll32.exe
2040 | rundll32.exe
Drops file in System32 directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Atyyxqaconffosjv\jqjxtcoc.clp | rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; no other signature in this report shows file encryption or mass file modification, so for this sample treat it as a low-confidence signal.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Both sets of registry reads are attributed to EXCEL.EXE itself, not to the rundll32 stages that carry the payload, so on their own they are weak evidence of sandbox evasion by this sample.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
pid | process
528 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
1484 | rundll32.exe
1484 | rundll32.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes:
pid | process
528 | EXCEL.EXE (12 identical entries)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 528 wrote to memory of 3500 | 528 | EXCEL.EXE | rundll32.exe (3 entries)
PID 3500 wrote to memory of 2040 | 3500 | rundll32.exe | rundll32.exe (3 entries)
PID 2040 wrote to memory of 2152 | 2040 | rundll32.exe | rundll32.exe (3 entries)
PID 2152 wrote to memory of 1484 | 2152 | rundll32.exe | rundll32.exe (3 entries)
Every write here goes from a parent into the child it has just created (the chain 528 -> 3500 -> 2040 -> 2152 -> 1484), which is what a sandbox records during ordinary process start-up; read these entries as confirmation of the spawn chain rather than as injection into an unrelated process.
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 528)
   "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0766c61d5d861dd6db71ee8f535e5f405f9d7ae80dfc5c83938e000d2b4ba58a.xlsm"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWow64\rundll32.exe (PID 3500, spawned by 528)
   C:\Windows\SysWow64\rundll32.exe ..\wxeu.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
   - Process spawned unexpected child process
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   The export argument is DllRegisterServer split into Excel-style string fragments joined with "&", an obfuscation aimed at static matching on the export name. rundll32 loads the module (running its DllMain) before it resolves any export, and this process goes on to spawn the next stage with the name spelled out. The relative path ..\wxeu.ocx corresponds to the dropped file recorded under Downloads as C:\Users\Admin\wxeu.ocx.
3. C:\Windows\SysWOW64\rundll32.exe (PID 2040, spawned by 3500)
   C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\wxeu.ocx",DllRegisterServer
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   This stage writes the copy at C:\Windows\SysWOW64\Atyyxqaconffosjv\jqjxtcoc.clp (see Drops file in System32 directory above).
4. C:\Windows\SysWOW64\rundll32.exe (PID 2152, spawned by 2040)
   C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Atyyxqaconffosjv\jqjxtcoc.clp",QyYqZS
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\rundll32.exe (PID 1484, spawned by 2152)
   C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Atyyxqaconffosjv\jqjxtcoc.clp",DllRegisterServer
   - Blocklisted process makes network request
   - Suspicious behavior: EnumeratesProcesses
   The module path is spelled System32 here, but for a 32-bit process (SysWOW64\rundll32.exe) the WOW64 file system redirector maps System32 to SysWOW64, so this is the same file as in step 4, not a second copy. This is the only process in the report that makes network requests (flows 46 and 47).
PID attributions follow the WriteProcessMemory and Loads dropped DLL tables above.
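The chain above (an Office parent, rundll32 with a fragmented export name, a non-DLL module from a user-writable path, rundll32 re-launching itself, and the System32/SysWOW64 spelling of one file) is what a detection would key on. The following is an added example, not part of this report or of any vendor's tooling: a small Python triage over constructed process-creation events that reuse the PIDs, images and command lines shown on this page. The parent PID 4000 for EXCEL.EXE, the benign control event (PID 700, shell32.dll) and the rule names are assumptions.

```python
import ntpath
import re
from typing import Optional

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
DLL_EXTENSIONS = {".dll", ".cpl"}
CONCAT = '"&"'  # Excel-style string-concatenation fragments left in the command line

# Constructed process-creation events. PIDs, images and command lines are the ones
# from this report; PPID 4000 and the control event (PID 700) are assumptions.
EVENTS = [
    {"pid": 528, "ppid": 4000,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
                r'"C:\Users\Admin\AppData\Local\Temp\0766c61d5d861dd6db71ee8f535e5f405f9d7ae80dfc5c83938e000d2b4ba58a.xlsm"'},
    {"pid": 3500, "ppid": 528, "image": r"C:\Windows\SysWow64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWow64\rundll32.exe ..\wxeu.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r'},
    {"pid": 2040, "ppid": 3500, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\wxeu.ocx",DllRegisterServer'},
    {"pid": 2152, "ppid": 2040, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Atyyxqaconffosjv\jqjxtcoc.clp",QyYqZS'},
    {"pid": 1484, "ppid": 2152, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Atyyxqaconffosjv\jqjxtcoc.clp",DllRegisterServer'},
    {"pid": 700, "ppid": 4000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},  # benign control
]

# rundll32 <module>,<export>; the module may be quoted.
RUNDLL_RE = re.compile(r'rundll32\.exe\s+(?:"([^"]+)"|(\S+?)),(\S+)', re.IGNORECASE)


def deobfuscate_concat(arg: str) -> tuple[str, bool]:
    """Join fragments like D"&"l"&"l back into Dll; report whether any were present."""
    return arg.replace(CONCAT, ""), CONCAT in arg


def parse_rundll32(cmdline: str) -> Optional[tuple[str, str, bool]]:
    """Return (module, export, obfuscated) for a rundll32 command line, else None."""
    clean, obfuscated = deobfuscate_concat(cmdline)
    m = RUNDLL_RE.search(clean)
    if not m:
        return None
    return m.group(1) or m.group(2), m.group(3), obfuscated


def wow64_canonical(path: str, image: str) -> str:
    """For a 32-bit process (image under SysWOW64) the WOW64 file system redirector
    maps the System32 directory to SysWOW64, so both spellings name one file."""
    if "\\syswow64\\" in image.lower():
        return re.sub(r"(?i)\\windows\\system32\\", r"\\Windows\\SysWOW64\\", path)
    return path


def rundll32_modules(events) -> dict[int, str]:
    """pid -> canonical, lower-cased module path for every rundll32 event."""
    out = {}
    for e in events:
        parsed = parse_rundll32(e["cmdline"])
        if parsed:
            out[e["pid"]] = wow64_canonical(parsed[0], e["image"]).lower()
    return out


def ancestry(events, pid: int) -> list[int]:
    """Walk ppid links back to the oldest event we have: [root, ..., pid]."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def triage(events) -> dict[int, list[str]]:
    """Apply the rules to each event; return pid -> list of rule names that matched."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        child = ntpath.basename(e["image"]).lower()
        parent = by_pid.get(e["ppid"])
        parent_img = ntpath.basename(parent["image"]).lower() if parent else ""
        reasons = []
        if parent_img in OFFICE_IMAGES and child in LOLBIN_HOSTS:
            reasons.append("office_spawned_" + child)
        if child == "rundll32.exe" and (parsed := parse_rundll32(e["cmdline"])):
            module, export, obfuscated = parsed
            ext = ntpath.splitext(module)[1].lower()
            if obfuscated:
                reasons.append("concat_obfuscated_args")
            if ext not in DLL_EXTENSIONS:
                reasons.append("non_dll_module:" + (ext or "<none>"))
            if module.startswith("..") or "\\users\\" in module.lower():
                reasons.append("module_from_user_writable_path")
            if export.lower() == "dllregisterserver" and ext not in DLL_EXTENSIONS:
                reasons.append("dllregisterserver_on_non_dll")
            if parent_img == "rundll32.exe":
                reasons.append("rundll32_relaunch")
        if reasons:
            findings[e["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(pid, " -> ".join(map(str, ancestry(EVENTS, pid))), reasons)
```

Run stand-alone it flags PIDs 3500, 2040, 2152 and 1484 and leaves EXCEL.EXE and the shell32.dll control alone; rundll32_modules shows steps 4 and 5 resolving to the same SysWOW64 path once the redirector is accounted for, which is the check to make before counting dropped files.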
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\wxeu.ocx (listed three times, once as C:\Users\Admin\wxeu.ocx and twice as \Users\Admin\wxeu.ocx, all with the same hashes)
MD5: 8c25d2b7e7855d68f6e4839c68cac713
SHA1: 23fbb6230fca685ec9e08ea9dee254f8e5915c1a
SHA256: a428659cdee3ba89a50a25f21d12b5b6b468da5b8ce06295465530ad5e09b3a9
SHA512: 777fa9363bf317ef6da8abb09c6f2a0d25f9a4b7ec54663307e6615a580848b6eaf4d1aada6f118494fcbb98a7d582dfc5ac8a837ee35bd4d8ec48bf71c8db81
The copy at C:\Windows\SysWOW64\Atyyxqaconffosjv\jqjxtcoc.clp is not hashed in this report.
memory/528-115-0x00007FFE91410000-0x00007FFE91420000-memory.dmp: 64KB
memory/528-116-0x00007FFE91410000-0x00007FFE91420000-memory.dmp: 64KB
memory/528-117-0x00007FFE91410000-0x00007FFE91420000-memory.dmp: 64KB
memory/528-118-0x00007FFE91410000-0x00007FFE91420000-memory.dmp: 64KB
memory/528-119-0x00007FFE91410000-0x00007FFE91420000-memory.dmp: 64KB
memory/528-120-0x00000151DECA0000-0x00000151DECA2000-memory.dmp: 8KB
memory/528-121-0x00000151DECA0000-0x00000151DECA2000-memory.dmp: 8KB
memory/528-122-0x00000151DECA0000-0x00000151DECA2000-memory.dmp: 8KB
memory/528-128-0x00007FFE8D940000-0x00007FFE8D950000-memory.dmp: 64KB
memory/528-129-0x00007FFE8D940000-0x00007FFE8D950000-memory.dmp: 64KB
memory/3500-266-0x0000000000000000-mapping.dmp
memory/2040-271-0x0000000000000000-mapping.dmp
memory/2152-283-0x0000000000000000-mapping.dmp
memory/1484-288-0x0000000000000000-mapping.dmp