Analysis
max time kernel: 150s
max time network: 142s
platform: windows10_x64
resource: win10-en-20211208
submitted: 15-01-2022 01:37
Behavioral task: behavioral1
Sample: 38e63247da950af1a3a96864cef46f801d99fe847c9cfab2022dd1bbfd969247.xlsm
Resource: win10-en-20211208

Behavioral task: behavioral2
Sample: 38e63247da950af1a3a96864cef46f801d99fe847c9cfab2022dd1bbfd969247.xlsm
Resource: win10-en-20211208
General
Target: 38e63247da950af1a3a96864cef46f801d99fe847c9cfab2022dd1bbfd969247.xlsm
Size: 83KB
MD5: a0af41ef26d2bd43511e21159b1059ec
SHA1: b08b89450e52e611ce8f40bf3e433c7faa62bc1e
SHA256: 38e63247da950af1a3a96864cef46f801d99fe847c9cfab2022dd1bbfd969247
SHA512: fea9b6a44b9903c38ef56cb320e1f4e1be92d13775e61e4a59906ba0e127506d36e2d729f72011298c6c846cd5a03fc993e2b5b7cc61c3aecffb3f5ddadb2d27
Malware Config
Extracted URL: http://www.crownpacificpartners.com/guglio/Rt4el/
Signatures

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
    pid: 2620 (rundll32.exe)  pid_target: 456 (EXCEL.EXE)

- Blocklisted process makes network request (2 IoCs)
  Processes (flow, pid, process):
    46  3604  rundll32.exe
    47  3604  rundll32.exe

- Downloads MZ/PE file

- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    2620  rundll32.exe
    2180  rundll32.exe

- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\Bsqnyprceq\iytcgsaqnnraep.fkw  rundll32.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                EXCEL.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid, process):
    456  EXCEL.EXE

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    3604  rundll32.exe (2 occurrences)

- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes (pid, process):
    456  EXCEL.EXE (12 occurrences)

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 456 wrote to memory of 2620    456   EXCEL.EXE     rundll32.exe  (3 occurrences)
    PID 2620 wrote to memory of 2180   2620  rundll32.exe  rundll32.exe  (3 occurrences)
    PID 2180 wrote to memory of 1680   2180  rundll32.exe  rundll32.exe  (3 occurrences)
    PID 1680 wrote to memory of 3604   1680  rundll32.exe  rundll32.exe  (3 occurrences)
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\38e63247da950af1a3a96864cef46f801d99fe847c9cfab2022dd1bbfd969247.xlsm"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWow64\rundll32.exe
      Command line: C:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\erum.ocx",DllRegisterServer
         - Loads dropped DLL
         - Drops file in System32 directory
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\rundll32.exe
            Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bsqnyprceq\iytcgsaqnnraep.fkw",SOhAimPgB
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\rundll32.exe
               Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bsqnyprceq\iytcgsaqnnraep.fkw",DllRegisterServer
               - Blocklisted process makes network request
               - Suspicious behavior: EnumeratesProcesses
Downloads

C:\Users\Admin\erum.ocx
MD5: 71b9190e4bb6342e08cd0b150d6f1465
SHA1: e3c67b545fded250f1a03b9fa94cf90d156db93b
SHA256: ebfa0393fef306631c53ab660185a01fb11664951e13be7bddbdf84251ae464b
SHA512: af05d805223869e8d55429234a51d6d218c119500a1ffed4fcbccaebd80465bce112b4192eacc75d969a0394f2d7d8dfa3870c305e73e9ed4567ae0954a797e4
Memory dumps (name, filesize):
memory/456-115-0x00007FFE91410000-0x00007FFE91420000-memory.dmp  64KB
memory/456-116-0x00007FFE91410000-0x00007FFE91420000-memory.dmp  64KB
memory/456-117-0x00007FFE91410000-0x00007FFE91420000-memory.dmp  64KB
memory/456-118-0x00007FFE91410000-0x00007FFE91420000-memory.dmp  64KB
memory/456-119-0x00007FFE91410000-0x00007FFE91420000-memory.dmp  64KB
memory/456-120-0x00000271A8CB0000-0x00000271A8CB2000-memory.dmp  8KB
memory/456-121-0x00000271A8CB0000-0x00000271A8CB2000-memory.dmp  8KB
memory/456-122-0x00000271A8CB0000-0x00000271A8CB2000-memory.dmp  8KB
memory/456-128-0x00007FFE8D940000-0x00007FFE8D950000-memory.dmp  64KB
memory/456-129-0x00007FFE8D940000-0x00007FFE8D950000-memory.dmp  64KB

Mapping dumps:
memory/2620-261-0x0000000000000000-mapping.dmp
memory/2180-266-0x0000000000000000-mapping.dmp
memory/1680-278-0x0000000000000000-mapping.dmp
memory/3604-283-0x0000000000000000-mapping.dmp