68d39acfcd55c7009d5a0693e155af5101e16c3f7e865a143aeb10741d93a4c8

General

Target: 68d39acfcd55c7009d5a0693e155af5101e16c3f7e865a143aeb10741d93a4c8.xlsm
Filesize: 83KB
Completed: 15-01-2022 01:47
Score: 10/10
MD5: 4f7df170dc3f0afd4c6de1371b6e46d5
SHA1: 0fcc0c1e8f9b496cbebdef3a71a3bb656f75b4ad
SHA256: 68d39acfcd55c7009d5a0693e155af5101e16c3f7e865a143aeb10741d93a4c8

Malware Config

Extracted

Language: xlm4.0
Source
URLs
xlm40.dropper: http://mail.emilyanncain.com/cgi-bin/A7NT3ENvn/

Signatures (14)

Discovery
  • Process spawned unexpected child process
    rundll32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3592 | 3988 | rundll32.exe | EXCEL.EXE
  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Description

    suricata: ET MALWARE W32/Emotet CnC Beacon 3
  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flow | pid | process
    43 | 2328 | rundll32.exe
    44 | 2328 | rundll32.exe
  • Downloads MZ/PE file
  • Loads dropped DLL
    rundll32.exe, rundll32.exe

    Reported IOCs

    pid | process
    3592 | rundll32.exe
    840 | rundll32.exe
  • Drops file in System32 directory
    rundll32.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\Daepwk\rwvknxbjsnhao.yav | rundll32.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    3988 | EXCEL.EXE
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid | process
    2328 | rundll32.exe (reported 2 times)
  • Suspicious use of FindShellTrayWindow
    EXCEL.EXE

    Reported IOCs

    pid | process
    3988 | EXCEL.EXE (reported 2 times)
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    3988 | EXCEL.EXE (reported 12 times)
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE, rundll32.exe, rundll32.exe, rundll32.exe

    Reported IOCs

    description | pid | process | target process
    PID 3988 wrote to memory of 3592 | 3988 | EXCEL.EXE | rundll32.exe (reported 3 times)
    PID 3592 wrote to memory of 840 | 3592 | rundll32.exe | rundll32.exe (reported 3 times)
    PID 840 wrote to memory of 3832 | 840 | rundll32.exe | rundll32.exe (reported 3 times)
    PID 3832 wrote to memory of 2328 | 3832 | rundll32.exe | rundll32.exe (reported 3 times)
Processes (5)
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\68d39acfcd55c7009d5a0693e155af5101e16c3f7e865a143aeb10741d93a4c8.xlsm"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:3988
    • C:\Windows\SysWow64\rundll32.exe
      C:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
      Process spawned unexpected child process
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3592
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\erum.ocx",DllRegisterServer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        PID:840
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Daepwk\rwvknxbjsnhao.yav",rcrXxnJzndlc
          Suspicious use of WriteProcessMemory
          PID:3832
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Daepwk\rwvknxbjsnhao.yav",DllRegisterServer
            Blocklisted process makes network request
            Suspicious behavior: EnumeratesProcesses
            PID:2328
Downloads
  • C:\Users\Admin\erum.ocx (also recorded as \Users\Admin\erum.ocx)

    MD5: fd9a257bffd063031a70d7d3b543d907
    SHA1: 2ff28e5249d20bfd5da6acc636f75b971afe1f79
    SHA256: f99aab0ac2b80b02b8a1ba70b86ff16e9aac1bff1451df307946feb0a42780ee
    SHA512: d381c098b653627e4f32d4d6a3cb15efab90fa149d0eaa5548a9dfc7f8a9e98ba126d35df0e8ec1b7c226b760bc0c63606b3534a2b8f1324e6da3f719bb7eec1

  • memory/840-258-0x0000000000000000-mapping.dmp
  • memory/2328-284-0x0000000000000000-mapping.dmp
  • memory/3592-253-0x0000000000000000-mapping.dmp
  • memory/3832-279-0x0000000000000000-mapping.dmp
  • memory/3988-128-0x00007FFF61D50000-0x00007FFF61D60000-memory.dmp
  • memory/3988-122-0x0000011E21B10000-0x0000011E21B12000-memory.dmp
  • memory/3988-129-0x00007FFF61D50000-0x00007FFF61D60000-memory.dmp
  • memory/3988-121-0x00007FFF65860000-0x00007FFF65870000-memory.dmp
  • memory/3988-120-0x0000011E21B10000-0x0000011E21B12000-memory.dmp
  • memory/3988-119-0x0000011E21B10000-0x0000011E21B12000-memory.dmp
  • memory/3988-118-0x00007FFF65860000-0x00007FFF65870000-memory.dmp
  • memory/3988-117-0x00007FFF65860000-0x00007FFF65870000-memory.dmp
  • memory/3988-116-0x00007FFF65860000-0x00007FFF65870000-memory.dmp
  • memory/3988-115-0x00007FFF65860000-0x00007FFF65870000-memory.dmp