Analysis
- max time kernel: 147s
- max time network: 144s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 15-01-2022 01:45
Behavioral task: behavioral1
- Sample: 68d39acfcd55c7009d5a0693e155af5101e16c3f7e865a143aeb10741d93a4c8.xlsm
- Resource: win10-en-20211208
Behavioral task: behavioral2
- Sample: 68d39acfcd55c7009d5a0693e155af5101e16c3f7e865a143aeb10741d93a4c8.xlsm
- Resource: win10-en-20211208
General
- Target: 68d39acfcd55c7009d5a0693e155af5101e16c3f7e865a143aeb10741d93a4c8.xlsm
- Size: 83KB
- MD5: 4f7df170dc3f0afd4c6de1371b6e46d5
- SHA1: 0fcc0c1e8f9b496cbebdef3a71a3bb656f75b4ad
- SHA256: 68d39acfcd55c7009d5a0693e155af5101e16c3f7e865a143aeb10741d93a4c8
- SHA512: 800875ba9fe7a5ab814e8751963045670422e6282952736ef7e2c40d1f46fe3cccda6189a1991116e54c622c7dfdf6af4a9206dae45e3c136d3654c46bc1e591
Malware Config
- Extracted: http://mail.emilyanncain.com/cgi-bin/A7NT3ENvn/
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
    pid: 3592
    pid_target: 3988
    process: rundll32.exe
    target process: EXCEL.EXE
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow 43, pid 2328, process rundll32.exe
    flow 44, pid 2328, process rundll32.exe
- Downloads MZ/PE file
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 3592, process rundll32.exe
    pid 840, process rundll32.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
    description: File opened for modification
    ioc: C:\Windows\SysWOW64\Daepwk\rwvknxbjsnhao.yav
    process: rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid 3988, process EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 2328, process rundll32.exe (x2)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid 3988, process EXCEL.EXE (x2)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
    pid 3988, process EXCEL.EXE (x12)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 3988 (EXCEL.EXE) wrote to memory of 3592 (rundll32.exe) (x3)
    PID 3592 (rundll32.exe) wrote to memory of 840 (rundll32.exe) (x3)
    PID 840 (rundll32.exe) wrote to memory of 3832 (rundll32.exe) (x3)
    PID 3832 (rundll32.exe) wrote to memory of 2328 (rundll32.exe) (x3)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\68d39acfcd55c7009d5a0693e155af5101e16c3f7e865a143aeb10741d93a4c8.xlsm"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWow64\rundll32.exe
      Command line: C:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\erum.ocx",DllRegisterServer
         - Loads dropped DLL
         - Drops file in System32 directory
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\rundll32.exe
            Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Daepwk\rwvknxbjsnhao.yav",rcrXxnJzndlc
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\rundll32.exe
               Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Daepwk\rwvknxbjsnhao.yav",DllRegisterServer
               - Blocklisted process makes network request
               - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\erum.ocx
  MD5: fd9a257bffd063031a70d7d3b543d907
  SHA1: 2ff28e5249d20bfd5da6acc636f75b971afe1f79
  SHA256: f99aab0ac2b80b02b8a1ba70b86ff16e9aac1bff1451df307946feb0a42780ee
  SHA512: d381c098b653627e4f32d4d6a3cb15efab90fa149d0eaa5548a9dfc7f8a9e98ba126d35df0e8ec1b7c226b760bc0c63606b3534a2b8f1324e6da3f719bb7eec1
- \Users\Admin\erum.ocx
  MD5: fd9a257bffd063031a70d7d3b543d907
  SHA1: 2ff28e5249d20bfd5da6acc636f75b971afe1f79
  SHA256: f99aab0ac2b80b02b8a1ba70b86ff16e9aac1bff1451df307946feb0a42780ee
  SHA512: d381c098b653627e4f32d4d6a3cb15efab90fa149d0eaa5548a9dfc7f8a9e98ba126d35df0e8ec1b7c226b760bc0c63606b3534a2b8f1324e6da3f719bb7eec1
- memory/840-258-0x0000000000000000-mapping.dmp
- memory/2328-284-0x0000000000000000-mapping.dmp
- memory/3592-253-0x0000000000000000-mapping.dmp
- memory/3832-279-0x0000000000000000-mapping.dmp
- memory/3988-119-0x0000011E21B10000-0x0000011E21B12000-memory.dmp (Filesize: 8KB)
- memory/3988-128-0x00007FFF61D50000-0x00007FFF61D60000-memory.dmp (Filesize: 64KB)
- memory/3988-129-0x00007FFF61D50000-0x00007FFF61D60000-memory.dmp (Filesize: 64KB)
- memory/3988-122-0x0000011E21B10000-0x0000011E21B12000-memory.dmp (Filesize: 8KB)
- memory/3988-121-0x00007FFF65860000-0x00007FFF65870000-memory.dmp (Filesize: 64KB)
- memory/3988-120-0x0000011E21B10000-0x0000011E21B12000-memory.dmp (Filesize: 8KB)
- memory/3988-115-0x00007FFF65860000-0x00007FFF65870000-memory.dmp (Filesize: 64KB)
- memory/3988-118-0x00007FFF65860000-0x00007FFF65870000-memory.dmp (Filesize: 64KB)
- memory/3988-117-0x00007FFF65860000-0x00007FFF65870000-memory.dmp (Filesize: 64KB)
- memory/3988-116-0x00007FFF65860000-0x00007FFF65870000-memory.dmp (Filesize: 64KB)