Analysis
Max time kernel: 148s
Max time network: 141s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 15-01-2022 01:49
Behavioral tasks (both ran the same sample on the same image)
behavioral1: sample a59149fcacf8a5c564f48dc446b7cef1203a0ab92fec9dead2b3645bb24d3e51.xlsm, resource win10-en-20211208
behavioral2: sample a59149fcacf8a5c564f48dc446b7cef1203a0ab92fec9dead2b3645bb24d3e51.xlsm, resource win10-en-20211208
General
Target: a59149fcacf8a5c564f48dc446b7cef1203a0ab92fec9dead2b3645bb24d3e51.xlsm
Size: 83KB
MD5: 0f9d8eef6e2b87a3759a45e1e127d94a
SHA1: 1333efaa172a9d858b686482c75d4d4b13582a9b
SHA256: a59149fcacf8a5c564f48dc446b7cef1203a0ab92fec9dead2b3645bb24d3e51
SHA512: 82e63db9145621fa07011a36f82cd603c40a8ca9dfa6408318923eec182d89acd3e552d19bbe9fcfdd4127bcb05bcef0de5ed4f1a38577d2c05b0844adc6a499
Malware Config
Extracted URL: http://mail.emilyanncain.com/cgi-bin/A7NT3ENvn/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  pid: 2676 (rundll32.exe)    pid_target: 1628 (EXCEL.EXE)

Blocklisted process makes network request (3 IoCs)
  flow  pid   process
  41    4848  rundll32.exe
  42    4848  rundll32.exe
  44    4848  rundll32.exe

Downloads MZ/PE file

Loads dropped DLL (2 IoCs)
  pid   process
  2676  rundll32.exe
  4804  rundll32.exe

Drops file in System32 directory (1 IoC)
The recorded path is under SysWOW64, the 32-bit system directory, not System32 proper.
  description                   ioc                                       process
  File opened for modification  C:\Windows\SysWOW64\Damkfsm\zifaghi.qom  rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but it is a generic heuristic: nothing else in this report points to file encryption, so on its own it is a weak signal.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the reads are attributed to EXCEL.EXE itself (PID 1628), not to the rundll32.exe chain; Office reads these keys during ordinary start-up as well, so this is a weak signal in this report.
  description        ioc                                                                                    process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Same caveat as above: all three reads come from EXCEL.EXE.
  description        ioc                                                        process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS         EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   process
  1628  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  4848  rundll32.exe (2 occurrences)

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid   process
  1628  EXCEL.EXE (12 occurrences)

Suspicious use of WriteProcessMemory (12 IoCs)
Each parent wrote to its newly created child three times, giving the chain EXCEL.EXE -> rundll32.exe -> rundll32.exe -> rundll32.exe -> rundll32.exe. Three writes into a freshly created child is also what ordinary process creation looks like (the parent populates the new process's address space), so read this signature as confirming the parent/child chain rather than as evidence of injection on its own.
  pid   process       target pid  target process  writes
  1628  EXCEL.EXE     2676        rundll32.exe    3
  2676  rundll32.exe  4804        rundll32.exe    3
  4804  rundll32.exe  4852        rundll32.exe    3
  4852  rundll32.exe  4848        rundll32.exe    3
Processes
(PIDs are taken from the WriteProcessMemory table above; depth numbers are the report's.)

1. EXCEL.EXE (PID 1628)
   Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a59149fcacf8a5c564f48dc446b7cef1203a0ab92fec9dead2b3645bb24d3e51.xlsm"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. rundll32.exe (PID 2676), child of PID 1628
   Image: C:\Windows\SysWow64\rundll32.exe
   Command line: C:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
   - Process spawned unexpected child process
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

3. rundll32.exe (PID 4804), child of PID 2676
   Image: C:\Windows\SysWOW64\rundll32.exe
   Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\erum.ocx",DllRegisterServer
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

4. rundll32.exe (PID 4852), child of PID 4804
   Image: C:\Windows\SysWOW64\rundll32.exe
   Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Damkfsm\zifaghi.qom",tkkwisGcG
   - Suspicious use of WriteProcessMemory

5. rundll32.exe (PID 4848), child of PID 4852
   Image: C:\Windows\SysWOW64\rundll32.exe
   Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Damkfsm\zifaghi.qom",DllRegisterServer
   - Blocklisted process makes network request
   - Suspicious behavior: EnumeratesProcesses

Reading the chain:
- Step 2 is the macro's hand-off to rundll32.exe. The export being called is DllRegisterServer, written as D"&"l"&"lR"&"egister"&"Serve"&"r so that a plain substring match on the command line misses it; step 3 shows the same call in canonical form. Note the relative DLL path ..\erum.ocx, resolved against the current directory the process inherits (here from Excel), and the .ocx extension: rundll32.exe loads any PE regardless of its extension.
- Step 3 is where the payload is copied into the 32-bit system directory as C:\Windows\SysWOW64\Damkfsm\zifaghi.qom (the Drops file in System32 directory signature is attached to this process).
- Steps 4 and 5 refer to that copy twice, once via SysWOW64 and once via System32. Both name the same file: rundll32.exe here is the 32-bit binary, and WOW64 file-system redirection maps C:\Windows\System32\ to C:\Windows\SysWOW64\ for 32-bit processes. Step 4 calls a non-standard export (tkkwisGcG); step 5 calls DllRegisterServer and is the process that makes the network requests.
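The process tree above is the part of this report a detection engineer would build on: Office spawning rundll32.exe, a quote-fragmented export name, a relative DLL path, a DLL with a non-standard extension, and a rundll32.exe chain four deep. The Python below is an added example, not part of the sandbox report and not the sample's own code. It replays constructed process-creation events that mirror this tree (PIDs from the WriteProcessMemory table; the event field names, the Excel parent PID 900 and the shortened file name sample.xlsm are assumptions) and emits one finding per independent signal. It also folds WOW64 file-system redirection so the System32 and SysWOW64 references to zifaghi.qom compare as the same file.

```python
"""Detection logic for the Office -> rundll32.exe chain in this report.

Added example, not sandbox output. EVENTS is constructed to mirror the report's
process tree; field names, the Excel parent PID (900) and sample.xlsm are assumptions.
"""
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
EXPECTED_DLL_EXT = {".dll", ".ocx", ".cpl"}           # what rundll32 usually loads
QUOTE_CONCAT = re.compile(r'"\s*&\s*"')               # the "&" glue between fragments
RUNDLL_ARGS = re.compile(r'^\s*(?:\S*\\)?rundll32(?:\.exe)?\s+(.+?),(\S+)', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [  # constructed; the five processes of the report's tree
    ProcEvent(1628, 900, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\sample.xlsm"'),
    ProcEvent(2676, 1628, r"C:\Windows\SysWow64\rundll32.exe",
              r'C:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r'),
    ProcEvent(4804, 2676, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\erum.ocx",DllRegisterServer'),
    ProcEvent(4852, 4804, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Damkfsm\zifaghi.qom",tkkwisGcG'),
    ProcEvent(4848, 4852, r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Damkfsm\zifaghi.qom",DllRegisterServer'),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def normalize_cmdline(cmdline: str) -> str:
    """Undo "&"-style concatenation and drop quotes so a fragmented export name reads whole."""
    return QUOTE_CONCAT.sub("", cmdline).replace('"', "")


def rundll32_target(cmdline: str):
    """Return (dll_path, export) for a rundll32 command line, or None if it does not parse."""
    m = RUNDLL_ARGS.match(normalize_cmdline(cmdline))
    return (m.group(1).strip(), m.group(2)) if m else None


def wow64_canonical(path: str) -> str:
    """Fold WOW64 file-system redirection: to a 32-bit process, System32 is really SysWOW64."""
    return re.sub(r"(?i)^c:\\windows\\system32\\", r"C:\\Windows\\SysWOW64\\", path)


def chain_from_office(pid: int, events) -> list:
    """Walk parents until an Office image is reached; return [office_pid, ..., pid] or []."""
    by_pid = {e.pid: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(cur.pid)
        if basename(cur.image) in OFFICE_IMAGES:
            return chain[::-1]
        cur = by_pid.get(cur.ppid)
    return []


def loaded_dlls(events) -> set:
    """Distinct DLLs handed to rundll32, after WOW64 folding and case normalisation."""
    out = set()
    for e in events:
        target = rundll32_target(e.cmdline) if basename(e.image) == "rundll32.exe" else None
        if target:
            out.add(wow64_canonical(target[0]).lower())
    return out


def analyze(events) -> list:
    """Return (pid, finding) pairs; each finding is one independent signal."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        if basename(e.image) != "rundll32.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) in OFFICE_IMAGES:
            out.append((e.pid, "office_spawned_rundll32"))
        if parent and basename(parent.image) == "rundll32.exe":
            out.append((e.pid, "rundll32_spawned_rundll32"))
        if QUOTE_CONCAT.search(e.cmdline):
            out.append((e.pid, "concat_obfuscated_export"))
        target = rundll32_target(e.cmdline)
        if target is None:
            continue
        dll, _export = target
        name = basename(dll)
        ext = name[name.rfind("."):] if "." in name else ""
        if ext not in EXPECTED_DLL_EXT:
            out.append((e.pid, "unusual_dll_extension"))
        if dll.startswith("..") or dll.lower().startswith("c:\\users\\"):
            out.append((e.pid, "dll_from_user_writable_path"))
    return out


if __name__ == "__main__":
    for pid, finding in analyze(EVENTS):
        print(pid, finding, chain_from_office(pid, EVENTS))
```

The canonicalisation is the piece most often missed: correlating on the raw command-line path would treat steps 4 and 5 as two different files, while the drop signature only ever recorded the SysWOW64 copy.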
Downloads

C:\Users\Admin\erum.ocx (the report lists this one file three times, also as \Users\Admin\erum.ocx)
  MD5:    fc572cbbebb9865a9b574667f8f78036
  SHA1:   55b6d2a58ff83e6e7299c615358d70ef5d8b0dc5
  SHA256: c43db4923037b57ec6453c192decc50b576d005b8577d20b3b1298de9877170b
  SHA512: de99d46452ad26cb51b743ea5d28c2b89b3ca8d6121c71967a26d50491538a40ad4c39a2eee984b4d93bb4ab66f881666d6a5701ba2c0b4925758e7a6a54001b

The dropped copy C:\Windows\SysWOW64\Damkfsm\zifaghi.qom is not among the captured files, so this report does not show whether it is byte-identical to erum.ocx.
Memory dumps
  file                                                               size
  memory/1628-115-0x00007FF836310000-0x00007FF836320000-memory.dmp   64KB
  memory/1628-116-0x00007FF836310000-0x00007FF836320000-memory.dmp   64KB
  memory/1628-117-0x00007FF836310000-0x00007FF836320000-memory.dmp   64KB
  memory/1628-118-0x00007FF836310000-0x00007FF836320000-memory.dmp   64KB
  memory/1628-121-0x00007FF836310000-0x00007FF836320000-memory.dmp   64KB
  memory/1628-119-0x0000021084FE0000-0x0000021084FE2000-memory.dmp   8KB
  memory/1628-120-0x0000021084FE0000-0x0000021084FE2000-memory.dmp   8KB
  memory/1628-122-0x0000021084FE0000-0x0000021084FE2000-memory.dmp   8KB
  memory/1628-174-0x0000021084FE0000-0x0000021084FE2000-memory.dmp   8KB
  memory/1628-175-0x0000021084FE0000-0x0000021084FE2000-memory.dmp   8KB
  memory/2676-259-0x0000000000000000-mapping.dmp
  memory/4804-264-0x0000000000000000-mapping.dmp
  memory/4852-278-0x0000000000000000-mapping.dmp
  memory/4848-283-0x0000000000000000-mapping.dmp