Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 15-01-2022 01:12
Behavioral task: behavioral1
Sample: 9e4e5949a37f75d6982aac9b092694911ce63a2c0bdda51d4a4e318d655f72a2.xlsm
Resource: win10-en-20211208
Behavioral task: behavioral2
Sample: 9e4e5949a37f75d6982aac9b092694911ce63a2c0bdda51d4a4e318d655f72a2.xlsm
Resource: win10-en-20211208
General
- Target: 9e4e5949a37f75d6982aac9b092694911ce63a2c0bdda51d4a4e318d655f72a2.xlsm
- Size: 83KB
- MD5: eb2f7e56b9c22e7c0e9725e112f50b8c
- SHA1: b6ed272fc37059692c2483c9cce08f28664dc5fa
- SHA256: 9e4e5949a37f75d6982aac9b092694911ce63a2c0bdda51d4a4e318d655f72a2
- SHA512: 50703344c7af4e3e97f3c6479a6c84398a18e224322da71c619406f522a75b95a049b2d0b11767c27fbe5da514dae908db6e1abe36b97decc2b3bd9da1dffdb3
Malware Config
Extracted
http://recont.com/n8xbqb/lwEORjcJYPKCNQ/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1928 | 2748 | rundll32.exe | EXCEL.EXE
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Blocklisted process makes network request 3 IoCs
Processes: rundll32.exe
flow | pid | process
37 | 3612 | rundll32.exe
38 | 3612 | rundll32.exe
40 | 3612 | rundll32.exe
-
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes: rundll32.exe, rundll32.exe
pid | process
1928 | rundll32.exe
2460 | rundll32.exe
-
Drops file in System32 directory 1 IoCs
Processes: rundll32.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Eiozwtukdfgyjuxw\uoeklsal.vzn | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: EXCEL.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid | process
2748 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: rundll32.exe
pid | process
3612 | rundll32.exe (2 occurrences)
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: EXCEL.EXE
pid | process
2748 | EXCEL.EXE (2 occurrences)
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes: EXCEL.EXE
pid | process
2748 | EXCEL.EXE (12 occurrences)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: EXCEL.EXE, rundll32.exe, rundll32.exe, rundll32.exe
description | pid | process | target process
PID 2748 wrote to memory of 1928 | 2748 | EXCEL.EXE | rundll32.exe (3 occurrences)
PID 1928 wrote to memory of 2460 | 1928 | rundll32.exe | rundll32.exe (3 occurrences)
PID 2460 wrote to memory of 1904 | 2460 | rundll32.exe | rundll32.exe (3 occurrences)
PID 1904 wrote to memory of 3612 | 1904 | rundll32.exe | rundll32.exe (3 occurrences)
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (process tree level 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9e4e5949a37f75d6982aac9b092694911ce63a2c0bdda51d4a4e318d655f72a2.xlsm"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWow64\rundll32.exe (process tree level 2)
Command line: C:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe (process tree level 3)
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\erum.ocx",DllRegisterServer
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe (process tree level 4)
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Eiozwtukdfgyjuxw\uoeklsal.vzn",albl
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe (process tree level 5)
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Eiozwtukdfgyjuxw\uoeklsal.vzn",DllRegisterServer
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\erum.ocx (also recorded as \Users\Admin\erum.ocx)
MD5: ebe5f94c3f46923100fcad7393ebddcf
SHA1: a56bfc3bd2d0f50a78b0fea09542b2c60f16f27e
SHA256: 3156cc6407069ebbfd20655fd869972986805ec525287a4f320f83c2517c450d
SHA512: 7991152525b80554044ccbf7c29727eff4a4811b13ba47682fa084b055bc0b9e2ce8eb431159be47aaeaa34b7e3b856a000e6ac199a81ffe46b23618c7d7e9d6
-
memory/1904-280-0x0000000000000000-mapping.dmp
-
memory/1928-254-0x0000000000000000-mapping.dmp
-
memory/2460-259-0x0000000000000000-mapping.dmp
-
memory/2748-120-0x0000028387120000-0x0000028387122000-memory.dmp (Filesize: 8KB)
-
memory/2748-128-0x00007FF9D70A0000-0x00007FF9D70B0000-memory.dmp (Filesize: 64KB)
-
memory/2748-129-0x00007FF9D3640000-0x00007FF9D3650000-memory.dmp (Filesize: 64KB)
-
memory/2748-130-0x00007FF9D3640000-0x00007FF9D3650000-memory.dmp (Filesize: 64KB)
-
memory/2748-122-0x0000028387120000-0x0000028387122000-memory.dmp (Filesize: 8KB)
-
memory/2748-121-0x0000028387120000-0x0000028387122000-memory.dmp (Filesize: 8KB)
-
memory/2748-116-0x00007FF9D70A0000-0x00007FF9D70B0000-memory.dmp (Filesize: 64KB)
-
memory/2748-119-0x00007FF9D70A0000-0x00007FF9D70B0000-memory.dmp (Filesize: 64KB)
-
memory/2748-118-0x00007FF9D70A0000-0x00007FF9D70B0000-memory.dmp (Filesize: 64KB)
-
memory/2748-117-0x00007FF9D70A0000-0x00007FF9D70B0000-memory.dmp (Filesize: 64KB)
-
memory/3612-285-0x0000000000000000-mapping.dmp