Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 15-01-2022 01:16
Behavioral task: behavioral1
- Sample: b5d5cd9f663587f2151ec927231d7058d317666224b71c201bf5db90658c12ac.xlsm
- Resource: win10-en-20211208
Behavioral task: behavioral2
- Sample: b5d5cd9f663587f2151ec927231d7058d317666224b71c201bf5db90658c12ac.xlsm
- Resource: win10-en-20211208
General
- Target: b5d5cd9f663587f2151ec927231d7058d317666224b71c201bf5db90658c12ac.xlsm
- Size: 83KB
- MD5: 91ee11d4e4533a1346dc00ea597fe37e
- SHA1: 3948c694aca4b5d18a12bd2ff0fe5339d9923a02
- SHA256: b5d5cd9f663587f2151ec927231d7058d317666224b71c201bf5db90658c12ac
- SHA512: ad6a4640d5044aea187596b74013f6ca3e3e0382114d3bb55a2835e6a9aa0f807767d218ca5bfe9b31df851c765721b4a7c174aa0ee00e0d9a0410436ee9df03
Malware Config
- Extracted: http://recont.com/n8xbqb/lwEORjcJYPKCNQ/
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: rundll32.exe
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
    pid: 1836, pid_target: 1028, process: rundll32.exe, target process: EXCEL.EXE
- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe
    flow 47, pid 3816, process rundll32.exe
    flow 48, pid 3816, process rundll32.exe
- Downloads MZ/PE file
- Loads dropped DLL (2 IoCs)
  Processes: rundll32.exe, rundll32.exe
    pid 1836, process rundll32.exe
    pid 1308, process rundll32.exe
- Drops file in System32 directory (1 IoCs)
  Processes: rundll32.exe
    description: File opened for modification, ioc: C:\Windows\SysWOW64\Rvknorheyadnqlg\utgdhh.jou, process: rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: EXCEL.EXE
    pid 1028, process EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
    pid 3816, process rundll32.exe (2 entries)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: EXCEL.EXE
    pid 1028, process EXCEL.EXE (12 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: EXCEL.EXE, rundll32.exe, rundll32.exe, rundll32.exe
    PID 1028 wrote to memory of 1836: EXCEL.EXE -> rundll32.exe (3 entries)
    PID 1836 wrote to memory of 1308: rundll32.exe -> rundll32.exe (3 entries)
    PID 1308 wrote to memory of 1988: rundll32.exe -> rundll32.exe (3 entries)
    PID 1988 wrote to memory of 3816: rundll32.exe -> rundll32.exe (3 entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b5d5cd9f663587f2151ec927231d7058d317666224b71c201bf5db90658c12ac.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWow64\rundll32.exe (depth 2)
    Command line: C:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (depth 3)
      Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\erum.ocx",DllRegisterServer
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe (depth 4)
        Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Rvknorheyadnqlg\utgdhh.jou",IDcdqAx
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\rundll32.exe (depth 5)
          Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Rvknorheyadnqlg\utgdhh.jou",DllRegisterServer
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\erum.ocx (also listed as \Users\Admin\erum.ocx)
  MD5: ebe5f94c3f46923100fcad7393ebddcf
  SHA1: a56bfc3bd2d0f50a78b0fea09542b2c60f16f27e
  SHA256: 3156cc6407069ebbfd20655fd869972986805ec525287a4f320f83c2517c450d
  SHA512: 7991152525b80554044ccbf7c29727eff4a4811b13ba47682fa084b055bc0b9e2ce8eb431159be47aaeaa34b7e3b856a000e6ac199a81ffe46b23618c7d7e9d6
- memory/1028-119-0x0000025259850000-0x0000025259852000-memory.dmp (Filesize 8KB)
- memory/1028-115-0x00007FFDEE7B0000-0x00007FFDEE7C0000-memory.dmp (Filesize 64KB)
- memory/1028-120-0x0000025259850000-0x0000025259852000-memory.dmp (Filesize 8KB)
- memory/1028-121-0x00007FFDEE7B0000-0x00007FFDEE7C0000-memory.dmp (Filesize 64KB)
- memory/1028-122-0x0000025259850000-0x0000025259852000-memory.dmp (Filesize 8KB)
- memory/1028-128-0x00007FFDEBBB0000-0x00007FFDEBBC0000-memory.dmp (Filesize 64KB)
- memory/1028-129-0x00007FFDEBBB0000-0x00007FFDEBBC0000-memory.dmp (Filesize 64KB)
- memory/1028-116-0x00007FFDEE7B0000-0x00007FFDEE7C0000-memory.dmp (Filesize 64KB)
- memory/1028-118-0x00007FFDEE7B0000-0x00007FFDEE7C0000-memory.dmp (Filesize 64KB)
- memory/1028-117-0x00007FFDEE7B0000-0x00007FFDEE7C0000-memory.dmp (Filesize 64KB)
- memory/1308-266-0x0000000000000000-mapping.dmp
- memory/1836-261-0x0000000000000000-mapping.dmp
- memory/1988-282-0x0000000000000000-mapping.dmp
- memory/3816-287-0x0000000000000000-mapping.dmp