Analysis
max time kernel: 151s
max time network: 150s
platform: windows10_x64
resource: win10-en-20211208
submitted: 15-01-2022 01:20
Behavioral task: behavioral1
  Sample: 62693b6b06025484f7f9ef6c5639c942a879fbd49e87983c83541106f3566ad2.xlsm
  Resource: win10-en-20211208
Behavioral task: behavioral2
  Sample: 62693b6b06025484f7f9ef6c5639c942a879fbd49e87983c83541106f3566ad2.xlsm
  Resource: win10-en-20211208
General
Target: 62693b6b06025484f7f9ef6c5639c942a879fbd49e87983c83541106f3566ad2.xlsm
Size: 83KB
MD5: a5d6144a863e7ac8f56b2b6c88516eb2
SHA1: 882cdbecc31ba88b223e54b15ca332221a6b58e5
SHA256: 62693b6b06025484f7f9ef6c5639c942a879fbd49e87983c83541106f3566ad2
SHA512: c0dfe8c519d4acf1289f3f3bdf8612d7a879bc380fd7c22f32d5341ffe9e1f113fecd7823dfdbf8b813b7c5826dfa68c009cab2a72fa15ab6ce80a198d07f795
Malware Config
Extracted URL: http://mail.emilyanncain.com/cgi-bin/A7NT3ENvn/
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
    pid: 2872 (rundll32.exe)    pid_target: 2344 (EXCEL.EXE)
- Blocklisted process makes network request (3 IoCs)
  Processes:
    flow 36   pid 3864   rundll32.exe
    flow 37   pid 3864   rundll32.exe
    flow 38   pid 3864   rundll32.exe
- Downloads MZ/PE file
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 2872   rundll32.exe
    pid 3572   rundll32.exe
- Drops file in System32 directory (1 IoC)
  Processes:
    description: File opened for modification
    ioc: C:\Windows\SysWOW64\Hrvsrytuln\sycqqd.plm
    process: rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this likely ransomware behaviour; on its own it is a weak indicator, and nothing else in this report (a dropped DLL chain and outbound requests) points to ransomware.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (all EXCEL.EXE):
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (all EXCEL.EXE):
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Both registry signatures fire on EXCEL.EXE itself, not on the dropped DLL running under rundll32.exe, so they are weak evidence of sandbox evasion by the payload.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: pid 2344   EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: pid 3864   rundll32.exe (2 occurrences)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: pid 2344   EXCEL.EXE (12 occurrences)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source pid -> target pid, 3 occurrences each):
    2344 EXCEL.EXE    -> 2872 rundll32.exe
    2872 rundll32.exe -> 3572 rundll32.exe
    3572 rundll32.exe -> 1028 rundll32.exe
    1028 rundll32.exe -> 3864 rundll32.exe
  Every write goes from a parent into the child it has just spawned, the same chain as the process tree below; there is no write into an unrelated process, so this signature here reflects process creation rather than injection.
Processes
Level 1: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (pid 2344)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\62693b6b06025484f7f9ef6c5639c942a879fbd49e87983c83541106f3566ad2.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Level 2: C:\Windows\SysWow64\rundll32.exe (pid 2872, spawned by 2344)
  Command line: C:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
  The export name is written as D"&"l"&"lR"&"egister"&"Serve"&"r, i.e. built with VBA's & string operator; with the quote pairs removed it reads DllRegisterServer, and the child at level 3 confirms that export ran. The module is a relative path (..\erum.ocx) with an .ocx extension, yet it is loaded as a DLL.
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\rundll32.exe (pid 3572, spawned by 2872)
  Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\erum.ocx",DllRegisterServer
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\rundll32.exe (pid 1028, spawned by 3572)
  Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hrvsrytuln\sycqqd.plm",CLTDuzQPkHpSD
  - Suspicious use of WriteProcessMemory
Level 5: C:\Windows\SysWOW64\rundll32.exe (pid 3864, spawned by 1028)
  Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hrvsrytuln\sycqqd.plm",DllRegisterServer
  Under a 32-bit rundll32.exe, WOW64 file system redirection maps C:\Windows\System32\... to C:\Windows\SysWOW64\..., so this is the same sycqqd.plm that was dropped at level 3.
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
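The process tree above is the part of this report that translates most directly into detection logic. As an added example, not part of the sandbox report and not the sandbox's own signature code, the Python below runs three checks over process-creation events: an Office parent spawning a LOLBin, a rundll32 command line whose export name is split with VBA "&" concatenation or whose module is not a .dll, sits at a relative path or under a user-writable directory, and rundll32 re-invoking itself with DllRegisterServer. The event records are constructed here to mirror the tree (plus one benign control), and the field names pid, ppid, image and cmdline are an assumption modelled on Sysmon Event ID 1.

```python
"""Detection logic for the Excel -> rundll32 -> rundll32 chain shown above.
Added example; not the sandbox's code. SAMPLE_EVENTS is constructed from the
process tree and uses assumed Sysmon Event ID 1 style field names."""
import re
from pathlib import PureWindowsPath

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}
# Directory fragments a standard user can write to (lower-case substrings).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")

# A closing quote, VBA's & operator, an opening quote: the seams in D"&"l"&"lR...
_CONCAT_RE = re.compile(r'"\s*&\s*"')
# rundll32.exe <module>,<export>; the module may be quoted or a relative path.
_RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+(?:"([^"]+)"|(\S+?)),(\S+)',
                        re.IGNORECASE)


def normalize_cmdline(cmdline: str) -> str:
    """Remove "&" seams so the export name can be compared as one token."""
    return _CONCAT_RE.sub("", cmdline)


def parse_rundll32(cmdline: str):
    """Return (module, export) for a rundll32 command line, or None."""
    m = _RUNDLL_RE.search(normalize_cmdline(cmdline))
    if not m:
        return None
    return (m.group(1) or m.group(2)), m.group(3)


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyze(events):
    """Return (pid, finding) tuples; an empty list means nothing was flagged."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        child = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = image_name(parent["image"]) if parent else ""
        if pname in OFFICE_IMAGES and child in LOLBINS:
            findings.append((e["pid"], f"office_spawned_lolbin:{pname}->{child}"))
        if child != "rundll32.exe":
            continue
        parsed = parse_rundll32(e["cmdline"])
        if parsed is None:
            continue
        module, export = parsed
        if normalize_cmdline(e["cmdline"]) != e["cmdline"]:
            findings.append((e["pid"], "vba_concat_obfuscation"))
        ext = PureWindowsPath(module).suffix.lower()
        if ext != ".dll":
            findings.append((e["pid"], f"rundll32_nonstandard_ext:{ext}"))
        if (not PureWindowsPath(module).is_absolute()
                or any(s in module.lower() for s in USER_WRITABLE)):
            findings.append((e["pid"], "rundll32_module_relative_or_user_writable"))
        if export.lower() == "dllregisterserver" and pname == "rundll32.exe":
            findings.append((e["pid"], "rundll32_chain_dllregisterserver"))
    return findings


# Constructed events mirroring the report's process tree, plus one benign control
# (Explorer-like parent 1000 running a genuine system DLL from System32).
SAMPLE_EVENTS = [
    {"pid": 2344, "ppid": 1000, "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\sample.xlsm"'},
    {"pid": 2872, "ppid": 2344, "image": r"C:\Windows\SysWow64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r'},
    {"pid": 3572, "ppid": 2872, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\erum.ocx",DllRegisterServer'},
    {"pid": 1028, "ppid": 3572, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hrvsrytuln\sycqqd.plm",CLTDuzQPkHpSD'},
    {"pid": 3864, "ppid": 1028, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hrvsrytuln\sycqqd.plm",DllRegisterServer'},
    {"pid": 4100, "ppid": 1000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for pid, finding in analyze(SAMPLE_EVENTS):
        print(pid, finding)
```

Run against the constructed events, every rundll32 in the malicious chain is flagged at least once (pid 2872 four times) and the benign control produces nothing. The normalisation step matters: a rule matching the literal string DllRegisterServer would miss level 2, while one that strips the "&" seams first catches both the obfuscated and the plain form.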
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\erum.ocx (also listed as \Users\Admin\erum.ocx)
  MD5: 3ddc96812e347c89f5c1fef805462e9d
  SHA1: ba686d9d9caa7d35b1c9ee507863645f029a385c
  SHA256: 9caa54943b5d009ad41e975fc56f1b9771cdf9237fea48a11c081493a07ab0b0
  SHA512: 433f013db921ef0ccdc034762c36e5815d9120ee3300743891bc0c6330980e1246debcf079c188ef6b7c82803ade5643b2f653dd4d68686cf0fa68545901f941
Memory dumps
- memory/1028-278-0x0000000000000000-mapping.dmp
- memory/2344-115-0x00007FFE3E940000-0x00007FFE3E950000-memory.dmp (64KB)
- memory/2344-116-0x00007FFE3E940000-0x00007FFE3E950000-memory.dmp (64KB)
- memory/2344-117-0x00007FFE3E940000-0x00007FFE3E950000-memory.dmp (64KB)
- memory/2344-118-0x00007FFE3E940000-0x00007FFE3E950000-memory.dmp (64KB)
- memory/2344-119-0x00000225B8CC0000-0x00000225B8CC2000-memory.dmp (8KB)
- memory/2344-120-0x00000225B8CC0000-0x00000225B8CC2000-memory.dmp (8KB)
- memory/2344-121-0x00000225B8CC0000-0x00000225B8CC2000-memory.dmp (8KB)
- memory/2344-127-0x00007FFE3E940000-0x00007FFE3E950000-memory.dmp (64KB)
- memory/2872-259-0x0000000000000000-mapping.dmp
- memory/3572-264-0x0000000000000000-mapping.dmp
- memory/3864-283-0x0000000000000000-mapping.dmp