Analysis
-
max time kernel
148s -
max time network
141s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
15-01-2022 01:23
Behavioral task
behavioral1
Sample
de54a7c99135db230ba151e513f7813ccca74b08201d7592958e82c51b152386.xlsm
Resource
win10-en-20211208
Behavioral task
behavioral2
Sample
de54a7c99135db230ba151e513f7813ccca74b08201d7592958e82c51b152386.xlsm
Resource
win10-en-20211208
General
-
Target
de54a7c99135db230ba151e513f7813ccca74b08201d7592958e82c51b152386.xlsm
-
Size
83KB
-
MD5
6b5fbfc62c3f736a188c3f614b14fbe3
-
SHA1
1ce7dd32aecf09f3b4683f9c3c005d0c6ae82b0a
-
SHA256
de54a7c99135db230ba151e513f7813ccca74b08201d7592958e82c51b152386
-
SHA512
ff04fc0017f3a39f777a8671fd030b210d8b99cb30202acc3cc0b0fee8e48f5f12c4b730576a2adfa43955c03e4a2a0e66e954cc8bacfa20963479010717e516
Malware Config
Extracted
http://recont.com/n8xbqb/lwEORjcJYPKCNQ/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1992 2656 rundll32.exe EXCEL.EXE -
Blocklisted process makes network request 3 IoCs
Processes:
rundll32.exeflow pid process 43 1404 rundll32.exe 44 1404 rundll32.exe 45 1404 rundll32.exe -
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes:
rundll32.exerundll32.exepid process 1992 rundll32.exe 2280 rundll32.exe -
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Vtqpsroub\bbbck.zwv rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2656 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 1404 rundll32.exe 1404 rundll32.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 2656 EXCEL.EXE 2656 EXCEL.EXE 2656 EXCEL.EXE 2656 EXCEL.EXE 2656 EXCEL.EXE 2656 EXCEL.EXE 2656 EXCEL.EXE 2656 EXCEL.EXE 2656 EXCEL.EXE 2656 EXCEL.EXE 2656 EXCEL.EXE 2656 EXCEL.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
EXCEL.EXErundll32.exerundll32.exerundll32.exedescription pid process target process PID 2656 wrote to memory of 1992 2656 EXCEL.EXE rundll32.exe PID 2656 wrote to memory of 1992 2656 EXCEL.EXE rundll32.exe PID 2656 wrote to memory of 1992 2656 EXCEL.EXE rundll32.exe PID 1992 wrote to memory of 2280 1992 rundll32.exe rundll32.exe PID 1992 wrote to memory of 2280 1992 rundll32.exe rundll32.exe PID 1992 wrote to memory of 2280 1992 rundll32.exe rundll32.exe PID 2280 wrote to memory of 1580 2280 rundll32.exe rundll32.exe PID 2280 wrote to memory of 1580 2280 rundll32.exe rundll32.exe PID 2280 wrote to memory of 1580 2280 rundll32.exe rundll32.exe PID 1580 wrote to memory of 1404 1580 rundll32.exe rundll32.exe PID 1580 wrote to memory of 1404 1580 rundll32.exe rundll32.exe PID 1580 wrote to memory of 1404 1580 rundll32.exe rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\de54a7c99135db230ba151e513f7813ccca74b08201d7592958e82c51b152386.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWow64\rundll32.exeC:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\erum.ocx",DllRegisterServer3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vtqpsroub\bbbck.zwv",ibQQquQD4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vtqpsroub\bbbck.zwv",DllRegisterServer5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\erum.ocxMD5
bb8e2574a3832904c6e4308548f8cc10
SHA18cb5d14c959f47e49524dfbd57697dc04a092d98
SHA25696bf62e2cba59dbee4dba9efccb6b0b090fae3017ef2f04ef1edb57338f1b363
SHA512a07e26bbb364f145a24b22fa700562bb683af1ceb8fee2ea517906f4fb3be40516b17b67bd8605ae91d922442860a77382a08032373abbcbc47c3476e6c532c8
-
\Users\Admin\erum.ocxMD5
bb8e2574a3832904c6e4308548f8cc10
SHA18cb5d14c959f47e49524dfbd57697dc04a092d98
SHA25696bf62e2cba59dbee4dba9efccb6b0b090fae3017ef2f04ef1edb57338f1b363
SHA512a07e26bbb364f145a24b22fa700562bb683af1ceb8fee2ea517906f4fb3be40516b17b67bd8605ae91d922442860a77382a08032373abbcbc47c3476e6c532c8
-
\Users\Admin\erum.ocxMD5
bb8e2574a3832904c6e4308548f8cc10
SHA18cb5d14c959f47e49524dfbd57697dc04a092d98
SHA25696bf62e2cba59dbee4dba9efccb6b0b090fae3017ef2f04ef1edb57338f1b363
SHA512a07e26bbb364f145a24b22fa700562bb683af1ceb8fee2ea517906f4fb3be40516b17b67bd8605ae91d922442860a77382a08032373abbcbc47c3476e6c532c8
-
memory/1404-302-0x0000000000000000-mapping.dmp
-
memory/1580-297-0x0000000000000000-mapping.dmp
-
memory/1992-277-0x0000000000000000-mapping.dmp
-
memory/2280-282-0x0000000000000000-mapping.dmp
-
memory/2656-121-0x00007FFD72FE0000-0x00007FFD72FF0000-memory.dmpFilesize
64KB
-
memory/2656-154-0x0000017619A20000-0x0000017619A22000-memory.dmpFilesize
8KB
-
memory/2656-129-0x00007FFD6F570000-0x00007FFD6F580000-memory.dmpFilesize
64KB
-
memory/2656-148-0x0000017619A20000-0x0000017619A22000-memory.dmpFilesize
8KB
-
memory/2656-150-0x0000017619A20000-0x0000017619A22000-memory.dmpFilesize
8KB
-
memory/2656-149-0x0000017619A20000-0x0000017619A22000-memory.dmpFilesize
8KB
-
memory/2656-151-0x0000017619A20000-0x0000017619A22000-memory.dmpFilesize
8KB
-
memory/2656-152-0x0000017619A20000-0x0000017619A22000-memory.dmpFilesize
8KB
-
memory/2656-153-0x0000017619A20000-0x0000017619A22000-memory.dmpFilesize
8KB
-
memory/2656-128-0x00007FFD6F570000-0x00007FFD6F580000-memory.dmpFilesize
64KB
-
memory/2656-155-0x0000017619A20000-0x0000017619A22000-memory.dmpFilesize
8KB
-
memory/2656-122-0x0000017619A20000-0x0000017619A22000-memory.dmpFilesize
8KB
-
memory/2656-115-0x00007FFD72FE0000-0x00007FFD72FF0000-memory.dmpFilesize
64KB
-
memory/2656-120-0x0000017619A20000-0x0000017619A22000-memory.dmpFilesize
8KB
-
memory/2656-119-0x0000017619A20000-0x0000017619A22000-memory.dmpFilesize
8KB
-
memory/2656-118-0x00007FFD72FE0000-0x00007FFD72FF0000-memory.dmpFilesize
64KB
-
memory/2656-117-0x00007FFD72FE0000-0x00007FFD72FF0000-memory.dmpFilesize
64KB
-
memory/2656-116-0x00007FFD72FE0000-0x00007FFD72FF0000-memory.dmpFilesize
64KB