e839313f28c2088224ab43e562fe1cbdfd9861122c4a80fdc9121cfff8d58690

General

Target: e839313f28c2088224ab43e562fe1cbdfd9861122c4a80fdc9121cfff8d58690.xlsm
Filesize: 83KB
Completed: 15-01-2022 01:28
Score: 10/10
MD5: 8a33badcc1ed80af8d3ba0f02b85a8e7
SHA1: a1374206e356e9ad4ae461511c76b543d969b6f0
SHA256: e839313f28c2088224ab43e562fe1cbdfd9861122c4a80fdc9121cfff8d58690

Malware Config

Extracted

Language: xlm4.0
Source: xlm40.dropper
URLs:
http://mail.emilyanncain.com/cgi-bin/A7NT3ENvn/

Signatures 13

Discovery
  • Process spawned unexpected child process
    rundll32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3948 | 2656 | rundll32.exe | EXCEL.EXE
  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Description

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flow | pid | process
    42 | 2460 | rundll32.exe
    43 | 2460 | rundll32.exe
  • Downloads MZ/PE file
  • Loads dropped DLL
    rundll32.exe, rundll32.exe

    Reported IOCs

    pid | process
    3948 | rundll32.exe
    4048 | rundll32.exe
  • Drops file in System32 directory
    rundll32.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\Yholh\gbofex.rug | rundll32.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    2656 | EXCEL.EXE
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid | process
    2460 | rundll32.exe
    2460 | rundll32.exe
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    2656 | EXCEL.EXE (reported 12 times)
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE, rundll32.exe, rundll32.exe, rundll32.exe

    Reported IOCs

    description | pid | process | target process
    PID 2656 wrote to memory of 3948 | 2656 | EXCEL.EXE | rundll32.exe (reported 3 times)
    PID 3948 wrote to memory of 4048 | 3948 | rundll32.exe | rundll32.exe (reported 3 times)
    PID 4048 wrote to memory of 2232 | 4048 | rundll32.exe | rundll32.exe (reported 3 times)
    PID 2232 wrote to memory of 2460 | 2232 | rundll32.exe | rundll32.exe (reported 3 times)
Processes 5
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e839313f28c2088224ab43e562fe1cbdfd9861122c4a80fdc9121cfff8d58690.xlsm"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\SysWow64\rundll32.exe
      C:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
      Process spawned unexpected child process
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3948
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\erum.ocx",DllRegisterServer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        PID:4048
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Yholh\gbofex.rug",waGdX
          Suspicious use of WriteProcessMemory
          PID:2232
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Yholh\gbofex.rug",DllRegisterServer
            Blocklisted process makes network request
            Suspicious behavior: EnumeratesProcesses
            PID:2460
Downloads
  • C:\Users\Admin\erum.ocx
    MD5: 476ed724c37422578c33371747669460
    SHA1: 535d53b4a03e9f2205da7301849dfc9217990f7e
    SHA256: b1b4fc6018739eedcee96b39de128b3fb768e273ca4c06aa5a1e1d2129c8216a
    SHA512: 7ee68bd287a8ffe323de652a9835246d5641e1f5632e82f426269033708e3aa0690c9181f3b8a0cd0087173e23ee66f19d59aa61a6f000c29acdd8b40e634ec5
