1fe942f8fb7656e92f1d24a24cce7fd0bf9564693184fb8883203a4733b51253

General

Target

1fe942f8fb7656e92f1d24a24cce7fd0bf9564693184fb8883203a4733b51253.xlsm
Size

99KB
MD5

4d0597bff370b6ad371c1c7cb3fc1ac1
SHA1

1168604e7f52b3c3ceb7e71eea9c3796881d0c26
SHA256

1fe942f8fb7656e92f1d24a24cce7fd0bf9564693184fb8883203a4733b51253
SHA512

327fbf2bf248053419e9c7cc0dd9bac149a718f448222b5b81ba45f5f802153755a9b681be957836f560aeab2e3816b6c912015f196900d2311c4ae6e111a6d5

Score

10^/10

suricata

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://auto.lambolero.com/f1nygync/IOENXupeXUt/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3168	2916	rundll32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

45 3380 rundll32.exe
46 3380 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3168 rundll32.exe
3640 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Lzkbiitzrn\inivc.bsj rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
45	3380	rundll32.exe
46	3380	rundll32.exe

pid	process
3168	rundll32.exe
3640	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Lzkbiitzrn\inivc.bsj	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2916 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3380 rundll32.exe
3380 rundll32.exe

pid	process
3380	rundll32.exe
3380	rundll32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 2916 wrote to memory of 3168	2916	EXCEL.EXE	rundll32.exe
PID 2916 wrote to memory of 3168	2916	EXCEL.EXE	rundll32.exe
PID 2916 wrote to memory of 3168	2916	EXCEL.EXE	rundll32.exe
PID 3168 wrote to memory of 3640	3168	rundll32.exe	rundll32.exe
PID 3168 wrote to memory of 3640	3168	rundll32.exe	rundll32.exe
PID 3168 wrote to memory of 3640	3168	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 3860	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 3860	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 3860	3640	rundll32.exe	rundll32.exe
PID 3860 wrote to memory of 3380	3860	rundll32.exe	rundll32.exe
PID 3860 wrote to memory of 3380	3860	rundll32.exe	rundll32.exe
PID 3860 wrote to memory of 3380	3860	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1fe942f8fb7656e92f1d24a24cce7fd0bf9564693184fb8883203a4733b51253.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWow64\rundll32.exe
C:\Windows\SysWow64\rundll32.exe ..\ourl.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\ourl.ocx",DllRegisterServer
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lzkbiitzrn\inivc.bsj",RJJIVhbLw
4⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lzkbiitzrn\inivc.bsj",DllRegisterServer
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ourl.ocx

MD5
970184fe67c46f55e6565786d14480d6

SHA1
de8c62051b3d4bf18e7f90a8e20ec4afb34012de

SHA256
340513992fb4da5d1dc3ad3b369672e05ef81b6b2f89f9d9c97e68ec22fb10ad

SHA512
770c6fada0bb9708e8c77be412276dde20dadc42a02511a7043b12ac994ac8c473ea1214726f0b89b54cc1dbe9a496951bcad9cf6b8298b222ff3a04655dcde6

Download Submit
\Users\Admin\ourl.ocx

MD5
970184fe67c46f55e6565786d14480d6

SHA1
de8c62051b3d4bf18e7f90a8e20ec4afb34012de

SHA256
340513992fb4da5d1dc3ad3b369672e05ef81b6b2f89f9d9c97e68ec22fb10ad

SHA512
770c6fada0bb9708e8c77be412276dde20dadc42a02511a7043b12ac994ac8c473ea1214726f0b89b54cc1dbe9a496951bcad9cf6b8298b222ff3a04655dcde6

Download Submit
\Users\Admin\ourl.ocx

MD5
970184fe67c46f55e6565786d14480d6

SHA1
de8c62051b3d4bf18e7f90a8e20ec4afb34012de

SHA256
340513992fb4da5d1dc3ad3b369672e05ef81b6b2f89f9d9c97e68ec22fb10ad

SHA512
770c6fada0bb9708e8c77be412276dde20dadc42a02511a7043b12ac994ac8c473ea1214726f0b89b54cc1dbe9a496951bcad9cf6b8298b222ff3a04655dcde6

Download Submit
memory/2916-119-0x00007FF909EF0000-0x00007FF909F00000-memory.dmp

Filesize
64KB

Download
memory/2916-116-0x00007FF909EF0000-0x00007FF909F00000-memory.dmp

Filesize
64KB

Download
memory/2916-120-0x00000276B2CD0000-0x00000276B2CD2000-memory.dmp

Filesize
8KB

Download
memory/2916-121-0x00000276B2CD0000-0x00000276B2CD2000-memory.dmp

Filesize
8KB

Download
memory/2916-122-0x00000276B2CD0000-0x00000276B2CD2000-memory.dmp

Filesize
8KB

Download
memory/2916-128-0x00007FF906CA0000-0x00007FF906CB0000-memory.dmp

Filesize
64KB

Download
memory/2916-129-0x00007FF906CA0000-0x00007FF906CB0000-memory.dmp

Filesize
64KB

Download
memory/2916-115-0x00007FF909EF0000-0x00007FF909F00000-memory.dmp

Filesize
64KB

Download
memory/2916-118-0x00007FF909EF0000-0x00007FF909F00000-memory.dmp

Filesize
64KB

Download
memory/2916-117-0x00007FF909EF0000-0x00007FF909F00000-memory.dmp

Filesize
64KB

Download
memory/3168-261-0x0000000000000000-mapping.dmp

Download
memory/3380-283-0x0000000000000000-mapping.dmp

Download
memory/3640-266-0x0000000000000000-mapping.dmp

Download
memory/3860-278-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads