Analysis
-
max time kernel
148s -
max time network
125s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
11-01-2022 17:44
Behavioral task
behavioral1
Sample
38b51ee1239079bda9d7d55d94ad241f9595a1bad8a9538a140cd3504ce559c0.xls
Resource
win10-en-20211208
General
-
Target
38b51ee1239079bda9d7d55d94ad241f9595a1bad8a9538a140cd3504ce559c0.xls
-
Size
118KB
-
MD5
649e907da725e225aad0e71d19611094
-
SHA1
88ae2494e7304d51c21ec826cab65aca20b17082
-
SHA256
38b51ee1239079bda9d7d55d94ad241f9595a1bad8a9538a140cd3504ce559c0
-
SHA512
922f7290d86cbd2b073a965248e4c77d317fb4be0a68d782cd8fd67bc934b4722c111f8c033c0f15a3219c169302d28c09e35cac4fe4a20a2f462e73078cecf1
Malware Config
Extracted
https://wordpressdes.vanzolini-gte.org.br/fundacaotelefonica.org.br/gAbC4QpJYI/
Extracted
emotet
Epoch4
131.100.24.231:80
209.59.138.75:7080
103.8.26.103:8080
51.38.71.0:443
212.237.17.99:8080
79.172.212.216:8080
207.38.84.195:8080
104.168.155.129:8080
178.79.147.66:8080
46.55.222.11:443
103.8.26.102:8080
192.254.71.210:443
45.176.232.124:443
203.114.109.124:443
51.68.175.8:8080
58.227.42.236:80
45.142.114.231:8080
217.182.143.207:443
178.63.25.185:443
45.118.115.99:8080
103.75.201.2:443
104.251.214.46:8080
158.69.222.101:443
81.0.236.90:443
45.118.135.203:7080
176.104.106.96:8080
212.237.56.116:7080
216.158.226.206:443
173.212.193.249:8080
50.116.54.215:443
138.185.72.26:8080
41.76.108.46:8080
212.237.5.209:443
107.182.225.142:8080
195.154.133.20:443
162.214.50.39:7080
110.232.117.186:8080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1928 2740 rundll32.exe EXCEL.EXE -
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes:
rundll32.exerundll32.exepid process 1928 rundll32.exe 2232 rundll32.exe -
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Kkuuvv\ogqywuhfjthbam.wll rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2740 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 2740 EXCEL.EXE 2740 EXCEL.EXE 2740 EXCEL.EXE 2740 EXCEL.EXE 2740 EXCEL.EXE 2740 EXCEL.EXE 2740 EXCEL.EXE 2740 EXCEL.EXE 2740 EXCEL.EXE 2740 EXCEL.EXE 2740 EXCEL.EXE 2740 EXCEL.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
EXCEL.EXErundll32.exerundll32.exerundll32.exedescription pid process target process PID 2740 wrote to memory of 1928 2740 EXCEL.EXE rundll32.exe PID 2740 wrote to memory of 1928 2740 EXCEL.EXE rundll32.exe PID 2740 wrote to memory of 1928 2740 EXCEL.EXE rundll32.exe PID 1928 wrote to memory of 2232 1928 rundll32.exe rundll32.exe PID 1928 wrote to memory of 2232 1928 rundll32.exe rundll32.exe PID 1928 wrote to memory of 2232 1928 rundll32.exe rundll32.exe PID 2232 wrote to memory of 3112 2232 rundll32.exe rundll32.exe PID 2232 wrote to memory of 3112 2232 rundll32.exe rundll32.exe PID 2232 wrote to memory of 3112 2232 rundll32.exe rundll32.exe PID 3112 wrote to memory of 1272 3112 rundll32.exe rundll32.exe PID 3112 wrote to memory of 1272 3112 rundll32.exe rundll32.exe PID 3112 wrote to memory of 1272 3112 rundll32.exe rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\38b51ee1239079bda9d7d55d94ad241f9595a1bad8a9538a140cd3504ce559c0.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWow64\rundll32.exeC:\Windows\SysWow64\rundll32.exe ..\sun.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\sun.ocx",DllRegisterServer3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kkuuvv\ogqywuhfjthbam.wll",mriqLaiyyCLDa4⤵
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kkuuvv\ogqywuhfjthbam.wll",DllRegisterServer5⤵PID:1272
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
9335a3187bd8a8fc950026dbca80366a
SHA1fde95ebb6ba07a861e6c070143bbb6e446b408df
SHA256e467aa960cdbc867b456e4236f6ca77bf07c0a6e202aae2a2d6c44ff3a598119
SHA512fd4b1f45e0aa00be893fd9a43911d784da608d5d8b25660879ff52b6096fbfc964b593f82d69b243c8922db0be8f710dfdefbd8d0675bd89517afd1cf3d62dde
-
MD5
9335a3187bd8a8fc950026dbca80366a
SHA1fde95ebb6ba07a861e6c070143bbb6e446b408df
SHA256e467aa960cdbc867b456e4236f6ca77bf07c0a6e202aae2a2d6c44ff3a598119
SHA512fd4b1f45e0aa00be893fd9a43911d784da608d5d8b25660879ff52b6096fbfc964b593f82d69b243c8922db0be8f710dfdefbd8d0675bd89517afd1cf3d62dde
-
MD5
9335a3187bd8a8fc950026dbca80366a
SHA1fde95ebb6ba07a861e6c070143bbb6e446b408df
SHA256e467aa960cdbc867b456e4236f6ca77bf07c0a6e202aae2a2d6c44ff3a598119
SHA512fd4b1f45e0aa00be893fd9a43911d784da608d5d8b25660879ff52b6096fbfc964b593f82d69b243c8922db0be8f710dfdefbd8d0675bd89517afd1cf3d62dde