Analysis
-
max time kernel
144s -
max time network
129s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
11-01-2022 17:54
Behavioral task
behavioral1
Sample
649e907da725e225aad0e71d19611094.xls
Resource
win7-en-20211208
General
-
Target
649e907da725e225aad0e71d19611094.xls
-
Size
118KB
-
MD5
649e907da725e225aad0e71d19611094
-
SHA1
88ae2494e7304d51c21ec826cab65aca20b17082
-
SHA256
38b51ee1239079bda9d7d55d94ad241f9595a1bad8a9538a140cd3504ce559c0
-
SHA512
922f7290d86cbd2b073a965248e4c77d317fb4be0a68d782cd8fd67bc934b4722c111f8c033c0f15a3219c169302d28c09e35cac4fe4a20a2f462e73078cecf1
Malware Config
Extracted
https://wordpressdes.vanzolini-gte.org.br/fundacaotelefonica.org.br/gAbC4QpJYI/
Extracted
emotet
Epoch4
131.100.24.231:80
209.59.138.75:7080
103.8.26.103:8080
51.38.71.0:443
212.237.17.99:8080
79.172.212.216:8080
207.38.84.195:8080
104.168.155.129:8080
178.79.147.66:8080
46.55.222.11:443
103.8.26.102:8080
192.254.71.210:443
45.176.232.124:443
203.114.109.124:443
51.68.175.8:8080
58.227.42.236:80
45.142.114.231:8080
217.182.143.207:443
178.63.25.185:443
45.118.115.99:8080
103.75.201.2:443
104.251.214.46:8080
158.69.222.101:443
81.0.236.90:443
45.118.135.203:7080
176.104.106.96:8080
212.237.56.116:7080
216.158.226.206:443
173.212.193.249:8080
50.116.54.215:443
138.185.72.26:8080
41.76.108.46:8080
212.237.5.209:443
107.182.225.142:8080
195.154.133.20:443
162.214.50.39:7080
110.232.117.186:8080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4260 3584 rundll32.exe EXCEL.EXE -
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes:
rundll32.exerundll32.exepid process 4260 rundll32.exe 4980 rundll32.exe -
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Dolrregnndib\czxmcyyfbjipg.pww rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 3584 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 3584 EXCEL.EXE 3584 EXCEL.EXE 3584 EXCEL.EXE 3584 EXCEL.EXE 3584 EXCEL.EXE 3584 EXCEL.EXE 3584 EXCEL.EXE 3584 EXCEL.EXE 3584 EXCEL.EXE 3584 EXCEL.EXE 3584 EXCEL.EXE 3584 EXCEL.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
EXCEL.EXErundll32.exerundll32.exerundll32.exedescription pid process target process PID 3584 wrote to memory of 4260 3584 EXCEL.EXE rundll32.exe PID 3584 wrote to memory of 4260 3584 EXCEL.EXE rundll32.exe PID 3584 wrote to memory of 4260 3584 EXCEL.EXE rundll32.exe PID 4260 wrote to memory of 4980 4260 rundll32.exe rundll32.exe PID 4260 wrote to memory of 4980 4260 rundll32.exe rundll32.exe PID 4260 wrote to memory of 4980 4260 rundll32.exe rundll32.exe PID 4980 wrote to memory of 4524 4980 rundll32.exe rundll32.exe PID 4980 wrote to memory of 4524 4980 rundll32.exe rundll32.exe PID 4980 wrote to memory of 4524 4980 rundll32.exe rundll32.exe PID 4524 wrote to memory of 1284 4524 rundll32.exe rundll32.exe PID 4524 wrote to memory of 1284 4524 rundll32.exe rundll32.exe PID 4524 wrote to memory of 1284 4524 rundll32.exe rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\649e907da725e225aad0e71d19611094.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWow64\rundll32.exeC:\Windows\SysWow64\rundll32.exe ..\sun.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\sun.ocx",DllRegisterServer3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Dolrregnndib\czxmcyyfbjipg.pww",dlrYcv4⤵
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Dolrregnndib\czxmcyyfbjipg.pww",DllRegisterServer5⤵PID:1284
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
9e1b54583ed7242ae3eaadd9027c30cf
SHA1c367eee2df91e6b1eb26b464d78fb3c6d0584275
SHA256b2c54b1512fc88a36503a994367556a9623278c80410cd6d8dc9e8ad0604a950
SHA512d574d0a83a32b56b9cc8782137cacf4e77ef6f5d93fa1eb13788df1259d2d930e851ec2e4d39a57bb9a81660e7cb0278a2805ec6f8d7064c26428e3d8bd00a70
-
MD5
9e1b54583ed7242ae3eaadd9027c30cf
SHA1c367eee2df91e6b1eb26b464d78fb3c6d0584275
SHA256b2c54b1512fc88a36503a994367556a9623278c80410cd6d8dc9e8ad0604a950
SHA512d574d0a83a32b56b9cc8782137cacf4e77ef6f5d93fa1eb13788df1259d2d930e851ec2e4d39a57bb9a81660e7cb0278a2805ec6f8d7064c26428e3d8bd00a70
-
MD5
9e1b54583ed7242ae3eaadd9027c30cf
SHA1c367eee2df91e6b1eb26b464d78fb3c6d0584275
SHA256b2c54b1512fc88a36503a994367556a9623278c80410cd6d8dc9e8ad0604a950
SHA512d574d0a83a32b56b9cc8782137cacf4e77ef6f5d93fa1eb13788df1259d2d930e851ec2e4d39a57bb9a81660e7cb0278a2805ec6f8d7064c26428e3d8bd00a70