Analysis Overview
SHA256
5c6aea6be7880ed8f7e80593115269ba7863db0a6233779b499da82550b80fa2
Threat Level: Known bad
The file 5c6aea6be7880ed8f7e80593115269ba7863db0a6233779b499da82550b80fa2.xlsm was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE W32/Emotet CnC Beacon 3
Emotet
Process spawned unexpected child process
Suspicious Office macro
Downloads MZ/PE file
Loads dropped DLL
Drops file in System32 directory
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-11 19:34
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-11 19:34
Reported
2022-03-11 19:37
Platform
win10-20220223-en
Max time kernel
127s
Max time network
143s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5c6aea6be7880ed8f7e80593115269ba7863db0a6233779b499da82550b80fa2.xlsm"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gokcevizyon.com | udp |
| N/A | 100.64.0.2:80 | gokcevizyon.com | tcp |
| US | 8.8.8.8:53 | henrysfreshroast.com | udp |
| N/A | 100.64.0.2:80 | henrysfreshroast.com | tcp |
| US | 8.8.8.8:53 | sorathlions.com | udp |
| N/A | 100.64.0.2:80 | sorathlions.com | tcp |
| US | 8.8.8.8:53 | www.ajaxmatters.com | udp |
| N/A | 100.64.0.2:80 | www.ajaxmatters.com | tcp |
| US | 8.8.8.8:53 | cricketaddictorsassociation.com | udp |
| US | 8.8.8.8:53 | ewestern.com | udp |
Files
memory/2548-114-0x00007FF8A5B40000-0x00007FF8A5B50000-memory.dmp
memory/2548-115-0x00007FF8A5B40000-0x00007FF8A5B50000-memory.dmp
memory/2548-116-0x00007FF8A5B40000-0x00007FF8A5B50000-memory.dmp
memory/2548-117-0x00007FF8A5B40000-0x00007FF8A5B50000-memory.dmp
memory/2548-126-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-127-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-128-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-129-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-130-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-131-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-132-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-133-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-134-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-135-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-136-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-137-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-138-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-139-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-140-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-141-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-142-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-143-0x00007FF8E30A0000-0x00007FF8E314E000-memory.dmp
memory/2548-144-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-145-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-147-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
memory/2548-314-0x00007FF8A5B40000-0x00007FF8A5B50000-memory.dmp
memory/2548-315-0x00007FF8A5B40000-0x00007FF8A5B50000-memory.dmp
memory/2548-316-0x00007FF8A5B40000-0x00007FF8A5B50000-memory.dmp
memory/2548-317-0x00007FF8A5B40000-0x00007FF8A5B50000-memory.dmp
memory/2548-318-0x00007FF8E30A0000-0x00007FF8E314E000-memory.dmp
memory/2548-319-0x00007FF8E5AB0000-0x00007FF8E5C8B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-11 19:34
Reported
2022-03-11 19:37
Platform
win10-20220223-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
suricata: ET MALWARE W32/Emotet CnC Beacon 3
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWow64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Cbeyvibxauwdcoxs\bocotghz.dnd | C:\Windows\SysWow64\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1504 wrote to memory of 3148 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 1504 wrote to memory of 3148 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 1504 wrote to memory of 3148 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 3148 wrote to memory of 1512 | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3148 wrote to memory of 1512 | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3148 wrote to memory of 1512 | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5c6aea6be7880ed8f7e80593115269ba7863db0a6233779b499da82550b80fa2.xlsm"
C:\Windows\SysWow64\regsvr32.exe
C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Cbeyvibxauwdcoxs\bocotghz.dnd"
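The "Process spawned unexpected child process" signature and the Processes list above describe the same chain: EXCEL.EXE starts a 32-bit regsvr32.exe with a relative module path (..\sei.ocx), and that regsvr32.exe starts a second one that loads a file with a non-DLL extension from a freshly created SysWOW64 subdirectory. The script below is an added example written for this page, not the sandbox's own detection logic. It runs a handful of host-side rules over constructed process-creation events modelled on Sysmon Event ID 1 (pid, ppid, image, command line). PIDs 1504, 3148 and 1512 and the command lines are taken from the report; the parent PID 4321 for EXCEL.EXE, the parent/child link 3148 -> 1512 (inferred from the WriteProcessMemory table), and the benign regsvr32 control event are assumptions made for the example.

```python
"""Flag the Office -> regsvr32 -> regsvr32 chain recorded in behavioral2.

Added example for this page, not code from the sandbox report. Input is a
list of constructed process-creation events (Sysmon Event ID 1 style).
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Signed Windows binaries commonly abused as Office macro children.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
REGSVR32_EXPECTED_EXT = {".dll", ".ocx", ".ax"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


def split_cmdline(cmdline: str) -> List[str]:
    """Windows-style split: double-quoted runs stay together, quotes stripped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def regsvr32_module(cmdline: str) -> Optional[str]:
    """The first non-switch argument to regsvr32 is the module it will load."""
    for arg in split_cmdline(cmdline)[1:]:
        if arg[:1] in ("/", "-"):  # /s (silent), /u, /n, /i:... are switches
            continue
        return arg
    return None


def is_relative(path: str) -> bool:
    """Neither drive-rooted (C:\\...) nor UNC (\\\\server\\...)."""
    return re.match(r"^[a-z]:\\|^\\\\", path.lower()) is None


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.name in OFFICE_IMAGES and e.name in LOLBINS:
            findings.append((e.pid, "office_spawned_lolbin"))
        if e.name != "regsvr32.exe":
            continue
        module = regsvr32_module(e.cmdline)
        if module:
            low = module.lower()
            if ntpath.splitext(low)[1] not in REGSVR32_EXPECTED_EXT:
                findings.append((e.pid, "regsvr32_unusual_extension"))
            if is_relative(low):
                # "..\sei.ocx" resolves against the parent's working directory,
                # which a process-creation event alone does not show.
                findings.append((e.pid, "regsvr32_relative_path"))
            if any(p in low for p in USER_WRITABLE):
                findings.append((e.pid, "regsvr32_user_writable_module"))
        if parent and parent.name == "regsvr32.exe":
            findings.append((e.pid, "regsvr32_spawned_regsvr32"))
    return findings


# Constructed events. PIDs and command lines follow the report; the Excel
# parent PID (4321, assumed to be explorer.exe), the 3148 -> 1512 parent link
# and the benign control event (PID 2000) are assumptions for this example.
EVENTS = [
    ProcEvent(1504, 4321, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
              r'"C:\Users\Admin\AppData\Local\Temp\5c6aea6be7880ed8f7e80593115269ba7863db0a6233779b499da82550b80fa2.xlsm"'),
    ProcEvent(3148, 1504, r"C:\Windows\SysWow64\regsvr32.exe",
              r"C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx"),
    ProcEvent(1512, 3148, r"C:\Windows\SysWOW64\regsvr32.exe",
              r'C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Cbeyvibxauwdcoxs\bocotghz.dnd"'),
    ProcEvent(2000, 4321, r"C:\Windows\System32\regsvr32.exe",
              r"C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\scrrun.dll"),
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid}: {rule}")
```

The extension rule is the one that survives renaming: Emotet's second-stage module keeps a random name and a non-DLL extension, but regsvr32 loads it regardless, so a DLL-load event with an unexpected extension is a better anchor than any file name. The relative-path rule needs the parent's working directory to resolve, which is why the example only flags it rather than trying to resolve it.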
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gokcevizyon.com | udp |
| TR | 178.210.174.35:80 | gokcevizyon.com | tcp |
| BR | 186.250.48.5:80 | 186.250.48.5 | tcp |
| DE | 168.119.39.118:443 | N/A | tcp |
| UA | 185.168.130.138:443 | 185.168.130.138 | tcp |
Files
memory/1504-114-0x00007FFC57330000-0x00007FFC57340000-memory.dmp
memory/1504-115-0x00007FFC57330000-0x00007FFC57340000-memory.dmp
memory/1504-116-0x00007FFC57330000-0x00007FFC57340000-memory.dmp
memory/1504-117-0x00007FFC57330000-0x00007FFC57340000-memory.dmp
memory/1504-128-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-129-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-132-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-134-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-136-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-138-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-140-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-143-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-145-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-148-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-150-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-152-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-154-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-155-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-157-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-159-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-161-0x00007FFC96F20000-0x00007FFC96FCE000-memory.dmp
memory/1504-164-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-166-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-169-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
memory/1504-171-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp
C:\Users\Admin\sei.ocx
| MD5 | b66ea05079cc0b697b808ea626791dfd |
| SHA1 | fd2d38fdaee9df0dc44095e93c91ae63e89778ee |
| SHA256 | 30c7b933cac568d7dbb98e7c75ede9b124da8d5fe8615dd7a30c9c8f792605d0 |
| SHA512 | 1f2a3e7b504e3e9d9f4fc2207707c657bb69b0033f704785ef5e9aebfc27ec7f5e74b00b732457298f52593cabe667ec40c8f75887698627373b1a3a11292015 |
\Users\Admin\sei.ocx
| MD5 | b66ea05079cc0b697b808ea626791dfd |
| SHA1 | fd2d38fdaee9df0dc44095e93c91ae63e89778ee |
| SHA256 | 30c7b933cac568d7dbb98e7c75ede9b124da8d5fe8615dd7a30c9c8f792605d0 |
| SHA512 | 1f2a3e7b504e3e9d9f4fc2207707c657bb69b0033f704785ef5e9aebfc27ec7f5e74b00b732457298f52593cabe667ec40c8f75887698627373b1a3a11292015 |
memory/1512-301-0x00000000044A0000-0x00000000044C7000-memory.dmp
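The Files sections list memory dumps as memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp, with the same address range appearing once per snapshot. The parser below is an added example for this page, not a tool shipped with the sandbox: it collapses the repeated snapshots into one region per (pid, start, end) with its size and snapshot count, and notes whether the region lies above 4 GiB (which proves the owning process is 64-bit; a low address is inconclusive). The sample names are copied from the behavioral2 list above; the naming convention itself is read off the page and is an assumption only in that the sandbox does not document it.

```python
"""Summarise sandbox memory-dump names into distinct regions.

Added example for this page, not code from the sandbox report. Parses
memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp (format as observed
in the Files sections; the sandbox does not document it).
"""
import re
from typing import Dict, List, Tuple

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

RegionKey = Tuple[int, int, int]  # (pid, start, end)


def parse_dump_name(name: str) -> Dict[str, int]:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end}


def summarize(names: List[str]) -> Dict[RegionKey, Dict[str, object]]:
    """One entry per distinct (pid, start, end), sorted by pid then address."""
    regions: Dict[RegionKey, Dict[str, object]] = {}
    for name in names:
        d = parse_dump_name(name)
        key = (d["pid"], d["start"], d["end"])
        region = regions.setdefault(key, {
            "size": d["end"] - d["start"],
            "snapshots": 0,
            # Above 4 GiB can only belong to a 64-bit process (EXCEL.EXE here);
            # below 4 GiB is compatible with either a WOW64 or a 64-bit process.
            "above_4gb": d["end"] > 0x1_0000_0000,
        })
        region["snapshots"] += 1
    return dict(sorted(regions.items()))


# Sample dump names copied from the behavioral2 Files section.
SAMPLE_DUMPS = [
    "memory/1504-114-0x00007FFC57330000-0x00007FFC57340000-memory.dmp",
    "memory/1504-115-0x00007FFC57330000-0x00007FFC57340000-memory.dmp",
    "memory/1504-128-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp",
    "memory/1504-129-0x00007FFC972A0000-0x00007FFC9747B000-memory.dmp",
    "memory/1504-161-0x00007FFC96F20000-0x00007FFC96FCE000-memory.dmp",
    "memory/1512-301-0x00000000044A0000-0x00000000044C7000-memory.dmp",
]

if __name__ == "__main__":
    for (pid, start, end), info in summarize(SAMPLE_DUMPS).items():
        print(f"pid {pid}: 0x{start:016X}-0x{end:016X} "
              f"size=0x{info['size']:X} snapshots={info['snapshots']} "
              f"above_4gb={info['above_4gb']}")
```

Run over the full lists above, the summary shows that the 1504 and 2548 ranges are all high 64-bit addresses in EXCEL.EXE, while the single 1512 dump is a 0x27000-byte region in the second, 32-bit regsvr32.exe; that is the dump to pull first when the report's own hashes (sei.ocx above) are not enough and the in-memory module is wanted.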