Malware Analysis Report

2025-01-22 16:05

Sample ID 220311-yabecaeabq
Target 5c6aea6be7880ed8f7e80593115269ba7863db0a6233779b499da82550b80fa2.xlsm
SHA256 5c6aea6be7880ed8f7e80593115269ba7863db0a6233779b499da82550b80fa2
Tags macro xlm emotet epoch5 banker suricata trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

5c6aea6be7880ed8f7e80593115269ba7863db0a6233779b499da82550b80fa2

Threat Level: Known bad

The file 5c6aea6be7880ed8f7e80593115269ba7863db0a6233779b499da82550b80fa2.xlsm was found to be: Known bad.

Malicious Activity Summary

macro xlm emotet epoch5 banker suricata trojan

suricata: ET MALWARE W32/Emotet CnC Beacon 3

Emotet

Process spawned unexpected child process

Suspicious Office macro

Downloads MZ/PE file

Loads dropped DLL

Drops file in System32 directory

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-11 19:34

Signatures

Suspicious Office macro

macro xlm
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-11 19:34

Reported

2022-03-11 19:37

Platform

win10-20220223-en

Max time kernel

127s

Max time network

143s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5c6aea6be7880ed8f7e80593115269ba7863db0a6233779b499da82550b80fa2.xlsm"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5c6aea6be7880ed8f7e80593115269ba7863db0a6233779b499da82550b80fa2.xlsm"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | gokcevizyon.com | udp
N/A | 100.64.0.2:80 | gokcevizyon.com | tcp
US | 8.8.8.8:53 | henrysfreshroast.com | udp
N/A | 100.64.0.2:80 | henrysfreshroast.com | tcp
US | 8.8.8.8:53 | sorathlions.com | udp
N/A | 100.64.0.2:80 | sorathlions.com | tcp
US | 8.8.8.8:53 | www.ajaxmatters.com | udp
N/A | 100.64.0.2:80 | www.ajaxmatters.com | tcp
US | 8.8.8.8:53 | cricketaddictorsassociation.com | udp
US | 8.8.8.8:53 | ewestern.com | udp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2022-03-11 19:34

Reported

2022-03-11 19:37

Platform

win10-20220223-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5c6aea6be7880ed8f7e80593115269ba7863db0a6233779b499da82550b80fa2.xlsm"

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3

suricata

Downloads MZ/PE file

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWow64\regsvr32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Cbeyvibxauwdcoxs\bocotghz.dnd | C:\Windows\SysWow64\regsvr32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5c6aea6be7880ed8f7e80593115269ba7863db0a6233779b499da82550b80fa2.xlsm"

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Cbeyvibxauwdcoxs\bocotghz.dnd"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | gokcevizyon.com | udp
TR | 178.210.174.35:80 | gokcevizyon.com | tcp
BR | 186.250.48.5:80 | 186.250.48.5 | tcp
DE | 168.119.39.118:443 |  | tcp
UA | 185.168.130.138:443 | 185.168.130.138 | tcp

Files


C:\Users\Admin\sei.ocx

MD5 b66ea05079cc0b697b808ea626791dfd
SHA1 fd2d38fdaee9df0dc44095e93c91ae63e89778ee
SHA256 30c7b933cac568d7dbb98e7c75ede9b124da8d5fe8615dd7a30c9c8f792605d0
SHA512 1f2a3e7b504e3e9d9f4fc2207707c657bb69b0033f704785ef5e9aebfc27ec7f5e74b00b732457298f52593cabe667ec40c8f75887698627373b1a3a11292015

\Users\Admin\sei.ocx

MD5 b66ea05079cc0b697b808ea626791dfd
SHA1 fd2d38fdaee9df0dc44095e93c91ae63e89778ee
SHA256 30c7b933cac568d7dbb98e7c75ede9b124da8d5fe8615dd7a30c9c8f792605d0
SHA512 1f2a3e7b504e3e9d9f4fc2207707c657bb69b0033f704785ef5e9aebfc27ec7f5e74b00b732457298f52593cabe667ec40c8f75887698627373b1a3a11292015

memory/1512-301-0x00000000044A0000-0x00000000044C7000-memory.dmp