Analysis Overview
SHA256
9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a
Threat Level: Known bad
The file 9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm was found to be: Known bad.
Malicious Activity Summary
Emotet
Process spawned unexpected child process
Suspicious Office macro
Downloads MZ/PE file
Loads dropped DLL
Drops file in System32 directory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-12 09:58
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-12 09:58
Reported
2022-03-12 10:01
Platform
win10-20220223-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | blog.centerking.top | udp |
| N/A | 100.64.0.2:80 | blog.centerking.top | tcp |
| US | 8.8.8.8:53 | lucrecomconforto.com.br | udp |
| US | 8.8.8.8:53 | academiasuccesului.ro | udp |
| N/A | 100.64.0.2:80 | academiasuccesului.ro | tcp |
| US | 8.8.8.8:53 | melekler.atspace.cc | udp |
| N/A | 100.64.0.2:80 | melekler.atspace.cc | tcp |
| US | 8.8.8.8:53 | acerestoration.co.za | udp |
| N/A | 100.64.0.2:80 | acerestoration.co.za | tcp |
| US | 8.8.8.8:53 | loko-architecten.nl | udp |
| N/A | 100.64.0.2:80 | loko-architecten.nl | tcp |
| US | 8.8.8.8:53 | sorteiovipbrasil.com.br | udp |
Files
memory/3008-114-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-115-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-116-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-117-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-126-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-127-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-128-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-129-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-130-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-131-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-132-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-133-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-134-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-135-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-137-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-136-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-139-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-138-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-140-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-141-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-143-0x00007FFEFAB70000-0x00007FFEFAC1E000-memory.dmp
memory/3008-142-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-147-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-145-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-149-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-151-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-313-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-314-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-315-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-316-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-317-0x00007FFEFAB70000-0x00007FFEFAC1E000-memory.dmp
memory/3008-318-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-12 09:58
Reported
2022-03-12 10:01
Platform
win10-20220223-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWow64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Qryyktwxyarnffe\tjgzxalcroowv.hid | C:\Windows\SysWow64\regsvr32.exe | N/A |
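The drop above is the artifact worth hunting for on other hosts: a PE image placed in a random-named subdirectory of SysWOW64 under an extension (.hid) that no real component uses but that regsvr32 will load regardless. The following is an added example, not part of the report or of any sandbox's own tooling. It builds a constructed stand-in for the system directory in a scratch folder, using the path from the report plus invented benign neighbours, and flags files whose bytes are a PE (DOS header pointing at a valid PE signature) but whose extension is not one a PE normally carries.

```python
"""Hunt for PE images hiding under non-PE extensions in a system directory.

Added example, not part of the report. The tree is constructed in a temporary
directory so the check runs offline: Qryyktwxyarnffe\\tjgzxalcroowv.hid is the
path recorded in the report, every other entry is made up benign context.
"""
import os
import tempfile

# Extensions under which a PE image is expected inside the system directories.
PE_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx", ".cpl", ".drv", ".scr",
                 ".mui", ".ax", ".efi"}


def is_pe(path):
    """True if the file has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    try:
        with open(path, "rb") as f:
            dos = f.read(64)
            if len(dos) < 64 or dos[:2] != b"MZ":
                return False
            e_lfanew = int.from_bytes(dos[60:64], "little")
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def find_pe_with_odd_extension(root):
    """Relative paths of PE files under root whose extension is not a PE extension."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            full = os.path.join(dirpath, name)
            if ext not in PE_EXTENSIONS and is_pe(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def fake_pe():
    """Minimal bytes that satisfy is_pe(): DOS header with e_lfanew=64, then the PE signature."""
    return b"MZ" + b"\0" * 58 + (64).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20


def build_constructed_tree(root):
    """Stand-in for C:\\Windows\\SysWOW64 (constructed): the report's drop plus benign files."""
    layout = {
        os.path.join("Qryyktwxyarnffe", "tjgzxalcroowv.hid"): fake_pe(),  # the report's drop
        "kernel32.dll": fake_pe(),                                        # PE, expected extension
        os.path.join("en-US", "shell32.dll.mui"): fake_pe(),               # resource DLL: PE under .mui is normal
        os.path.join("drivers", "etc", "hosts"): b"127.0.0.1 localhost\n",  # not a PE at all
        "notes.hid": b"MZ but no PE header follows",                       # MZ prefix only: must not fire
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def hunt_demo():
    """Build the constructed tree in a scratch directory and run the hunt over it."""
    root = build_constructed_tree(tempfile.mkdtemp(prefix="syswow64-"))
    return find_pe_with_odd_extension(root)


if __name__ == "__main__":
    for hit in hunt_demo():
        print("PE with non-PE extension:", hit)
```

Pointing `find_pe_with_odd_extension` at the real `C:\Windows\SysWOW64` and `C:\Windows\System32` is the intended use; the .mui entry is there because resource-only DLLs are legitimate PE files under a non-.dll extension and would otherwise be a steady source of false positives.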
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3932 wrote to memory of 4092 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 3932 wrote to memory of 4092 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 3932 wrote to memory of 4092 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SysWow64\regsvr32.exe |
| PID 4092 wrote to memory of 4036 | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4092 wrote to memory of 4036 | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4092 wrote to memory of 4036 | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm"
C:\Windows\SysWow64\regsvr32.exe
C:\Windows\SysWow64\regsvr32.exe -s ..\adx.ocx
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Qryyktwxyarnffe\tjgzxalcroowv.hid"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | blog.centerking.top | udp |
| HK | 129.226.183.155:80 | blog.centerking.top | tcp |
| US | 20.189.173.14:443 | | tcp |
| PL | 51.75.33.122:443 | | tcp |
| BR | 186.250.48.5:80 | 186.250.48.5 | tcp |
| DE | 168.119.39.118:443 | | tcp |
| AU | 207.148.81.119:8080 | | tcp |
| FR | 194.9.172.107:8080 | | tcp |
| CN | 139.196.72.155:8080 | 139.196.72.155 | tcp |
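Reading the two Network tables together: in behavioral1 the download hosts resolved, but every TCP connection went to 100.64.0.2, an address in RFC 6598 shared address space that is not routable on the internet, so that run never reached a real server, which is consistent with no regsvr32 child appearing in it. In behavioral2 blog.centerking.top resolved to 129.226.183.155 and the payload came down over port 80, followed by connections on 443 and 8080 for which the report records no domain. Two rows give a bare IP in the Domain column, which must not be treated as a hostname. The block below is an added example, not part of the report or of the sandbox's export tooling: it parses both tables' rows, drops the sandbox's resolver (8.8.8.8:53) and the non-global sink, and returns the domains and endpoints worth putting on a block list. One row is kept in the shifted shape (Proto in the Domain column) that some exports produce, to show how it is repaired.

```python
"""Pull block-list IOCs out of the report's Network tables.

Added example, not part of the report. ROWS are the pipe-table rows from the
behavioral1 and behavioral2 Network sections, copied as text.
"""
import ipaddress

ROWS = """
| US | 8.8.8.8:53 | blog.centerking.top | udp |
| N/A | 100.64.0.2:80 | blog.centerking.top | tcp |
| US | 8.8.8.8:53 | lucrecomconforto.com.br | udp |
| US | 8.8.8.8:53 | academiasuccesului.ro | udp |
| N/A | 100.64.0.2:80 | academiasuccesului.ro | tcp |
| HK | 129.226.183.155:80 | blog.centerking.top | tcp |
| US | 20.189.173.14:443 | tcp | |
| PL | 51.75.33.122:443 | | tcp |
| BR | 186.250.48.5:80 | 186.250.48.5 | tcp |
| DE | 168.119.39.118:443 | | tcp |
| AU | 207.148.81.119:8080 | | tcp |
| FR | 194.9.172.107:8080 | | tcp |
| CN | 139.196.72.155:8080 | 139.196.72.155 | tcp |
""".strip().splitlines()


def parse_row(line):
    """One pipe-table row -> dict; repairs rows whose empty Domain cell was dropped."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        raise ValueError(f"unexpected row: {line!r}")
    country, dest, domain, proto = cells
    if domain in ("tcp", "udp") and proto == "":  # Proto shifted left into the Domain column
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def extract_iocs(rows):
    """Split rows into block-list domains, block-list ip:port endpoints, and sandbox noise."""
    domains, endpoints, ignored = set(), set(), set()
    for row in map(parse_row, rows):
        addr = ipaddress.ip_address(row["ip"])
        endpoint = f'{row["ip"]}:{row["port"]}'
        if row["proto"] == "udp" and row["port"] == 53:
            # the name being looked up is the indicator; the resolver is the sandbox's
            if row["domain"]:
                domains.add(row["domain"])
            continue
        if not addr.is_global:
            # RFC 6598 / RFC 1918 space: the sandbox's network sink, never an attacker host
            ignored.add(endpoint)
            continue
        endpoints.add(endpoint)
        if row["domain"] and row["domain"] != row["ip"]:  # bare IPs in Domain are not hostnames
            domains.add(row["domain"])
    return {"domains": sorted(domains), "endpoints": sorted(endpoints),
            "ignored": sorted(ignored)}


if __name__ == "__main__":
    result = extract_iocs(ROWS)
    for key in ("domains", "endpoints", "ignored"):
        print(key, result[key])
```

The 443 endpoints come out in the block list because the report gives nothing to separate them from the 8080 ones; before deploying, check each against passive DNS or your own proxy logs, since a connection with no recorded domain can just as well be the guest's own update or telemetry traffic as part of the infection.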
Files
memory/3932-114-0x00007FFF89EB0000-0x00007FFF89EC0000-memory.dmp
memory/3932-115-0x00007FFF89EB0000-0x00007FFF89EC0000-memory.dmp
memory/3932-116-0x00007FFF89EB0000-0x00007FFF89EC0000-memory.dmp
memory/3932-118-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-117-0x00007FFF89EB0000-0x00007FFF89EC0000-memory.dmp
memory/3932-119-0x00007FFFC9490000-0x00007FFFC953E000-memory.dmp
memory/3932-120-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-123-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-125-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-124-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-126-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-127-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-128-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-129-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-130-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-131-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-132-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-133-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-134-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-135-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-137-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-141-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-139-0x00007FFFC9490000-0x00007FFFC953E000-memory.dmp
memory/3932-144-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
C:\Users\Admin\adx.ocx
| MD5 | df46019d92eb6df67ca1153b296d034a |
| SHA1 | 1217a1216dbea1a275e9af58094f1b39933a11f6 |
| SHA256 | cd2fab983f4dba43c95396ea7707d34f7a394257e69563e5e17a1b7caa88d053 |
| SHA512 | f1e7b14810702c8ba4e091f1797b8f256a039a80a509df19cfab618c4fdb4c7dfbaab54a60178e5537f0f46050d764d4ad6637f13570ad14376086bb0cd76c06 |
\Users\Admin\adx.ocx
| MD5 | df46019d92eb6df67ca1153b296d034a |
| SHA1 | 1217a1216dbea1a275e9af58094f1b39933a11f6 |
| SHA256 | cd2fab983f4dba43c95396ea7707d34f7a394257e69563e5e17a1b7caa88d053 |
| SHA512 | f1e7b14810702c8ba4e091f1797b8f256a039a80a509df19cfab618c4fdb4c7dfbaab54a60178e5537f0f46050d764d4ad6637f13570ad14376086bb0cd76c06 |
memory/4092-155-0x0000000004B50000-0x0000000004B77000-memory.dmp
memory/4036-158-0x0000000000BB0000-0x0000000000BD7000-memory.dmp