Malware Analysis Report

2025-01-22 16:05

Sample ID: 220312-lzmgpabcd2
Target: 9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm
SHA256: 9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a
Tags: macro, xlm, emotet, epoch5, banker, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a
Threat Level: Known bad

The file 9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm was found to be: Known bad.

Malicious Activity Summary

Tags: macro, xlm, emotet, epoch5, banker, trojan

Signatures triggered:
  Emotet
  Process spawned unexpected child process
  Suspicious Office macro
  Downloads MZ/PE file
  Loads dropped DLL
  Drops file in System32 directory
  Suspicious behavior: AddClipboardFormatListener
  Suspicious use of FindShellTrayWindow
  Checks processor information in registry
  Suspicious use of SetWindowsHookEx
  Enumerates system info in registry
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-03-12 09:58

Signatures

Suspicious Office macro

Tags: macro, xlm

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2022-03-12 09:58
Reported: 2022-03-12 10:01
Platform: win10-20220223-en
Max time kernel: 144s
Max time network: 147s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm"

Signatures

Checks processor information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |

Enumerates system info in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |

Suspicious behavior: AddClipboardFormatListener

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | blog.centerking.top | udp |
| N/A | 100.64.0.2:80 | blog.centerking.top | tcp |
| US | 8.8.8.8:53 | lucrecomconforto.com.br | udp |
| US | 8.8.8.8:53 | academiasuccesului.ro | udp |
| N/A | 100.64.0.2:80 | academiasuccesului.ro | tcp |
| US | 8.8.8.8:53 | melekler.atspace.cc | udp |
| N/A | 100.64.0.2:80 | melekler.atspace.cc | tcp |
| US | 8.8.8.8:53 | acerestoration.co.za | udp |
| N/A | 100.64.0.2:80 | acerestoration.co.za | tcp |
| US | 8.8.8.8:53 | loko-architecten.nl | udp |
| N/A | 100.64.0.2:80 | loko-architecten.nl | tcp |
| US | 8.8.8.8:53 | sorteiovipbrasil.com.br | udp |

Files

memory/3008-114-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-115-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-116-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-117-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-126-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-127-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-128-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-129-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-130-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-131-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-132-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-133-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-134-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-135-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-137-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-136-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-139-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-138-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-140-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-141-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-143-0x00007FFEFAB70000-0x00007FFEFAC1E000-memory.dmp
memory/3008-142-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-147-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-145-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-149-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-151-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp
memory/3008-313-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-314-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-315-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-316-0x00007FFEBAE50000-0x00007FFEBAE60000-memory.dmp
memory/3008-317-0x00007FFEFAB70000-0x00007FFEFAC1E000-memory.dmp
memory/3008-318-0x00007FFEFADC0000-0x00007FFEFAF9B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-03-12 09:58
Reported: 2022-03-12 10:01
Platform: win10-20220223-en
Max time kernel: 148s
Max time network: 152s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm"

Signatures

Emotet

Tags: trojan, banker, emotet

Process spawned unexpected child process

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWow64\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |

Downloads MZ/PE file

Loads dropped DLL

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWow64\regsvr32.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\Qryyktwxyarnffe\tjgzxalcroowv.hid | C:\Windows\SysWow64\regsvr32.exe | N/A |

Checks processor information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |

Enumerates system info in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |

Suspicious behavior: AddClipboardFormatListener

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9406991950efaebb87aff68e0d3573fd59655678366a5940956c37b25d02226a.xlsm"

C:\Windows\SysWow64\regsvr32.exe

C:\Windows\SysWow64\regsvr32.exe -s ..\adx.ocx

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Qryyktwxyarnffe\tjgzxalcroowv.hid"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | blog.centerking.top | udp |
| HK | 129.226.183.155:80 | blog.centerking.top | tcp |
| US | 20.189.173.14:443 | | tcp |
| PL | 51.75.33.122:443 | | tcp |
| BR | 186.250.48.5:80 | 186.250.48.5 | tcp |
| DE | 168.119.39.118:443 | | tcp |
| AU | 207.148.81.119:8080 | | tcp |
| FR | 194.9.172.107:8080 | | tcp |
| CN | 139.196.72.155:8080 | 139.196.72.155 | tcp |

Files

memory/3932-114-0x00007FFF89EB0000-0x00007FFF89EC0000-memory.dmp
memory/3932-115-0x00007FFF89EB0000-0x00007FFF89EC0000-memory.dmp
memory/3932-116-0x00007FFF89EB0000-0x00007FFF89EC0000-memory.dmp
memory/3932-118-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-117-0x00007FFF89EB0000-0x00007FFF89EC0000-memory.dmp
memory/3932-119-0x00007FFFC9490000-0x00007FFFC953E000-memory.dmp
memory/3932-120-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-123-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-125-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-124-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-126-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-127-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-128-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-129-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-130-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-131-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-132-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-133-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-134-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-135-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-137-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-141-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp
memory/3932-139-0x00007FFFC9490000-0x00007FFFC953E000-memory.dmp
memory/3932-144-0x00007FFFC9E20000-0x00007FFFC9FFB000-memory.dmp

C:\Users\Admin\adx.ocx
  MD5:    df46019d92eb6df67ca1153b296d034a
  SHA1:   1217a1216dbea1a275e9af58094f1b39933a11f6
  SHA256: cd2fab983f4dba43c95396ea7707d34f7a394257e69563e5e17a1b7caa88d053
  SHA512: f1e7b14810702c8ba4e091f1797b8f256a039a80a509df19cfab618c4fdb4c7dfbaab54a60178e5537f0f46050d764d4ad6637f13570ad14376086bb0cd76c06

\Users\Admin\adx.ocx
  MD5:    df46019d92eb6df67ca1153b296d034a
  SHA1:   1217a1216dbea1a275e9af58094f1b39933a11f6
  SHA256: cd2fab983f4dba43c95396ea7707d34f7a394257e69563e5e17a1b7caa88d053
  SHA512: f1e7b14810702c8ba4e091f1797b8f256a039a80a509df19cfab618c4fdb4c7dfbaab54a60178e5537f0f46050d764d4ad6637f13570ad14376086bb0cd76c06

memory/4092-155-0x0000000004B50000-0x0000000004B77000-memory.dmp
memory/4036-158-0x0000000000BB0000-0x0000000000BD7000-memory.dmp