Analysis
- max time kernel: 149s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:15
Behavioral task: behavioral1
- Sample: PACK_53.xls
- Resource: win7-20220414-en
General
- Target: PACK_53.xls
- Size: 67KB
- MD5: 8dd66f630a5c13d41ed8fe01604bfff6
- SHA1: 3a38dbb63444e63461312b93a30743b70444f09b
- SHA256: cea8a4085a3551739dadcd60711d0c9ce5c3f4b570618d1917ef67a9859779aa
- SHA512: 274df5018f9c8d1f02fc456e623a490167b8ae38862dec7304f3d2473d700d5cec7ca0f0a4cfad9e7ee92d4d5ea41289ef1ad7f398dc490139dfe0f66bd28663
Malware Config
Extracted (download URLs):
- http://www.clasite.com/blogs/IEEsyn/
- https://oncrete-egy.com/wp-content/V6Igzw8/
- http://opencart-destek.com/catalog/OqHwQ8xlWa5Goyo/
- http://www.pjesacac.com/components/O93XXhMN3tOtTlV/
Extracted (family config):
- Family: emotet
- Epoch5
- C2 servers (IP:port):
Signatures
-
Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (pid, pid_target, process, target process, description):
- 4900, 3368, regsvr32.exe, EXCEL.EXE: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
- 4288, 3368, regsvr32.exe, EXCEL.EXE: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
- 4436, 3368, regsvr32.exe, EXCEL.EXE: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
- 1008, 3368, regsvr32.exe, EXCEL.EXE: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Downloads MZ/PE file
-
Loads dropped DLL (6 IoCs)
Processes (pid, process):
- 4900 regsvr32.exe
- 4436 regsvr32.exe
- 1008 regsvr32.exe
- 2804 regsvr32.exe
- 3912 regsvr32.exe
- 4524 regsvr32.exe
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (pid, process):
- 3368 EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid, process):
- 3912 regsvr32.exe (2 events)
- 2804 regsvr32.exe (2 events)
-
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes (pid, process):
- 3368 EXCEL.EXE (12 events)
-
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description, pid, process, target process); each entry was recorded twice:
- PID 3368 wrote to memory of 4900: 3368 EXCEL.EXE -> regsvr32.exe (2 events)
- PID 3368 wrote to memory of 4288: 3368 EXCEL.EXE -> regsvr32.exe (2 events)
- PID 3368 wrote to memory of 4436: 3368 EXCEL.EXE -> regsvr32.exe (2 events)
- PID 3368 wrote to memory of 1008: 3368 EXCEL.EXE -> regsvr32.exe (2 events)
- PID 4436 wrote to memory of 2804: 4436 regsvr32.exe -> regsvr32.exe (2 events)
- PID 1008 wrote to memory of 3912: 1008 regsvr32.exe -> regsvr32.exe (2 events)
- PID 4900 wrote to memory of 4524: 4900 regsvr32.exe -> regsvr32.exe (2 events)
Processes (process tree; depth shown by indentation)
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PACK_53.xls"
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\uxevr1.ocx
    Signatures: Process spawned unexpected child process; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JDMUN\qvsguW.dll"
      Signatures: Loads dropped DLL
  - C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\uxevr2.ocx
    Signatures: Process spawned unexpected child process
  - C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\uxevr3.ocx
    Signatures: Process spawned unexpected child process; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CFAToMVLxOO\BtOcd.dll"
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\uxevr4.ocx
    Signatures: Process spawned unexpected child process; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BJsrfvPj\zqBs.dll"
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (each file was listed twice in the original report; duplicates collapsed)
- C:\Users\Admin\uxevr1.ocx
  Filesize: 373KB
  MD5: 0c833f3d3633f1239d5f7d27ec411b35
  SHA1: f6f5c954a833f3ccc59ae9596f3365a1deff390a
  SHA256: 47efdef5ba81eacc1f97698b52204aeab8e3c2af3505a50a979aa03262dc8cb2
  SHA512: 9b677262e374d3714b6e88c574e155503bc35b9616b5abb1ad1993cf5b1a799d5d3d5a73a1598235370f86fc650e30aecee5c53bb40d48b865c8cb2608a7f050
- C:\Users\Admin\uxevr3.ocx
  Filesize: 362KB
  MD5: 10c4a4775dd68f38fe3fac8bdf34cde2
  SHA1: eb14c61ebe4be6c1b16c2e3d17ff5b33dc29d3d4
  SHA256: 0ecdf1784274846899c16e72756c8ba7fdf6945af43a0d19395c1efc476159ce
  SHA512: 49563654a00a438560718ef61a9fbbe24e392477e679b077884973bb70221a1678d81945998d1dfdc1ea575ef35ad584e2a25fbd8e3480dcc1cd1ed26fa5656d
- C:\Users\Admin\uxevr4.ocx
  Filesize: 362KB
  MD5: 94fe8e76ea573fd2e585f9ca864917a0
  SHA1: 5d2049adb9c53361d4f0dd499931f06794379198
  SHA256: ee0e5bde2fabcc21aa2df3f5971fe40e8a5006a6021da9fc1752710a25a0c467
  SHA512: 1d4afd61deeb4d80af8ed0d0dc633be9a80247c7a983591c1be1e069e2e434d09f177d2a1e9e27e1e556b0754718c9277b3694eeff02588ee819d7c30ea9a81e
- C:\Windows\System32\BJsrfvPj\zqBs.dll (same hashes as uxevr4.ocx)
  Filesize: 362KB
  MD5: 94fe8e76ea573fd2e585f9ca864917a0
  SHA1: 5d2049adb9c53361d4f0dd499931f06794379198
  SHA256: ee0e5bde2fabcc21aa2df3f5971fe40e8a5006a6021da9fc1752710a25a0c467
  SHA512: 1d4afd61deeb4d80af8ed0d0dc633be9a80247c7a983591c1be1e069e2e434d09f177d2a1e9e27e1e556b0754718c9277b3694eeff02588ee819d7c30ea9a81e
- C:\Windows\System32\CFAToMVLxOO\BtOcd.dll (same hashes as uxevr3.ocx)
  Filesize: 362KB
  MD5: 10c4a4775dd68f38fe3fac8bdf34cde2
  SHA1: eb14c61ebe4be6c1b16c2e3d17ff5b33dc29d3d4
  SHA256: 0ecdf1784274846899c16e72756c8ba7fdf6945af43a0d19395c1efc476159ce
  SHA512: 49563654a00a438560718ef61a9fbbe24e392477e679b077884973bb70221a1678d81945998d1dfdc1ea575ef35ad584e2a25fbd8e3480dcc1cd1ed26fa5656d
- C:\Windows\System32\JDMUN\qvsguW.dll (same hashes as uxevr1.ocx)
  Filesize: 373KB
  MD5: 0c833f3d3633f1239d5f7d27ec411b35
  SHA1: f6f5c954a833f3ccc59ae9596f3365a1deff390a
  SHA256: 47efdef5ba81eacc1f97698b52204aeab8e3c2af3505a50a979aa03262dc8cb2
  SHA512: 9b677262e374d3714b6e88c574e155503bc35b9616b5abb1ad1993cf5b1a799d5d3d5a73a1598235370f86fc650e30aecee5c53bb40d48b865c8cb2608a7f050
Memory dumps (filename, size where given)
- memory/1008-147-0x0000000000000000-mapping.dmp
- memory/2804-153-0x0000000000000000-mapping.dmp
- memory/3368-130-0x00007FF801710000-0x00007FF801720000-memory.dmp (64KB)
- memory/3368-131-0x00007FF801710000-0x00007FF801720000-memory.dmp (64KB)
- memory/3368-132-0x00007FF801710000-0x00007FF801720000-memory.dmp (64KB)
- memory/3368-133-0x00007FF801710000-0x00007FF801720000-memory.dmp (64KB)
- memory/3368-134-0x00007FF801710000-0x00007FF801720000-memory.dmp (64KB)
- memory/3368-135-0x00007FF7FF2E0000-0x00007FF7FF2F0000-memory.dmp (64KB)
- memory/3368-136-0x00007FF7FF2E0000-0x00007FF7FF2F0000-memory.dmp (64KB)
- memory/3912-154-0x0000000000000000-mapping.dmp
- memory/4288-140-0x0000000000000000-mapping.dmp
- memory/4436-141-0x0000000000000000-mapping.dmp
- memory/4436-144-0x0000000180000000-0x0000000180031000-memory.dmp (196KB)
- memory/4524-166-0x0000000000000000-mapping.dmp
- memory/4900-137-0x0000000000000000-mapping.dmp
- memory/4900-163-0x0000000180000000-0x0000000180031000-memory.dmp (196KB)