Analysis
-
max time kernel
150s -
max time network
135s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
21-05-2022 12:58
Behavioral task
behavioral1
Sample
88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df.xls
Resource
win10-20220414-en
General
-
Target
88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df.xls
-
Size
40KB
-
MD5
35cef72c5abdb47cc705de2459f6bf16
-
SHA1
2639ec69b35fa5633b0555bc61e4feda7ae23994
-
SHA256
88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df
-
SHA512
27c0c534eb18e19a6598b737787a4ce1fa70732d5ca6720070232fc4567b606bce4c2069cd2f15ac341e28af7095b13eb930d099b796d33be4a2b2ccab3ce043
Malware Config
Extracted
http://jimlowry.com/9tag/Mv2ZYY61NBOf8/
http://stainedglassexpress.com/classes/veV/
Extracted
emotet
Epoch4
131.100.24.231:80
103.132.242.26:8080
167.172.253.162:8080
149.56.131.28:8080
209.126.98.206:8080
188.44.20.25:443
212.237.17.99:8080
129.232.188.93:443
160.16.142.56:8080
46.55.222.11:443
1.234.2.232:8080
45.235.8.30:8080
185.157.82.211:8080
158.69.222.101:443
185.4.135.165:8080
27.54.89.58:8080
197.242.150.244:8080
153.126.146.25:7080
183.111.227.137:8080
103.75.201.2:443
45.118.115.99:8080
79.137.35.198:8080
172.104.251.154:8080
159.65.88.10:8080
203.114.109.124:443
101.50.0.91:8080
51.254.140.238:7080
206.189.28.199:8080
72.15.201.15:8080
150.95.66.124:8080
201.94.166.162:443
209.97.163.214:443
103.70.28.102:8080
185.8.212.130:7080
216.158.226.206:443
209.250.246.206:443
23.239.0.12:443
164.68.99.3:8080
102.222.215.74:443
134.122.66.193:8080
82.165.152.127:8080
51.91.76.89:8080
189.126.111.200:7080
146.59.226.45:443
163.44.196.120:8080
51.91.7.5:8080
58.227.42.236:80
167.99.115.35:8080
196.218.30.83:443
107.182.225.142:8080
151.106.112.196:8080
91.207.28.33:8080
94.23.45.86:4143
103.43.46.182:443
45.176.232.124:443
5.9.116.246:8080
173.212.193.249:8080
1.234.21.73:7080
212.24.98.99:8080
213.241.20.155:443
110.232.117.186:8080
77.81.247.144:8080
119.193.124.41:7080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 5032 920 regsvr32.exe EXCEL.EXE -
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Downloads MZ/PE file
-
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exepid process 5032 regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 920 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
regsvr32.exepid process 3916 regsvr32.exe 3916 regsvr32.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 920 EXCEL.EXE 920 EXCEL.EXE 920 EXCEL.EXE 920 EXCEL.EXE 920 EXCEL.EXE 920 EXCEL.EXE 920 EXCEL.EXE 920 EXCEL.EXE 920 EXCEL.EXE 920 EXCEL.EXE 920 EXCEL.EXE 920 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
EXCEL.EXEregsvr32.exedescription pid process target process PID 920 wrote to memory of 5032 920 EXCEL.EXE regsvr32.exe PID 920 wrote to memory of 5032 920 EXCEL.EXE regsvr32.exe PID 5032 wrote to memory of 3916 5032 regsvr32.exe regsvr32.exe PID 5032 wrote to memory of 3916 5032 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe ..\wurod.ocx2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\PBfrpSLKbfrJRPfi\OremM.dll"3⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\wurod.ocxFilesize
532KB
MD5da62d4579c6b23dbe17bba881b46270c
SHA14eaf998fedc5f3d0d1059ca2887d9a9c2033e87a
SHA256e73f8bf7bef8ec4200fe4b989dd8d19d64486cf2461f6adc867f0199c556065a
SHA5120ecf5682e1817e5b9063930ea4d81621e6c125ad0578df39bfc611ac6f604c63ffdd01bbb251cfc8960a3d16a11ed4bb07accb47d0fa34dd046917d85a50020c
-
\Users\Admin\wurod.ocxFilesize
532KB
MD5da62d4579c6b23dbe17bba881b46270c
SHA14eaf998fedc5f3d0d1059ca2887d9a9c2033e87a
SHA256e73f8bf7bef8ec4200fe4b989dd8d19d64486cf2461f6adc867f0199c556065a
SHA5120ecf5682e1817e5b9063930ea4d81621e6c125ad0578df39bfc611ac6f604c63ffdd01bbb251cfc8960a3d16a11ed4bb07accb47d0fa34dd046917d85a50020c
-
memory/920-118-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmpFilesize
64KB
-
memory/920-119-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmpFilesize
64KB
-
memory/920-120-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmpFilesize
64KB
-
memory/920-121-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmpFilesize
64KB
-
memory/920-130-0x00007FFE768A0000-0x00007FFE768B0000-memory.dmpFilesize
64KB
-
memory/920-131-0x00007FFE768A0000-0x00007FFE768B0000-memory.dmpFilesize
64KB
-
memory/3916-277-0x0000000000000000-mapping.dmp
-
memory/5032-268-0x0000000000000000-mapping.dmp
-
memory/5032-271-0x0000000180000000-0x0000000180030000-memory.dmpFilesize
192KB