Behavioral Report

max time kernel148s
max time network147s
platformwindows10_x64
resourcewin10-20220414-en
submitted21-05-2022 16:59

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

2414403ef30664ec26da4da73b06b3144014d5264058f021028a23b6934610c7.xls

Filesize

70KB

Completed

21-05-2022 17:01

Task

behavioral2

Score

10^/10

MD5

7e566d44be516beae7dda38c3920a41b

SHA1

9dec14d45c8b4af209238c0796a6232da103e1a5

SHA256

2414403ef30664ec26da4da73b06b3144014d5264058f021028a23b6934610c7

SHA256

ece463aae972e7a165326b3f60c0d559be3a1a41720bf1a42cd277394e76de1d38f70d6340b09e2bbd0b92f88fdb11e244df17cfd936ec8993c46b5704b00b80

emotet epoch4 banker suricata trojan

Extracted

Language	xlm4.0
Source
URLs	http://farschid.de/verkaufsberater_service/OZRw36a2y1CH2clUzY/ http://77homolog.com.br/dev-jealves/GP55wbYNXnp6/ http://geowf.ge/templates/pJRea3Iu3wG/ xlm40.dropper http://farschid.de/verkaufsberater_service/OZRw36a2y1CH2clUzY/ xlm40.dropper http://77homolog.com.br/dev-jealves/GP55wbYNXnp6/ xlm40.dropper http://geowf.ge/templates/pJRea3Iu3wG/

Extracted

Family	emotet
Botnet	Epoch4
C2	176.31.73.90:443 45.76.159.214:8080 138.197.147.101:443 104.168.154.79:8080 149.56.131.28:8080 5.9.116.246:8080 77.81.247.144:8080 172.104.251.154:8080 50.30.40.196:8080 173.212.193.249:8080 51.91.76.89:8080 197.242.150.244:8080 103.75.201.2:443 51.254.140.238:7080 79.137.35.198:8080 72.15.201.15:8080 27.54.89.58:8080 189.126.111.200:7080 196.218.30.83:443 82.165.152.127:8080 164.68.99.3:8080 183.111.227.137:8080 167.172.253.162:8080 153.126.146.25:7080 129.232.188.93:443 151.106.112.196:8080 188.44.20.25:443 167.99.115.35:8080 134.122.66.193:8080 185.4.135.165:8080 212.24.98.99:8080 51.91.7.5:8080 146.59.226.45:443 131.100.24.231:80 212.237.17.99:8080 201.94.166.162:443 45.176.232.124:443 159.65.88.10:8080 160.16.142.56:8080 216.158.226.206:443 203.114.109.124:443 103.43.46.182:443 46.55.222.11:443 209.126.98.206:8080 91.207.28.33:8080 1.234.2.232:8080 45.118.115.99:8080 206.189.28.199:8080 94.23.45.86:4143 158.69.222.101:443 103.70.28.102:8080 101.50.0.91:8080 58.227.42.236:80 119.193.124.41:7080 107.182.225.142:8080 185.157.82.211:8080 45.235.8.30:8080 103.132.242.26:8080 1.234.21.73:7080 110.232.117.186:8080 209.97.163.214:443 185.8.212.130:7080 209.250.246.206:443 176.31.73.90:443 45.76.159.214:8080 138.197.147.101:443 104.168.154.79:8080 149.56.131.28:8080 5.9.116.246:8080 77.81.247.144:8080 172.104.251.154:8080 50.30.40.196:8080 173.212.193.249:8080 51.91.76.89:8080 197.242.150.244:8080 103.75.201.2:443 51.254.140.238:7080 79.137.35.198:8080 72.15.201.15:8080 27.54.89.58:8080 189.126.111.200:7080 196.218.30.83:443 82.165.152.127:8080 164.68.99.3:8080 183.111.227.137:8080 167.172.253.162:8080 153.126.146.25:7080 129.232.188.93:443 151.106.112.196:8080 188.44.20.25:443 167.99.115.35:8080 134.122.66.193:8080 185.4.135.165:8080 212.24.98.99:8080 51.91.7.5:8080 146.59.226.45:443 131.100.24.231:80 212.237.17.99:8080 201.94.166.162:443 45.176.232.124:443 159.65.88.10:8080 160.16.142.56:8080 216.158.226.206:443 203.114.109.124:443 103.43.46.182:443 46.55.222.11:443 209.126.98.206:8080 91.207.28.33:8080 1.234.2.232:8080 45.118.115.99:8080 206.189.28.199:8080 94.23.45.86:4143 158.69.222.101:443 103.70.28.102:8080 101.50.0.91:8080 58.227.42.236:80 119.193.124.41:7080 107.182.225.142:8080 185.157.82.211:8080 45.235.8.30:8080 103.132.242.26:8080 1.234.21.73:7080 110.232.117.186:8080 209.97.163.214:443 185.8.212.130:7080 209.250.246.206:443
eck1.plain
ecs1.plain

Discovery

Emotet

Description

Emotet is a trojan that is primarily spread through spam emails.

Tags

trojan banker emotet

Process spawned unexpected child process

regsvr32.exe

Description

This typically indicates the parent process was compromised via an exploit or macro.

Reported IOCs

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4816	2656	regsvr32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3

Description

suricata: ET MALWARE W32/Emotet CnC Beacon 3

Tags

suricata
Downloads MZ/PE file
Loads dropped DLL
regsvr32.exe

Reported IOCs

pid process

4816 regsvr32.exe
Drops file in System32 directory
regsvr32.exe

Reported IOCs

description ioc process

File opened for modification C:\Windows\system32\Siyzcvhe\hrgdkyt.sux regsvr32.exe

pid	process
4816	regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Siyzcvhe\hrgdkyt.sux	regsvr32.exe

Checks processor information in registry

EXCEL.EXE

Description

Processor information is often read in order to detect sandboxing environments.

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry

EXCEL.EXE

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener
EXCEL.EXE

Reported IOCs

pid process

2656 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses
regsvr32.exe

Reported IOCs

pid process

4540 regsvr32.exe
4540 regsvr32.exe

pid	process
4540	regsvr32.exe
4540	regsvr32.exe

Suspicious use of SetWindowsHookEx

EXCEL.EXE

Reported IOCs

pid	process
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE

Suspicious use of WriteProcessMemory

EXCEL.EXEregsvr32.exe

Reported IOCs

description	pid	process	target process
PID 2656 wrote to memory of 4816	2656	EXCEL.EXE	regsvr32.exe
PID 2656 wrote to memory of 4816	2656	EXCEL.EXE	regsvr32.exe
PID 4816 wrote to memory of 4540	4816	regsvr32.exe	regsvr32.exe
PID 4816 wrote to memory of 4540	4816	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2414403ef30664ec26da4da73b06b3144014d5264058f021028a23b6934610c7.xls"

Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:2656

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe ..\xdwno.ocx

Process spawned unexpected child process
Loads dropped DLL
Drops file in System32 directory
Suspicious use of WriteProcessMemory

PID:4816

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Siyzcvhe\hrgdkyt.sux"

Suspicious behavior: EnumeratesProcesses

PID:4540

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\Users\Admin\xdwno.ocx
MD5
0a339089210feb211b398e69d78f515e

SHA1
d840d9215c9343e2c96a4621008e3d258c4983c0

SHA256
6f940b3ce9692475698569cda498f77736f12697183bc6dd1b839aea3cd573c3

SHA512
09c80205a4495659b28448540578362f0c2ff4624e40d857a8c63d0e8d02f909edab50af556d834dd4c648858174fb2961fa7acaac730c50b02993b4c74d85be

Download Submit
\Users\Admin\xdwno.ocx
MD5
0a339089210feb211b398e69d78f515e

SHA1
d840d9215c9343e2c96a4621008e3d258c4983c0

SHA256
6f940b3ce9692475698569cda498f77736f12697183bc6dd1b839aea3cd573c3

SHA512
09c80205a4495659b28448540578362f0c2ff4624e40d857a8c63d0e8d02f909edab50af556d834dd4c648858174fb2961fa7acaac730c50b02993b4c74d85be

Download Submit
memory/2656-118-0x00007FF997EE0000-0x00007FF997EF0000-memory.dmp

Download
memory/2656-121-0x00007FF997EE0000-0x00007FF997EF0000-memory.dmp

Download
memory/2656-130-0x00007FF994370000-0x00007FF994380000-memory.dmp

Download
memory/2656-131-0x00007FF994370000-0x00007FF994380000-memory.dmp

Download
memory/2656-119-0x00007FF997EE0000-0x00007FF997EF0000-memory.dmp

Download
memory/2656-120-0x00007FF997EE0000-0x00007FF997EF0000-memory.dmp

Download
memory/4540-278-0x0000000000000000-mapping.dmp

Download
memory/4816-267-0x0000000000000000-mapping.dmp

Download
memory/4816-270-0x0000000180000000-0x000000018002B000-memory.dmp

Download

Extracted

Extracted

Filter: none

Description

Tags

Description

Reported IOCs

Description

Tags

Reported IOCs

Reported IOCs

Description

TTPs

Reported IOCs

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title