Analysis
-
max time kernel
97s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
30-06-2022 20:08
Behavioral task
behavioral1
Sample
Escanear_3006.xls
Resource
win7-20220414-en
General
-
Target
Escanear_3006.xls
-
Size
95KB
-
MD5
dacb649a56235d4bc93fb20cafc6d335
-
SHA1
c1445eb63a8bba0881ad280ce868eaf925c53fcd
-
SHA256
d5821ba3ecbd546f0907ff16038f6acf26611bb361a9a9dc406595aa009eff2a
-
SHA512
4c334c865e6b6f528ee02fd585c588b8dc46b067ead3e72aba2141f36782540966757f8c6bf0d4ec25879878e863d13cea7c48deb6257379dd88a6d8fc3a38b2
Malware Config
Extracted
https://evashopping.thietkewebsitechuanseo.com/assets/rNAyQu/
http://www.forensisbilisim.com/wp-includes/tznAlaHXSY/
Extracted
emotet
Epoch4
82.223.21.224:8080
173.212.193.249:8080
82.165.152.127:8080
151.106.112.196:8080
160.16.142.56:8080
163.44.196.120:8080
103.70.28.102:8080
164.68.99.3:8080
51.161.73.194:443
146.59.226.45:443
104.168.155.143:8080
101.50.0.91:8080
94.23.45.86:4143
167.172.253.162:8080
5.9.116.246:8080
185.4.135.165:8080
159.65.140.115:443
212.24.98.99:8080
209.97.163.214:443
206.189.28.199:8080
135.148.6.80:443
159.65.88.10:8080
79.137.35.198:8080
172.105.226.75:8080
172.104.251.154:8080
115.68.227.76:8080
201.94.166.162:443
144.91.78.55:443
183.111.227.137:8080
45.176.232.124:443
209.126.98.206:8080
72.15.201.15:8080
197.242.150.244:8080
51.254.140.238:7080
45.235.8.30:8080
103.75.201.2:443
207.148.79.14:8080
213.239.212.5:443
110.232.117.186:8080
153.126.146.25:7080
188.44.20.25:443
45.55.191.130:443
134.122.66.193:8080
131.100.24.231:80
186.194.240.217:443
64.227.100.222:8080
51.91.76.89:8080
159.89.202.34:443
149.56.131.28:8080
196.218.30.83:443
103.43.75.120:443
213.241.20.155:443
91.207.28.33:8080
129.232.188.93:443
119.193.124.41:7080
45.118.115.99:8080
158.69.222.101:443
150.95.66.124:8080
37.187.115.122:8080
107.170.39.149:8080
103.132.242.26:8080
1.234.2.232:8080
139.59.126.41:443
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1888 2040 regsvr32.exe EXCEL.EXE -
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 1888 regsvr32.exe 1136 regsvr32.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2040 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 1136 regsvr32.exe 1784 regsvr32.exe 1784 regsvr32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 2040 EXCEL.EXE 2040 EXCEL.EXE 2040 EXCEL.EXE -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
EXCEL.EXEregsvr32.exeregsvr32.exedescription pid process target process PID 2040 wrote to memory of 1888 2040 EXCEL.EXE regsvr32.exe PID 2040 wrote to memory of 1888 2040 EXCEL.EXE regsvr32.exe PID 2040 wrote to memory of 1888 2040 EXCEL.EXE regsvr32.exe PID 2040 wrote to memory of 1888 2040 EXCEL.EXE regsvr32.exe PID 2040 wrote to memory of 1888 2040 EXCEL.EXE regsvr32.exe PID 2040 wrote to memory of 1888 2040 EXCEL.EXE regsvr32.exe PID 2040 wrote to memory of 1888 2040 EXCEL.EXE regsvr32.exe PID 1888 wrote to memory of 1136 1888 regsvr32.exe regsvr32.exe PID 1888 wrote to memory of 1136 1888 regsvr32.exe regsvr32.exe PID 1888 wrote to memory of 1136 1888 regsvr32.exe regsvr32.exe PID 1888 wrote to memory of 1136 1888 regsvr32.exe regsvr32.exe PID 1888 wrote to memory of 1136 1888 regsvr32.exe regsvr32.exe PID 1888 wrote to memory of 1136 1888 regsvr32.exe regsvr32.exe PID 1888 wrote to memory of 1136 1888 regsvr32.exe regsvr32.exe PID 1136 wrote to memory of 1784 1136 regsvr32.exe regsvr32.exe PID 1136 wrote to memory of 1784 1136 regsvr32.exe regsvr32.exe PID 1136 wrote to memory of 1784 1136 regsvr32.exe regsvr32.exe PID 1136 wrote to memory of 1784 1136 regsvr32.exe regsvr32.exe PID 1136 wrote to memory of 1784 1136 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Escanear_3006.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\sctm1.ocx2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe/S ..\sctm1.ocx3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\YFMGzieyg\RiamUlIYnuR.dll"4⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
60KB
MD5589c442fc7a0c70dca927115a700d41e
SHA166a07dace3afbfd1aa07a47e6875beab62c4bb31
SHA2562e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a
SHA5121b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
340B
MD5cef1f8fb3e6066c2619e59a24946683c
SHA1bde0181f279d2427f8301ee205ed2fea48c86834
SHA2561254651aec7d505d11600e81e20ddd9db933ccee29c5b57f30c92b8137d84442
SHA512c46beceddfecafb60a7334bf06b2889902f0ddc6d1c96de51f789487132f10c71714ea399d2cd3a93f0bd4daa051a84b3080689fb4609c6a0d66abb3b63e489f
-
C:\Users\Admin\sctm1.ocxFilesize
548KB
MD53d0e93d1916cef643f06e7e8926bef81
SHA14fe4c80aa295d9b748e0d4452824025cb2522e19
SHA25658458c854127df51002cc024600e190ab3d23607c8fc589630efdb723db165f0
SHA512f8ded72b0e691ccd06dd0ef1ef26073b8c6c0d70435ce21d86d7665c3f96bf13680e411431cdd847dcbeca27e8eab2336b7443a6d4a73a31ebab4d3914915f71
-
\Users\Admin\sctm1.ocxFilesize
548KB
MD53d0e93d1916cef643f06e7e8926bef81
SHA14fe4c80aa295d9b748e0d4452824025cb2522e19
SHA25658458c854127df51002cc024600e190ab3d23607c8fc589630efdb723db165f0
SHA512f8ded72b0e691ccd06dd0ef1ef26073b8c6c0d70435ce21d86d7665c3f96bf13680e411431cdd847dcbeca27e8eab2336b7443a6d4a73a31ebab4d3914915f71
-
\Users\Admin\sctm1.ocxFilesize
548KB
MD53d0e93d1916cef643f06e7e8926bef81
SHA14fe4c80aa295d9b748e0d4452824025cb2522e19
SHA25658458c854127df51002cc024600e190ab3d23607c8fc589630efdb723db165f0
SHA512f8ded72b0e691ccd06dd0ef1ef26073b8c6c0d70435ce21d86d7665c3f96bf13680e411431cdd847dcbeca27e8eab2336b7443a6d4a73a31ebab4d3914915f71
-
memory/1136-67-0x0000000000480000-0x00000000004DA000-memory.dmpFilesize
360KB
-
memory/1136-64-0x0000000000000000-mapping.dmp
-
memory/1136-65-0x000007FEFC341000-0x000007FEFC343000-memory.dmpFilesize
8KB
-
memory/1784-71-0x0000000000000000-mapping.dmp
-
memory/1888-60-0x0000000000000000-mapping.dmp
-
memory/2040-59-0x0000000072B1D000-0x0000000072B28000-memory.dmpFilesize
44KB
-
memory/2040-58-0x0000000076261000-0x0000000076263000-memory.dmpFilesize
8KB
-
memory/2040-57-0x0000000072B1D000-0x0000000072B28000-memory.dmpFilesize
44KB
-
memory/2040-54-0x000000002FA11000-0x000000002FA14000-memory.dmpFilesize
12KB
-
memory/2040-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2040-55-0x0000000071B31000-0x0000000071B33000-memory.dmpFilesize
8KB