Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
07-07-2022 04:08
Behavioral task
behavioral1
Sample
10fa6005847123358153b457bbb0544fdb9336d3ede2f2c122d14199d2413346.xls
Resource
win10-20220414-en
General
-
Target
10fa6005847123358153b457bbb0544fdb9336d3ede2f2c122d14199d2413346.xls
-
Size
95KB
-
MD5
3bd53b9274e0465ae5f15efbf34cd96c
-
SHA1
03198f860e12a66454036b4c0719ad1b3e928f55
-
SHA256
10fa6005847123358153b457bbb0544fdb9336d3ede2f2c122d14199d2413346
-
SHA512
9d94a21230f32e04ad672a19f4adefbba7bebc03e9d66d11c1841409dcf9afe9045044844e1de67f1e007e13494ef4d32c31657cafedb42aa3d6fd2754bd38b2
Malware Config
Extracted: download URLs (4)
https://edoraseguros.com.br/cgi-bin/jQNq9wlH1GXU/
http://earthmach.co.za/libraries/tWkZh9YrXbTd6IeX/
http://finvest.rs/wp-admin/Hr9nVNTIHgw59S/
http://efverstedt.se/5jjaV/w7fLEHJ20xn0qD/
Extracted: emotet, Epoch5
C2 list (50 IP:port entries). An extracted C2 set is only as current as the sample; treat these as valid for the July 2022 submission window, not as a standing block list.
103.71.99.57:8080
103.224.241.74:8080
157.245.111.0:8080
37.44.244.177:8080
103.41.204.169:8080
64.227.55.231:8080
103.254.12.236:7080
103.85.95.4:8080
157.230.99.206:8080
165.22.254.236:8080
85.214.67.203:8080
54.37.228.122:443
195.77.239.39:8080
128.199.217.206:443
190.145.8.4:443
165.232.185.110:8080
188.165.79.151:443
178.62.112.199:8080
54.37.106.167:8080
104.244.79.94:443
43.129.209.178:443
87.106.97.83:7080
202.134.4.210:7080
178.238.225.252:8080
198.199.70.22:8080
62.171.178.147:8080
175.126.176.79:8080
128.199.242.164:8080
88.217.172.165:8080
104.248.225.227:8080
85.25.120.45:8080
139.196.72.155:8080
188.225.32.231:4143
202.29.239.162:443
103.126.216.86:443
210.57.209.142:8080
93.104.209.107:8080
196.44.98.190:8080
5.253.30.17:7080
46.101.98.60:8080
103.56.149.105:8080
190.107.19.179:443
139.59.80.108:8080
36.67.23.59:443
78.47.204.80:443
83.229.80.93:8080
174.138.33.49:7080
118.98.72.86:443
37.187.114.15:8080
202.28.34.99:8080
Signatures
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run EXCEL.EXE (PID 2688) launched regsvr32.exe four times, one per downloaded .ocx (see the process tree below).
Processes: regsvr32.exe (x4)
description (all four rows): Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
pid   pid_target  process       target process
3620  2688        regsvr32.exe  EXCEL.EXE
2964  2688        regsvr32.exe  EXCEL.EXE
1640  2688        regsvr32.exe  EXCEL.EXE
1064  2688        regsvr32.exe  EXCEL.EXE
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes: regsvr32.exe (x2)
pid   process
2964  regsvr32.exe
1640  regsvr32.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. Here the queries are attributed to EXCEL.EXE itself rather than to the dropped DLLs; Office reads these keys routinely, so on its own this is weak evidence of evasion.
Processes: EXCEL.EXE
description        ioc                                                                                   process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Also attributed to EXCEL.EXE, not to the dropped DLLs.
Processes: EXCEL.EXE
description        ioc                                                            process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes: ipconfig.exe
pid   process
2908  ipconfig.exe
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid   process
2688  EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes: regsvr32.exe (x4)
pid   process       hits
2964  regsvr32.exe  2
1640  regsvr32.exe  2
2460  regsvr32.exe  6
2236  regsvr32.exe  4
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes: EXCEL.EXE
pid   process    hits
2688  EXCEL.EXE  12
-
Suspicious use of WriteProcessMemory 18 IoCs
Every entry pairs a parent with a child it had just created (each pair is listed twice in the original 18 entries). CreateProcess itself writes the new process's parameters into the child, so this signature mostly restates the process tree rather than evidencing injection into an unrelated process.
Processes: EXCEL.EXE, regsvr32.exe (x3)
pid   process       target pid  target process
2688  EXCEL.EXE     3620        regsvr32.exe
2688  EXCEL.EXE     2964        regsvr32.exe
2688  EXCEL.EXE     1640        regsvr32.exe
2964  regsvr32.exe  2460        regsvr32.exe
1640  regsvr32.exe  2236        regsvr32.exe
2688  EXCEL.EXE     1064        regsvr32.exe
2460  regsvr32.exe  96          systeminfo.exe
2460  regsvr32.exe  2908        ipconfig.exe
2460  regsvr32.exe  3624        nltest.exe
Processes
(PIDs are taken from the WriteProcessMemory signature above; depth numbers are those of the original tree.)
-
[1] EXCEL.EXE (PID 2688)
    Image:   C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\10fa6005847123358153b457bbb0544fdb9336d3ede2f2c122d14199d2413346.xls"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    -
    [2] regsvr32.exe (PID 3620)
        Image:   C:\Windows\System32\regsvr32.exe
        Command: C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx
        - Process spawned unexpected child process
    -
    [2] regsvr32.exe (PID 2964)
        Image:   C:\Windows\System32\regsvr32.exe
        Command: C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx
        - Process spawned unexpected child process
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        -
        [3] regsvr32.exe (PID 2460)
            Image:   C:\Windows\system32\regsvr32.exe
            Command: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZBXAdndU\KKYKVPkqQGFAV.dll"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            -
            [4] systeminfo.exe (PID 96)
                Image:   C:\Windows\system32\systeminfo.exe
                Command: systeminfo
                - Gathers system information
            -
            [4] ipconfig.exe (PID 2908)
                Image:   C:\Windows\system32\ipconfig.exe
                Command: ipconfig /all
                - Gathers network information
            -
            [4] nltest.exe (PID 3624)
                Image:   C:\Windows\system32\nltest.exe
                Command: nltest /dclist:
    -
    [2] regsvr32.exe (PID 1640)
        Image:   C:\Windows\System32\regsvr32.exe
        Command: C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx
        - Process spawned unexpected child process
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        -
        [3] regsvr32.exe (PID 2236)
            Image:   C:\Windows\system32\regsvr32.exe
            Command: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FFXKExDBs\voILyRFPbQpa.dll"
            - Suspicious behavior: EnumeratesProcesses
    -
    [2] regsvr32.exe (PID 1064)
        Image:   C:\Windows\System32\regsvr32.exe
        Command: C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx
        - Process spawned unexpected child process
Downloads
Only soci2.ocx and soci3.ocx were captured (same size, different hashes). Despite the .ocx extension they are PE DLLs (cf. "Downloads MZ/PE file" and "Loads dropped DLL" above). No soci1.ocx or soci4.ocx appears, consistent with their regsvr32 instances (PIDs 3620 and 1064) loading nothing and spawning no children. The original report lists each file twice, once with and once without the drive letter, with identical hashes; the two entries are merged here.
-
C:\Users\Admin\soci2.ocx (also listed as \Users\Admin\soci2.ocx)
Filesize 847KB
MD5 15a4143b665933e6ad0b3f2e05f560f4
SHA1 c5ee3295dc4680fe2cf7813eca9a9fd576571b7e
SHA256 86ce3564f613d87be0b6c26f8fd8f7bba98989f5ca0b9d255d054e8fab41c59e
SHA512 91b75cf64768f6494a19a7f0b6ba140e090a6cab9abc3506e9133ff8bac46a3124a90187c9d9158e2d3f016862e27fda325174a0ed2dd1d83e58f93d55ebf72c
-
C:\Users\Admin\soci3.ocx (also listed as \Users\Admin\soci3.ocx)
Filesize 847KB
MD5 5e07d8a8c5f9efed5a8b204b5e850c72
SHA1 5ff8e145c8a0166afc26bcb0449e3a24a50bdf97
SHA256 b5b049223e6f90dbda01c6f4f8d39758b33f2c08c46b0261dac504d871e63251
SHA512 bb9d932dada3a3353e1c3d76bca110ef247e36bbf2aea0be17ad3351998ec647eefa1104ad65580314500e5e896ed23884c62055e9b9348a8af1145d17665a6e
-
memory/96-297-0x0000000000000000-mapping.dmp
-
memory/1064-291-0x0000000000000000-mapping.dmp
-
memory/1640-276-0x0000000000000000-mapping.dmp
-
memory/2236-290-0x0000000000000000-mapping.dmp
-
memory/2460-301-0x0000000002280000-0x00000000081EB000-memory.dmp
Filesize 95MB
-
memory/2460-298-0x0000000002280000-0x00000000081EB000-memory.dmp
Filesize 95MB
-
memory/2460-277-0x0000000000000000-mapping.dmp
-
memory/2688-131-0x00007FFB5FE40000-0x00007FFB5FE50000-memory.dmp
Filesize 64KB
-
memory/2688-118-0x00007FFB63430000-0x00007FFB63440000-memory.dmp
Filesize 64KB
-
memory/2688-130-0x00007FFB5FE40000-0x00007FFB5FE50000-memory.dmp
Filesize 64KB
-
memory/2688-121-0x00007FFB63430000-0x00007FFB63440000-memory.dmp
Filesize 64KB
-
memory/2688-120-0x00007FFB63430000-0x00007FFB63440000-memory.dmp
Filesize 64KB
-
memory/2688-119-0x00007FFB63430000-0x00007FFB63440000-memory.dmp
Filesize 64KB
-
memory/2908-299-0x0000000000000000-mapping.dmp
-
memory/2964-271-0x0000000180000000-0x0000000180030000-memory.dmp
Filesize 192KB (0x180000000 is the default image base for 64-bit DLLs; PID 2964 is the regsvr32 instance that loaded soci2.ocx)
-
memory/2964-268-0x0000000000000000-mapping.dmp
-
memory/3620-267-0x0000000000000000-mapping.dmp
-
memory/3624-300-0x0000000000000000-mapping.dmp