Analysis

  • max time kernel
    144s
  • max time network
    139s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    03-11-2022 16:45

General

  • Target

    f6e373ce039a5cc8c40b1df8d89557ec40f5ee36f5add54efdfb81732e3d17ab.xls

  • Size

    217KB

  • MD5

    8a8e7a345463f9c84c094d99aa3f23a1

  • SHA1

    90951630600ff85cdf5ce3a0554044ddc4f9b6dd

  • SHA256

    f6e373ce039a5cc8c40b1df8d89557ec40f5ee36f5add54efdfb81732e3d17ab

  • SHA512

    d7fe557e9e5e5939eaf9ad273a8563c8a828b06c263e2248a2906cfab2b0be312988348e1115638ff6f044e3df66743709ee27fe177fa0bc4b076d90155ff240

  • SSDEEP

    6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dg8yY+TAQXTHGUMEyP5p6f5jQmB:nbGUMVWlbB

Malware Config

Extracted

Language
xlm4.0

Source
xlm40.dropper

URLs

  • http://kabaruntukrakyat.com/wp-content/B9oJ0jh/
  • http://coinkub.com/wp-content/WwrJvjumS/
  • https://aberractivity.hu/iqq/Dmtv/
  • https://anamafegarcia.es/css/HfFXMTXvc40t/

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f6e373ce039a5cc8c40b1df8d89557ec40f5ee36f5add54efdfb81732e3d17ab.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4852
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MHLNvMlEKlxqKWb\yrYuUcPv.dll"
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        PID:4772
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\McCuFlwdKDQehQz\XfSH.dll"
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        PID:4568
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4972
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HMvMelv\NyDLD.dll"
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        PID:1236
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Lzlpc\nnCmJY.dll"
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        PID:3304

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\oxnv1.ooccxx

    Filesize

    712KB

    MD5

    9e91b55835fbcdf5878ad5ec2d9d299a

    SHA1

    408df88388229ced5370c15a145c9d9b66e3a0ac

    SHA256

    23055980f5cd3b756872d9ce8308146c403da3c9e327e3beba01b601f95714b6

    SHA512

    af94a001bc789f7e470ea038e8f50cbc4feed4622623d348b4b874200864d5c6ad99ed0eee7b71c504296c9bbf84d6343c2030b0921ef79a51df89530f136e5c

  • C:\Users\Admin\oxnv2.ooccxx

    Filesize

    712KB

    MD5

    e69dd625ebd0bc7768ca1ba163284ee9

    SHA1

    f911d3f3874e906bef1acb9e610f4c742de8aed8

    SHA256

    3c5172e7f642cfcc0586ae723ff4cd575f8bec7f5e23a32afb4411459c6012f4

    SHA512

    b3ed4b63372fb8bdf63972bf4c29cceb0c48f6a9f05408de368ad5fd5f0be1a5fdcde279b428b5cd9f0d6383c3b5fa3a5561bbaf57f052c6a53c63ecc7f6a973

  • C:\Users\Admin\oxnv3.ooccxx

    Filesize

    712KB

    MD5

    4c74f8644a26ff92259a5b0ec9590f34

    SHA1

    0634e2308acf3a88731ea139c193d8af8dc5c665

    SHA256

    d0073edccc4b6ff39184c5dea36bd2d419277ffaa435aadcd06bb6f69b759dc3

    SHA512

    e4482d60d402f7e1c7c54f43b9ad2a76068b1639314f5549d2d9228aa8410c9797e50ca7d3fcdc0b3a857a2d261a82f244cd9d9e30939dd50124360ec015a099

  • C:\Users\Admin\oxnv4.ooccxx

    Filesize

    712KB

    MD5

    d42f08e457604a2d7c005b5027aa9865

    SHA1

    0f25c799fabd98572bd3b3df5fa4f5661bfbeeb2

    SHA256

    3bf39799a9bb6d00ba06c9ce58a0305c2cd0c70c5d2989fe3d5f62002262aeec

    SHA512

    28f489d208cb4958e05c8a7e7b08fc99149596883de410eab0291d0d3802cf619f4e0b295e99b2d2a6cde217a40186d52bc1bf5a3a113ad146f4e30def44570c

  • \Users\Admin\oxnv1.ooccxx

    Filesize

    712KB

    MD5

    9e91b55835fbcdf5878ad5ec2d9d299a

    SHA1

    408df88388229ced5370c15a145c9d9b66e3a0ac

    SHA256

    23055980f5cd3b756872d9ce8308146c403da3c9e327e3beba01b601f95714b6

    SHA512

    af94a001bc789f7e470ea038e8f50cbc4feed4622623d348b4b874200864d5c6ad99ed0eee7b71c504296c9bbf84d6343c2030b0921ef79a51df89530f136e5c

  • \Users\Admin\oxnv2.ooccxx

    Filesize

    712KB

    MD5

    e69dd625ebd0bc7768ca1ba163284ee9

    SHA1

    f911d3f3874e906bef1acb9e610f4c742de8aed8

    SHA256

    3c5172e7f642cfcc0586ae723ff4cd575f8bec7f5e23a32afb4411459c6012f4

    SHA512

    b3ed4b63372fb8bdf63972bf4c29cceb0c48f6a9f05408de368ad5fd5f0be1a5fdcde279b428b5cd9f0d6383c3b5fa3a5561bbaf57f052c6a53c63ecc7f6a973

  • \Users\Admin\oxnv3.ooccxx

    Filesize

    712KB

    MD5

    4c74f8644a26ff92259a5b0ec9590f34

    SHA1

    0634e2308acf3a88731ea139c193d8af8dc5c665

    SHA256

    d0073edccc4b6ff39184c5dea36bd2d419277ffaa435aadcd06bb6f69b759dc3

    SHA512

    e4482d60d402f7e1c7c54f43b9ad2a76068b1639314f5549d2d9228aa8410c9797e50ca7d3fcdc0b3a857a2d261a82f244cd9d9e30939dd50124360ec015a099

  • \Users\Admin\oxnv4.ooccxx

    Filesize

    712KB

    MD5

    d42f08e457604a2d7c005b5027aa9865

    SHA1

    0f25c799fabd98572bd3b3df5fa4f5661bfbeeb2

    SHA256

    3bf39799a9bb6d00ba06c9ce58a0305c2cd0c70c5d2989fe3d5f62002262aeec

    SHA512

    28f489d208cb4958e05c8a7e7b08fc99149596883de410eab0291d0d3802cf619f4e0b295e99b2d2a6cde217a40186d52bc1bf5a3a113ad146f4e30def44570c

  • memory/1044-331-0x0000000000000000-mapping.dmp

  • memory/1236-325-0x0000000000000000-mapping.dmp

  • memory/1948-297-0x0000000000000000-mapping.dmp

  • memory/2744-133-0x00007FFC918B0000-0x00007FFC918C0000-memory.dmp

    Filesize

    64KB

  • memory/2744-123-0x00007FFC94BB0000-0x00007FFC94BC0000-memory.dmp

    Filesize

    64KB

  • memory/2744-120-0x00007FFC94BB0000-0x00007FFC94BC0000-memory.dmp

    Filesize

    64KB

  • memory/2744-122-0x00007FFC94BB0000-0x00007FFC94BC0000-memory.dmp

    Filesize

    64KB

  • memory/2744-121-0x00007FFC94BB0000-0x00007FFC94BC0000-memory.dmp

    Filesize

    64KB

  • memory/2744-132-0x00007FFC918B0000-0x00007FFC918C0000-memory.dmp

    Filesize

    64KB

  • memory/3304-339-0x0000000000000000-mapping.dmp

  • memory/4568-307-0x0000000000000000-mapping.dmp

  • memory/4772-289-0x0000000000000000-mapping.dmp

  • memory/4852-281-0x0000000180000000-0x0000000180030000-memory.dmp

    Filesize

    192KB

  • memory/4852-278-0x0000000000000000-mapping.dmp

  • memory/4972-315-0x0000000000000000-mapping.dmp