Analysis
max time kernel: 142s
max time network: 145s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 04/11/2022, 06:57
Behavioral task: behavioral1
Sample: 86353d15a6e972bee1b51d6727a02fdae8f7aa2440870b22fa926200b7bfe0d2.xls
Resource: win10-20220901-en
Behavioral task: behavioral2
Sample: 86353d15a6e972bee1b51d6727a02fdae8f7aa2440870b22fa926200b7bfe0d2.xls
Resource: win10-20220812-en
General
Target: 86353d15a6e972bee1b51d6727a02fdae8f7aa2440870b22fa926200b7bfe0d2.xls
Size: 217KB
MD5: 96819b29abf3dc945f696c1cd8cfd7a4
SHA1: 04286c9d204c1bce1f8296260891208328bda9aa
SHA256: 86353d15a6e972bee1b51d6727a02fdae8f7aa2440870b22fa926200b7bfe0d2
SHA512: fab2c61f658ee8e082b4ef73235bbe5fb9fd50a72d7b5d1ff1842f4a412144a73762cda36436773cfba657f9dbf5102f7c3fcfb177aa7017d5db95391562f176
SSDEEP: 6144:zKpb8rGYrMPe3q7Q0XV5xtuEsi8/dglyY+TAQXTHGUMEyP5p6f5jQm4:JbGUMVWlb4
Malware Config
Extracted
http://aquariorecords.com.br/wp-content/A8G3ownNApEj1L4hF/
http://ftp.pricoat.com.mx/Fichas/3ybJLLXu5zqqn8Sx/
http://armannahalpersian.ir/3H5qqUOB/
http://alagi.ge/application/irnz5Rs8qWvQrf/
Extracted
emotet
Epoch5
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
218.38.121.17:443
103.71.99.57:8080
103.224.241.74:8080
128.199.242.164:8080
85.214.67.203:8080
103.254.12.236:7080
46.101.98.60:8080
178.62.112.199:8080
210.57.209.142:8080
195.77.239.39:8080
103.126.216.86:443
82.98.180.154:7080
202.28.34.99:8080
174.138.33.49:7080
160.16.143.191:8080
51.75.33.122:443
103.41.204.169:8080
186.250.48.5:443
87.106.97.83:7080
118.98.72.86:443
196.44.98.190:8080
103.85.95.4:8080
62.171.178.147:8080
54.37.228.122:443
114.79.130.68:443
198.199.70.22:8080
Signatures
Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3980 | 2692 | regsvr32.exe | 65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4244 | 2692 | regsvr32.exe | 65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3176 | 2692 | regsvr32.exe | 65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4428 | 2692 | regsvr32.exe | 65
Downloads MZ/PE file
Loads dropped DLL (3 IoCs)
pid | Process
4244 | regsvr32.exe
3176 | regsvr32.exe
4428 | regsvr32.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YjrdogsLjm.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\XUcorKBM\\YjrdogsLjm.dll\"" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xqydsaEzv.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\WMNBWTwUUtG\\xqydsaEzv.dll\"" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uejcnW.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\KhAWt\\uejcnW.dll\"" | regsvr32.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2692 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process
4244 | regsvr32.exe (×2)
5016 | regsvr32.exe (×4)
3176 | regsvr32.exe (×2)
4396 | regsvr32.exe (×4)
4428 | regsvr32.exe (×2)
476 | regsvr32.exe (×4)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2692 | EXCEL.EXE (×2)
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
2692 | EXCEL.EXE (×12)
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 2692 wrote to memory of 3980 | 2692 | EXCEL.EXE | 68 (×2)
PID 2692 wrote to memory of 4244 | 2692 | EXCEL.EXE | 71 (×2)
PID 4244 wrote to memory of 5016 | 4244 | regsvr32.exe | 74 (×2)
PID 2692 wrote to memory of 3176 | 2692 | EXCEL.EXE | 75 (×2)
PID 3176 wrote to memory of 4396 | 3176 | regsvr32.exe | 77 (×2)
PID 2692 wrote to memory of 4428 | 2692 | EXCEL.EXE | 78 (×2)
PID 4428 wrote to memory of 476 | 4428 | regsvr32.exe | 79 (×2)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2692)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\86353d15a6e972bee1b51d6727a02fdae8f7aa2440870b22fa926200b7bfe0d2.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\regsvr32.exe (PID 3980)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
    - Process spawned unexpected child process
  - C:\Windows\System32\regsvr32.exe (PID 4244)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe (PID 5016)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WMNBWTwUUtG\xqydsaEzv.dll"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\regsvr32.exe (PID 3176)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe (PID 4396)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KhAWt\uejcnW.dll"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\regsvr32.exe (PID 4428)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe (PID 476)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XUcorKBM\YjrdogsLjm.dll"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 751KB
  MD5: 211b878bc5444d635b6caf5171f3a206
  SHA1: 25c6476faa9a10979cb186a878cb02c77c281ebd
  SHA256: 66684783e944644417920fae3fd457407e4d4081dc008a5eca8d28164824253b
  SHA512: 1d3e106907526dd657e5f0f69e84a0e97f8801d2ee2a74589040ef3f2132d263ab76182c599816ef987dd5117bddccb990174d41bf1cc167c0f8877494e08312
- Filesize: 751KB
  MD5: a2d031cf0f8eb50b6d89ada2db501b0b
  SHA1: 9e1fb3523535e7434c6b19650eceec1cdcf2ef57
  SHA256: 4478dc3cf8b152ae41f4beda3516b586e7312f7c9d6d6692049b9f58ba9314fa
  SHA512: b61a380f5a47fc8cc583e76ccaae7149bdb68c93b104a83468743a6bbcc229a4e4e7cfb4855d84a9d58d38a98b84479a455310537055eb54246a9458794de1dd
- Filesize: 751KB
  MD5: 1e6f35c86cedb64c10332876caf40130
  SHA1: 138628122b6424ed4120c5b4dd67fa46039ebc72
  SHA256: 0452a8418e0dab728c939308442b3bfab1150cf200d6d7521920c21c5a1b44d6
  SHA512: 59e8b63ddc9922b5fea1b449492ea806f7688cf5ecd90e036d916ebfc5266d8f5132f3e59408f5041fe9143c9f8ca4304c2412f58b4cbc7649ad98b314bf64b5
- Filesize: 751KB
  MD5: 211b878bc5444d635b6caf5171f3a206
  SHA1: 25c6476faa9a10979cb186a878cb02c77c281ebd
  SHA256: 66684783e944644417920fae3fd457407e4d4081dc008a5eca8d28164824253b
  SHA512: 1d3e106907526dd657e5f0f69e84a0e97f8801d2ee2a74589040ef3f2132d263ab76182c599816ef987dd5117bddccb990174d41bf1cc167c0f8877494e08312
- Filesize: 751KB
  MD5: a2d031cf0f8eb50b6d89ada2db501b0b
  SHA1: 9e1fb3523535e7434c6b19650eceec1cdcf2ef57
  SHA256: 4478dc3cf8b152ae41f4beda3516b586e7312f7c9d6d6692049b9f58ba9314fa
  SHA512: b61a380f5a47fc8cc583e76ccaae7149bdb68c93b104a83468743a6bbcc229a4e4e7cfb4855d84a9d58d38a98b84479a455310537055eb54246a9458794de1dd
- Filesize: 751KB
  MD5: 1e6f35c86cedb64c10332876caf40130
  SHA1: 138628122b6424ed4120c5b4dd67fa46039ebc72
  SHA256: 0452a8418e0dab728c939308442b3bfab1150cf200d6d7521920c21c5a1b44d6
  SHA512: 59e8b63ddc9922b5fea1b449492ea806f7688cf5ecd90e036d916ebfc5266d8f5132f3e59408f5041fe9143c9f8ca4304c2412f58b4cbc7649ad98b314bf64b5