Analysis
- max time kernel: 151s
- max time network: 189s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 09/11/2022, 22:16

Behavioral task: behavioral1
- Sample: 408372.xls
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 408372.xls
- Resource: win10v2004-20220812-en

General
- Target: 408372.xls
- Size: 91KB
- MD5: eba12ff624bac7b80f793d44cebd8d42
- SHA1: 0550a1128429c2ab52c31c559acb9be33e7b36d6
- SHA256: 1ee7b704748ac97fec5cac6b14feb616aa08a607af15ec2e23dfe4a49e885077
- SHA512: b064f33fd9a5834fe6361e130e4a7fe4a539a461e9d6cd31c5acb36ee3d28ed3fe28e21f9b060e8a0caad5aba9f2c03747e5bc24754972663f3bafed4952cfe1
- SSDEEP: 1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgIbCXuZH4gb4CEn9J4ZJVQvj:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgp
Malware Config
Extracted
http://fixoutlet.com/logs/OGlRuU/
http://www.cesasin.com.ar/administrator/viA95RR/
http://blacktequila.com.br/2fb62HWWoKi5nfEq2D/XB5VOAXZkhVhSKveYUV/
http://case.co.il/_js/dooigYa/
Extracted
emotet
Epoch5
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1996) is not expected to spawn regsvr32.exe (PID 904); procid_target 26
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1996) is not expected to spawn regsvr32.exe (PID 744); procid_target 26
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1996) is not expected to spawn regsvr32.exe (PID 1140); procid_target 26
- Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1996) is not expected to spawn regsvr32.exe (PID 1588); procid_target 26
Downloads MZ/PE file

Loads dropped DLL (8 IoCs)
- 904 regsvr32.exe
- 624 regsvr32.exe
- 744 regsvr32.exe
- 1556 regsvr32.exe
- 1140 regsvr32.exe
- 760 regsvr32.exe
- 1588 regsvr32.exe
- 1604 regsvr32.exe
Enumerates system info in registry (2 TTPs, 1 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)

Modifies Internet Explorer settings
- Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
- 1996 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (12 IoCs)
- 624 regsvr32.exe
- 1972 regsvr32.exe (2 entries)
- 1556 regsvr32.exe
- 1520 regsvr32.exe (2 entries)
- 760 regsvr32.exe
- 1628 regsvr32.exe (2 entries)
- 1604 regsvr32.exe
- 1712 regsvr32.exe (2 entries)

Suspicious use of FindShellTrayWindow (1 IoCs)
- 1996 EXCEL.EXE

Suspicious use of SetWindowsHookEx (7 IoCs)
- 1996 EXCEL.EXE (7 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Identical entries are grouped; "entries" is the number of times the report records that writer/target pair.
- PID 1996 EXCEL.EXE wrote to memory of 904 (procid_target 29): 7 entries
- PID 904 regsvr32.exe wrote to memory of 624 (procid_target 30): 7 entries
- PID 624 regsvr32.exe wrote to memory of 1972 (procid_target 31): 5 entries
- PID 1996 EXCEL.EXE wrote to memory of 744 (procid_target 32): 7 entries
- PID 744 regsvr32.exe wrote to memory of 1556 (procid_target 33): 7 entries
- PID 1556 regsvr32.exe wrote to memory of 1520 (procid_target 34): 5 entries
- PID 1996 EXCEL.EXE wrote to memory of 1140 (procid_target 35): 7 entries
- PID 1140 regsvr32.exe wrote to memory of 760 (procid_target 36): 7 entries
- PID 760 regsvr32.exe wrote to memory of 1628 (procid_target 37): 5 entries
- PID 1996 EXCEL.EXE wrote to memory of 1588 (procid_target 38): 7 entries
Processes
Process tree, indented by depth; each entry gives the image path, the recorded command line, the PID and the signatures that fired for it.

- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1996)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\408372.xls
  Signatures: Enumerates system info in registry; Modifies Internet Explorer settings; Suspicious behavior: AddClipboardFormatListener; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\regsvr32.exe (PID 904)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
    Signatures: Process spawned unexpected child process; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe (PID 624)
      Command line: /S ..\elv1.ooocccxxx
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\regsvr32.exe (PID 1972)
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZjZqBZHdEcGXsIRxR\RawXiWenv.dll"
        Signatures: Suspicious behavior: EnumeratesProcesses

  - C:\Windows\SysWOW64\regsvr32.exe (PID 744)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
    Signatures: Process spawned unexpected child process; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe (PID 1556)
      Command line: /S ..\elv2.ooocccxxx
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\regsvr32.exe (PID 1520)
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PmiVbmRbuta\TjYFujrobTE.dll"
        Signatures: Suspicious behavior: EnumeratesProcesses

  - C:\Windows\SysWOW64\regsvr32.exe (PID 1140)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
    Signatures: Process spawned unexpected child process; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\regsvr32.exe (PID 760)
      Command line: /S ..\elv3.ooocccxxx
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\regsvr32.exe (PID 1628)
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QpzCGhGy\UqRCRGX.dll"
        Signatures: Suspicious behavior: EnumeratesProcesses

  - C:\Windows\SysWOW64\regsvr32.exe (PID 1588)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
    Signatures: Process spawned unexpected child process; Loads dropped DLL
    - C:\Windows\system32\regsvr32.exe (PID 1604)
      Command line: /S ..\elv4.ooocccxxx
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\system32\regsvr32.exe (PID 1712)
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TNBRerGgHW\CrKWkkZAMhsHkYT.dll"
        Signatures: Suspicious behavior: EnumeratesProcesses
Downloads