Analysis
  max time kernel:   185s
  max time network:  189s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220812-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         09/11/2022, 21:40
Behavioral tasks
  behavioral1:  sample 14408.xls, resource win7-20220812-en
  behavioral2:  sample 14408.xls, resource win10v2004-20220812-en
General
  Target:  14408.xls
  Size:    91KB
  MD5:     43923f2dd90ef7bc51dce76cabff25dc
  SHA1:    dffdfc5e30c4efac1b48e7964b12b1b537eb9ce4
  SHA256:  ead31830ffa2f7421dfbb81a6dffa1388021494679b943cb824806863a6be300
  SHA512:  dc0c5cd4ad463ab870cf72181247dd3e209eb5a4617d03e6b28c4c39f281bcd1345f646696fd2b8d3d5a7634c7ac0d720de5ffe44c0dd7ca22c15e9c174063b0
  SSDEEP:  1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgIbCXuZH4gb4CEn9J4ZJhQvj:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgt
Malware Config

Extracted: 4 URLs from the document stage (the document launched regsvr32.exe four times, once per elv*.ooocccxxx file; see Signatures and Processes below)
http://fixoutlet.com/logs/OGlRuU/
http://www.cesasin.com.ar/administrator/viA95RR/
http://blacktequila.com.br/2fb62HWWoKi5nfEq2D/XB5VOAXZkhVhSKveYUV/
http://case.co.il/_js/dooigYa/

Extracted: emotet, botnet Epoch5, C2 list (46 host:port entries on ports 8080, 7080 and 443)
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
218.38.121.17:443
103.71.99.57:8080
103.224.241.74:8080
128.199.242.164:8080
85.214.67.203:8080
103.254.12.236:7080
46.101.98.60:8080
178.62.112.199:8080
210.57.209.142:8080
195.77.239.39:8080
103.126.216.86:443
82.98.180.154:7080
202.28.34.99:8080
174.138.33.49:7080
160.16.143.191:8080
51.75.33.122:443
103.41.204.169:8080
186.250.48.5:443
87.106.97.83:7080
118.98.72.86:443
196.44.98.190:8080
103.85.95.4:8080
62.171.178.147:8080
54.37.228.122:443
114.79.130.68:443
198.199.70.22:8080
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. Here EXCEL.EXE (PID 960) launched regsvr32.exe four times with /S against files named ..\elv1.ooocccxxx to ..\elv4.ooocccxxx. regsvr32 loads its argument with LoadLibrary and calls DllRegisterServer whatever the file is called, so the non-.dll extension costs the attacker nothing and only defeats extension-based filters. In the pid column the child is listed first and the parent (pid_target) second.
  description | pid | pid_target | process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3204 | 960 | regsvr32.exe | 78
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4456 | 960 | regsvr32.exe | 78
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1044 | 960 | regsvr32.exe | 78
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2332 | 960 | regsvr32.exe | 78
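Detection logic for this chain, as an added example (it is not part of the sandbox report or of any vendor product): it walks Sysmon Event ID 1 style process-creation records in creation order and flags LOLBins launched by an Office parent, regsvr32's silent /S switch and a non-DLL target extension, and regsvr32 re-launched by an already flagged regsvr32, which is the level-3 pattern in the process tree below. The sample records are constructed from this page's process tree; the explorer.exe parent of EXCEL.EXE (PID 4000) and the benign control entry are assumptions.

```python
"""Flag the Office -> regsvr32 -> regsvr32 chain from Sysmon-style
process-creation records (Image, ParentImage, CommandLine, ProcessId,
ParentProcessId). Added example; not part of the sandbox report."""
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# Extensions regsvr32 is legitimately asked to register. regsvr32 itself does
# not care (it LoadLibrary's whatever path it is given), so an odd extension
# only ever defeats extension-based filters.
REGISTERABLE = {".dll", ".ocx", ".ax"}

_TOKEN = re.compile(r'"[^"]*"|\S+')


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def regsvr32_target(cmdline):
    """Return the path regsvr32 was asked to load: the last non-switch argument."""
    args = [t for t in split_cmdline(cmdline)[1:] if not t.startswith(("/", "-"))]
    return args[-1] if args else None


def flag_office_spawns(events):
    """Return one finding per suspicious child. Events must be in creation
    order so that a parent is seen before its children. Windows reuses PIDs;
    on real telemetry key on ProcessGuid/ParentProcessGuid instead."""
    flagged = {}  # child PID -> finding, insertion order preserved
    for ev in events:
        parent = PureWindowsPath(ev["ParentImage"]).name.lower()
        child = PureWindowsPath(ev["Image"]).name.lower()
        reasons = []
        if parent in OFFICE_PARENTS and child in LOLBIN_CHILDREN:
            reasons.append(f"{parent} spawned {child}")
        elif child == "regsvr32.exe" and ev["ParentProcessId"] in flagged:
            reasons.append(f"regsvr32 re-launched by flagged PID {ev['ParentProcessId']}")
        if not reasons:
            continue
        if child == "regsvr32.exe":
            if any(t.lower() == "/s" for t in split_cmdline(ev["CommandLine"])):
                reasons.append("silent registration (/S)")
            target = regsvr32_target(ev["CommandLine"])
            if target is not None:
                ext = PureWindowsPath(target).suffix.lower()
                if ext not in REGISTERABLE:
                    reasons.append(f"target extension {ext!r} is not a DLL/OCX")
        flagged[ev["ProcessId"]] = {"pid": ev["ProcessId"], "ppid": ev["ParentProcessId"],
                                    "cmdline": ev["CommandLine"], "reasons": reasons}
    return list(flagged.values())


EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
REGSVR = r"C:\Windows\System32\regsvr32.exe"


def _ev(pid, ppid, image, parent_image, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent_image, "CommandLine": cmdline}


# Constructed from the report's process tree. The explorer.exe parent of
# EXCEL.EXE (PID 4000) and the final benign control entry are assumed.
SAMPLE_EVENTS = [
    _ev(960, 4000, EXCEL, r"C:\Windows\explorer.exe",
        rf'"{EXCEL}" "C:\Users\Admin\AppData\Local\Temp\14408.xls"'),
    _ev(3204, 960, REGSVR, EXCEL, rf"{REGSVR} /S ..\elv1.ooocccxxx"),
    _ev(4456, 960, REGSVR, EXCEL, rf"{REGSVR} /S ..\elv2.ooocccxxx"),
    _ev(4200, 4456, REGSVR, REGSVR,
        rf'{REGSVR} "C:\Windows\system32\WdJVXfoXw\BfczZNgcKnc.dll"'),
    # benign control: an installer registering a DLL from explorer, not Office
    _ev(5120, 4000, REGSVR, r"C:\Windows\explorer.exe",
        rf'{REGSVR} /s "C:\Program Files\ExampleVendor\example.dll"'),
]

if __name__ == "__main__":
    for f in flag_office_spawns(SAMPLE_EVENTS):
        print(f"PID {f['pid']} (parent {f['ppid']}): {'; '.join(f['reasons'])}")
```

The Office and LOLBin lists are starting points to tune for the estate, not a complete inventory; the second rule (regsvr32 spawned by a flagged regsvr32) is what separates this chain from a one-off installer registering a component.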
Downloads MZ/PE file

Loads dropped DLL (6 IoCs)
  pid | process
  4456 | regsvr32.exe
  4200 | regsvr32.exe
  1044 | regsvr32.exe
  4424 | regsvr32.exe
  2332 | regsvr32.exe
  2344 | regsvr32.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
Each second-stage regsvr32.exe (PIDs 4200, 4424 and 2344 in the process tree) registers the DLL it was launched with for re-execution at every logon. The key is under HKLM and the DLLs sit under System32, so this needs administrative rights, which the sandbox's Admin user has. Value data is shown unescaped here; the original listing prints it JSON-escaped (doubled backslashes, \" for quotes).
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BfczZNgcKnc.dll = C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WdJVXfoXw\BfczZNgcKnc.dll" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zzRcPmkqglw.dll = C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CddVKWpQJwvxdZ\zzRcPmkqglw.dll" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzhHgfgn.dll = C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SRkVc\pzhHgfgn.dll" | regsvr32.exe
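A Run-key audit for this persistence pattern, as an added example (not part of the report or of any vendor tooling): it takes (name, data) pairs from a Run key, picks out regsvr32/rundll32 loaders, and reports the three traits visible in the table above (a loader in Run at all, a DLL under a randomly named System32 subdirectory, a value named after the DLL). The report's three values are embedded exactly as the listing prints them and unescaped with json.loads; the SecurityHealth, OneDrive and ExampleCodec entries are constructed controls. On Windows the block can enumerate the live HKLM key through the standard winreg module; elsewhere it runs on the embedded sample.

```python
"""Audit Run-key values for regsvr32/rundll32 logon persistence of the kind
recorded in this report. Added example; not part of the sandbox report."""
import json
import re
import sys
from pathlib import PureWindowsPath

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}
_TOKEN = re.compile(r'"[^"]*"|\S+')

# Value data exactly as the report prints it (backslashes doubled, quotes escaped).
REPORT_VALUES = [
    ("BfczZNgcKnc.dll", r'C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\WdJVXfoXw\\BfczZNgcKnc.dll\"'),
    ("zzRcPmkqglw.dll", r'C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\CddVKWpQJwvxdZ\\zzRcPmkqglw.dll\"'),
    ("pzhHgfgn.dll", r'C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\SRkVc\\pzhHgfgn.dll\"'),
]


def unescape_report_value(raw):
    """The report shows registry data JSON-escaped; json.loads undoes that."""
    return json.loads(f'"{raw}"')


# Constructed benign controls (not from the report): two ordinary Run entries
# and one rundll32 loader that should fire only the weakest reason.
CONTROL_VALUES = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("ExampleCodec", r'rundll32.exe "C:\Program Files\ExampleVendor\codec.dll",Register'),
]
SAMPLE_RUN_VALUES = [(n, unescape_report_value(d)) for n, d in REPORT_VALUES] + CONTROL_VALUES


def audit_run_values(values):
    """values: iterable of (name, data). Returns a finding for every value whose
    command is a DLL loader, listing which of the three traits fire."""
    findings = []
    for name, data in values:
        toks = [t.strip('"') for t in _TOKEN.findall(data)]
        if not toks:
            continue
        exe = PureWindowsPath(toks[0]).name.lower()
        if exe not in DLL_LOADERS:
            continue
        args = [t for t in toks[1:] if not t.startswith(("/", "-"))]
        if not args:
            continue
        # rundll32 takes "dll,EntryPoint"; regsvr32 takes the path alone.
        target = PureWindowsPath(args[0].split(",")[0])
        reasons = [f"{exe} used as a logon-time loader"]
        # C:\Windows\System32\<dir>\x.dll -> parts: drive, windows, system32, <dir>, x.dll
        # Unexpanded %windir% / %SystemRoot% data will not match this literal check.
        parts = [p.lower() for p in target.parts]
        if len(parts) >= 5 and parts[1:3] == ["windows", "system32"]:
            reasons.append(f"DLL in System32 subdirectory {target.parent.name!r}")
        if name.lower() == target.name.lower():
            reasons.append("value named after the DLL")
        findings.append({"name": name, "loader": exe, "target": str(target), "reasons": reasons})
    return findings


def read_live_run_values():
    """Enumerate HKLM Run values in both registry views. Windows only."""
    import winreg
    out = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                out.append((name, str(data)))
                i += 1
    return out


if __name__ == "__main__":
    values = read_live_run_values() if sys.platform == "win32" else SAMPLE_RUN_VALUES
    for f in audit_run_values(values):
        print(f"{f['name']}: {f['target']} [{'; '.join(f['reasons'])}]")
```

A loader in Run by itself is only a lead (vendors do occasionally register components this way, as the ExampleCodec control shows); all three traits together, as for the report's three values, is the pattern to alert on.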
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. All three reads here are attributed to EXCEL.EXE (PID 960), which can query these keys in normal operation as well, so on its own this signature is weak evidence; none of the regsvr32 stages is recorded reading them.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
The same caveat applies: the BIOS reads are attributed to EXCEL.EXE, not to the payload.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | process
  960 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid | process | occurrences
  4456 | regsvr32.exe | 2
  4200 | regsvr32.exe | 4
  1044 | regsvr32.exe | 2
  4424 | regsvr32.exe | 4
  2332 | regsvr32.exe | 2
  2344 | regsvr32.exe | 4

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | process | occurrences
  960 | EXCEL.EXE | 12

Suspicious use of WriteProcessMemory (14 IoCs; each pair is recorded twice)
Every entry is a parent writing into the child it has just created, which is part of ordinary process start-up, so these rows confirm the process tree rather than showing injection into an unrelated process.
  description | pid | process | procid_target
  PID 960 wrote to memory of 3204 | 960 | EXCEL.EXE | 83
  PID 960 wrote to memory of 4456 | 960 | EXCEL.EXE | 84
  PID 4456 wrote to memory of 4200 | 4456 | regsvr32.exe | 85
  PID 960 wrote to memory of 1044 | 960 | EXCEL.EXE | 86
  PID 1044 wrote to memory of 4424 | 1044 | regsvr32.exe | 87
  PID 960 wrote to memory of 2332 | 960 | EXCEL.EXE | 88
  PID 2332 wrote to memory of 2344 | 2332 | regsvr32.exe | 89
Processes
Three levels: the document stage (EXCEL.EXE), four regsvr32.exe launches against ..\elv1..elv4.ooocccxxx, and for three of them a second regsvr32.exe launched against a DLL under a randomly named System32 subdirectory. The first launch (PID 3204, elv1) records no DLL load and no child.

[1] "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\14408.xls"   (PID 960)
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx   (PID 3204)
        - Process spawned unexpected child process
  [2] C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx   (PID 4456)
        - Process spawned unexpected child process
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WdJVXfoXw\BfczZNgcKnc.dll"   (PID 4200)
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx   (PID 1044)
        - Process spawned unexpected child process
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CddVKWpQJwvxdZ\zzRcPmkqglw.dll"   (PID 4424)
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx   (PID 2332)
        - Process spawned unexpected child process
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SRkVc\pzhHgfgn.dll"   (PID 2344)
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
The original list has nine entries covering three distinct 591KB files (each set of hashes appears three times); the duplicates are collapsed below.

File 1 (591KB)
  MD5:     15e3cde75461e37aba5b3982fb9cf6e5
  SHA1:    d54fdfcbdcb6ac4e1552b42acc19e680825329c5
  SHA256:  51c515f1d30cc4345521f2f113fafce5ddca143d20d58d6768a53dacf781900a
  SHA512:  abc883fa0190ba4fa9b6bcd3b707af3c36324179ce74c0c4218456df03d133cef85cdee80d3405bf73b5da3c60dd7ac0198431fbaede6f92da0feaaf376daeca

File 2 (591KB)
  MD5:     3479033a5ec6626ec2c2d24a9d19f796
  SHA1:    827ae23c2a0e8f287fd8ca301218481cfef3c2e6
  SHA256:  8badf47caa4eefafae7b15d7e2d17bbdd0d2bb55addd10bafefd20f251f75d24
  SHA512:  b361f6b96241f42fc39836bc65b8dc693603d4136226baf22a9d307fd6ce14133ff10a8c1529e8b2a98ed71104e1a18294fb90ca9b7fc2ec3e3e5e68ad4cd618

File 3 (591KB)
  MD5:     0f2b02086295811395a96a99556cc9da
  SHA1:    79c1034e8204ec0945463620949f56280dd6f931
  SHA256:  5f8453b2a1536f903f83357852e84b01e37498d8ae993d118716dae9aec9fcb0
  SHA512:  820b614a9108bfd1cd90c04aa458b5ca010686358f0b1ddf36f663642a930acb0b6050689a5b43ca85df63fbd354a736fbda9ca5d830c397b1a162bcd0f696d2