Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2022, 22:33
Behavioral task
behavioral1
Sample
10112022.xls
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
10112022.xls
Resource
win10v2004-20220901-en
General
-
Target
10112022.xls
-
Size
91KB
-
MD5
5cdc9928185d3c019b1093e980037a1c
-
SHA1
6ac9ea81dbdbef10f8a733d7038fb3997dfce404
-
SHA256
82d3e0feb4e9fb53a00a23700f936021aba598ffc08e1d8b8c5f33e327d09912
-
SHA512
e2ed78f9e765cbcf6fb332f3b535981390d28e6bc356da27f3e82aca13b19d9724bb623789f150a891026800595910aca46b0371743291ee0ecd7b13d8b8c250
-
SSDEEP
1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgIbCXuZH4gb4CEn9J4ZJlQvj:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgZ
Malware Config
Extracted
http://fixoutlet.com/logs/OGlRuU/
http://www.cesasin.com.ar/administrator/viA95RR/
http://blacktequila.com.br/2fb62HWWoKi5nfEq2D/XB5VOAXZkhVhSKveYUV/
http://case.co.il/_js/dooigYa/
Extracted
emotet
Epoch5
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
218.38.121.17:443
103.71.99.57:8080
103.224.241.74:8080
128.199.242.164:8080
85.214.67.203:8080
103.254.12.236:7080
46.101.98.60:8080
178.62.112.199:8080
210.57.209.142:8080
195.77.239.39:8080
103.126.216.86:443
82.98.180.154:7080
202.28.34.99:8080
174.138.33.49:7080
160.16.143.191:8080
51.75.33.122:443
103.41.204.169:8080
186.250.48.5:443
87.106.97.83:7080
118.98.72.86:443
196.44.98.190:8080
103.85.95.4:8080
62.171.178.147:8080
54.37.228.122:443
114.79.130.68:443
198.199.70.22:8080
Signatures
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2012 1828 regsvr32.exe 80 Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1420 1828 regsvr32.exe 80 Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2256 1828 regsvr32.exe 80 Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2876 1828 regsvr32.exe 80 -
Downloads MZ/PE file
-
Loads dropped DLL 8 IoCs
pid Process 2012 regsvr32.exe 368 regsvr32.exe 1420 regsvr32.exe 4852 regsvr32.exe 2256 regsvr32.exe 2392 regsvr32.exe 2876 regsvr32.exe 3416 regsvr32.exe -
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KKIZGakMKi.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\FGzPLzZXeyROMld\\KKIZGakMKi.dll\"" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxii.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\NWJKpDRbes\\nxii.dll\"" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ISuiZaCOWWt.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\AZsAIR\\ISuiZaCOWWt.dll\"" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VNJOWVVI.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\AcyiPSNZc\\VNJOWVVI.dll\"" regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1828 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid Process 2012 regsvr32.exe 2012 regsvr32.exe 368 regsvr32.exe 368 regsvr32.exe 368 regsvr32.exe 368 regsvr32.exe 1420 regsvr32.exe 1420 regsvr32.exe 4852 regsvr32.exe 4852 regsvr32.exe 4852 regsvr32.exe 4852 regsvr32.exe 2256 regsvr32.exe 2256 regsvr32.exe 2392 regsvr32.exe 2392 regsvr32.exe 2392 regsvr32.exe 2392 regsvr32.exe 2876 regsvr32.exe 2876 regsvr32.exe 3416 regsvr32.exe 3416 regsvr32.exe 3416 regsvr32.exe 3416 regsvr32.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 1828 EXCEL.EXE 1828 EXCEL.EXE 1828 EXCEL.EXE 1828 EXCEL.EXE 1828 EXCEL.EXE 1828 EXCEL.EXE 1828 EXCEL.EXE 1828 EXCEL.EXE 1828 EXCEL.EXE 1828 EXCEL.EXE 1828 EXCEL.EXE 1828 EXCEL.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1828 wrote to memory of 2012 1828 EXCEL.EXE 85 PID 1828 wrote to memory of 2012 1828 EXCEL.EXE 85 PID 2012 wrote to memory of 368 2012 regsvr32.exe 87 PID 2012 wrote to memory of 368 2012 regsvr32.exe 87 PID 1828 wrote to memory of 1420 1828 EXCEL.EXE 90 PID 1828 wrote to memory of 1420 1828 EXCEL.EXE 90 PID 1420 wrote to memory of 4852 1420 regsvr32.exe 91 PID 1420 wrote to memory of 4852 1420 regsvr32.exe 91 PID 1828 wrote to memory of 2256 1828 EXCEL.EXE 92 PID 1828 wrote to memory of 2256 1828 EXCEL.EXE 92 PID 2256 wrote to memory of 2392 2256 regsvr32.exe 93 PID 2256 wrote to memory of 2392 2256 regsvr32.exe 93 PID 1828 wrote to memory of 2876 1828 EXCEL.EXE 94 PID 1828 wrote to memory of 2876 1828 EXCEL.EXE 94 PID 2876 wrote to memory of 3416 2876 regsvr32.exe 95 PID 2876 wrote to memory of 3416 2876 regsvr32.exe 95
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\10112022.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\NWJKpDRbes\nxii.dll"3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:368
-
-
-
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\AZsAIR\ISuiZaCOWWt.dll"3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4852
-
-
-
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\AcyiPSNZc\VNJOWVVI.dll"3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2392
-
-
-
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\FGzPLzZXeyROMld\KKIZGakMKi.dll"3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:3416
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
591KB
MD57e8fee77132c086dee1d35b3883093c0
SHA1cb76cf15cc4b8a9716234ddad4dacf31310fff22
SHA256c92ff622c42f6ec9de3fda948add268884f3f490514d539e6bff37af5321ac86
SHA512b3aa4869b58962fff26d487a8fd9de48bc957fe31d9d99870e9318ce2d48d04e1de445966c0e2d5e87590848c981db08e497874f535b45e0b689bb9edfdb2448
-
Filesize
591KB
MD57e8fee77132c086dee1d35b3883093c0
SHA1cb76cf15cc4b8a9716234ddad4dacf31310fff22
SHA256c92ff622c42f6ec9de3fda948add268884f3f490514d539e6bff37af5321ac86
SHA512b3aa4869b58962fff26d487a8fd9de48bc957fe31d9d99870e9318ce2d48d04e1de445966c0e2d5e87590848c981db08e497874f535b45e0b689bb9edfdb2448
-
Filesize
591KB
MD54e7d14eb59c3e63be0ce4d1b1af6a551
SHA1594d9dceb37b5a61d1e9cf4ed1a6be2808ee730f
SHA25689b29bad84ce0fa4d806b481a996c180a95e47e370d573ff590094261cfe4e91
SHA512c1f1b192db14e315fc3dc7230eb6e2dfa9612d938b5170d4da920146dfd6ebea3279e6a1402757d3f203fe985cd5d37be231e9389bbae04461b25f61814483ac
-
Filesize
591KB
MD54e7d14eb59c3e63be0ce4d1b1af6a551
SHA1594d9dceb37b5a61d1e9cf4ed1a6be2808ee730f
SHA25689b29bad84ce0fa4d806b481a996c180a95e47e370d573ff590094261cfe4e91
SHA512c1f1b192db14e315fc3dc7230eb6e2dfa9612d938b5170d4da920146dfd6ebea3279e6a1402757d3f203fe985cd5d37be231e9389bbae04461b25f61814483ac
-
Filesize
591KB
MD56867f2d861160fbfeed5b7c6d0208a8c
SHA1ef8d76eeb4a1bf3500f2b0a75ecf8db9ec7755d8
SHA256957505bbcf458e5b668d2c9ad930e7268f1edc16028c6e8547044963754d3d6d
SHA512b86f9ce88fd416c34c858712349f6b857052f6e6b4c631c3637d8a611c299337d2de5d214dc4775ed9fe5b3e4f6de2715470e57b1d8d8022f37cb94faca958fb
-
Filesize
591KB
MD56867f2d861160fbfeed5b7c6d0208a8c
SHA1ef8d76eeb4a1bf3500f2b0a75ecf8db9ec7755d8
SHA256957505bbcf458e5b668d2c9ad930e7268f1edc16028c6e8547044963754d3d6d
SHA512b86f9ce88fd416c34c858712349f6b857052f6e6b4c631c3637d8a611c299337d2de5d214dc4775ed9fe5b3e4f6de2715470e57b1d8d8022f37cb94faca958fb
-
Filesize
591KB
MD53995fa09a20398b02e68d778b8f24f60
SHA11780771df76d11a5bb023ad2cb41728004743769
SHA256134baf345332ba4de3b080a1fb3b72758c52e72c9896937921b0e92cc9fa3f34
SHA51237f3ea200b7380e8f9426fbe8dbf29b6d94042e9a795b22ebd459e9da57e3b0b4462f94f00a6d43ebeb5cd2746a50631da7953071563f65023b6d790b528388a
-
Filesize
591KB
MD53995fa09a20398b02e68d778b8f24f60
SHA11780771df76d11a5bb023ad2cb41728004743769
SHA256134baf345332ba4de3b080a1fb3b72758c52e72c9896937921b0e92cc9fa3f34
SHA51237f3ea200b7380e8f9426fbe8dbf29b6d94042e9a795b22ebd459e9da57e3b0b4462f94f00a6d43ebeb5cd2746a50631da7953071563f65023b6d790b528388a
-
Filesize
591KB
MD54e7d14eb59c3e63be0ce4d1b1af6a551
SHA1594d9dceb37b5a61d1e9cf4ed1a6be2808ee730f
SHA25689b29bad84ce0fa4d806b481a996c180a95e47e370d573ff590094261cfe4e91
SHA512c1f1b192db14e315fc3dc7230eb6e2dfa9612d938b5170d4da920146dfd6ebea3279e6a1402757d3f203fe985cd5d37be231e9389bbae04461b25f61814483ac
-
Filesize
591KB
MD56867f2d861160fbfeed5b7c6d0208a8c
SHA1ef8d76eeb4a1bf3500f2b0a75ecf8db9ec7755d8
SHA256957505bbcf458e5b668d2c9ad930e7268f1edc16028c6e8547044963754d3d6d
SHA512b86f9ce88fd416c34c858712349f6b857052f6e6b4c631c3637d8a611c299337d2de5d214dc4775ed9fe5b3e4f6de2715470e57b1d8d8022f37cb94faca958fb
-
Filesize
591KB
MD53995fa09a20398b02e68d778b8f24f60
SHA11780771df76d11a5bb023ad2cb41728004743769
SHA256134baf345332ba4de3b080a1fb3b72758c52e72c9896937921b0e92cc9fa3f34
SHA51237f3ea200b7380e8f9426fbe8dbf29b6d94042e9a795b22ebd459e9da57e3b0b4462f94f00a6d43ebeb5cd2746a50631da7953071563f65023b6d790b528388a
-
Filesize
591KB
MD57e8fee77132c086dee1d35b3883093c0
SHA1cb76cf15cc4b8a9716234ddad4dacf31310fff22
SHA256c92ff622c42f6ec9de3fda948add268884f3f490514d539e6bff37af5321ac86
SHA512b3aa4869b58962fff26d487a8fd9de48bc957fe31d9d99870e9318ce2d48d04e1de445966c0e2d5e87590848c981db08e497874f535b45e0b689bb9edfdb2448