Analysis
Max time kernel: 142s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 09/11/2022, 19:34

Behavioral task: behavioral1
Sample: 256581586.xls
Resource: win10v2004-20220812-en
General
Target: 256581586.xls
Size: 91KB
MD5: b9e3899b2ae75df09dbaf867f05c2fea
SHA1: 372aa094aa996e2b52d89c733aa7b07f360baa1a
SHA256: d3e5727470b3be97dec07e5c7ae9bfec89665502b188f462710f9adcc8ce9473
SHA512: 616025177c59edadcdb14da60e6e44cb6c037f0ea3d041367dbecc77ae57fc4609fc83c9410fe6ec3f640821d8b2e2cfde8a967569af7399759c45504bcd644f
SSDEEP: 1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgEbCXuZH4gb4CEn9J4ZwEM:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgJ
Malware Config

Extracted (URLs)
http://www.muyehuayi.com/cmp/8asA99KPsyA/v6lUsWbLen/
http://concivilpa.com.py/wp-admin/i3CQu9dzDrMW/
https://wijsneusmedia.nl/cgi-bin/kFB/
http://www.angloextrema.com.br/assets/oEt1yYckHKlnNIq/

Extracted
Family: emotet
Botnet: Epoch5
C2 (ip:port):
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
218.38.121.17:443
103.71.99.57:8080
103.224.241.74:8080
128.199.242.164:8080
85.214.67.203:8080
103.254.12.236:7080
46.101.98.60:8080
178.62.112.199:8080
210.57.209.142:8080
195.77.239.39:8080
103.126.216.86:443
82.98.180.154:7080
202.28.34.99:8080
174.138.33.49:7080
160.16.143.191:8080
51.75.33.122:443
103.41.204.169:8080
186.250.48.5:443
87.106.97.83:7080
118.98.72.86:443
196.44.98.190:8080
103.85.95.4:8080
62.171.178.147:8080
54.37.228.122:443
114.79.130.68:443
198.199.70.22:8080
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3916 | 2732 | regsvr32.exe | 38
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4496 | 2732 | regsvr32.exe | 38
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 360 | 2732 | regsvr32.exe | 38
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2196 | 2732 | regsvr32.exe | 38

Downloads MZ/PE file

Loads dropped DLL (4 IoCs)
pid | Process
3916 | regsvr32.exe
3472 | regsvr32.exe
2196 | regsvr32.exe
884 | regsvr32.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHVrZ.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\NHlDOVzXlJLCj\\VHVrZ.dll\"" | regsvr32.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
4224 | 2596 | WerFault.exe | 84

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2732 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
3916 | regsvr32.exe (2 entries)
3472 | regsvr32.exe (4 entries)
2196 | regsvr32.exe (2 entries)
884 | regsvr32.exe (4 entries)

Suspicious use of SetWindowsHookEx (14 IoCs)
pid | Process
2732 | EXCEL.EXE (14 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2732 wrote to memory of 3916 | 2732 | EXCEL.EXE | 83 (2 entries)
PID 3916 wrote to memory of 3472 | 3916 | regsvr32.exe | 85 (2 entries)
PID 2732 wrote to memory of 4496 | 2732 | EXCEL.EXE | 86 (2 entries)
PID 2732 wrote to memory of 360 | 2732 | EXCEL.EXE | 90 (2 entries)
PID 2732 wrote to memory of 2196 | 2732 | EXCEL.EXE | 91 (2 entries)
PID 2196 wrote to memory of 884 | 2196 | regsvr32.exe | 92 (2 entries)
Processes
(indentation shows the process tree depth; each entry gives the image path, the command line, the signatures hit and the PID)

EXCEL.EXE (PID 2732)
  Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\256581586.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    regsvr32.exe (PID 3916)
      Path: C:\Windows\System32\regsvr32.exe
      Command line: C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        regsvr32.exe (PID 3472)
          Path: C:\Windows\system32\regsvr32.exe
          Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NHlDOVzXlJLCj\VHVrZ.dll"
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses

    regsvr32.exe (PID 4496)
      Path: C:\Windows\System32\regsvr32.exe
      Command line: C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
      - Process spawned unexpected child process

    regsvr32.exe (PID 360)
      Path: C:\Windows\System32\regsvr32.exe
      Command line: C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
      - Process spawned unexpected child process

    regsvr32.exe (PID 2196)
      Path: C:\Windows\System32\regsvr32.exe
      Command line: C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        regsvr32.exe (PID 884)
          Path: C:\Windows\system32\regsvr32.exe
          Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EZJwu\soQzHXK.dll"
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses

WerFault.exe (PID 4180)
  Path: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 452 -p 2596 -ip 2596

WerFault.exe (PID 4224)
  Path: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 2596 -s 844
  - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
(two distinct files; each is listed three times in the report's download list)

File 1 (listed 3 times)
Filesize: 434KB
MD5: 8fcbefc5b851ebbe296ab0ca1b0daa67
SHA1: 08ce9adb6d13889e342a564ae633b521967aa0cb
SHA256: 295a8d38959e891564030a972db112a9f433d098b0c2cf0e83e8e0f96942dfa4
SHA512: 9a0d878bea5f9441c6c72d3629b36110185a39c487d516b24aaada36ebe2554cc87c1f90f88b788b1495006390c1dd94247f4d01867a3c6ee1e6884c0b507b08

File 2 (listed 3 times)
Filesize: 434KB
MD5: a95ef8ddf776f91c231f2a270b67f117
SHA1: e0585229980fd7ce46cdc93e7dfd516789b0cdfb
SHA256: 3cce3c3874ad1fa95a2cbbc13edad110b09f5f6733790c7d771668615ceb5acb
SHA512: 53bea77d728421fe95594f9b58256fd44f535a94a4a3a3ff4a8d26fa45ba26f3ba6f0d642aac3388bdece2fc8b0a9280e36416fb33b8701f50acafb7331c3387