Analysis Overview
SHA256
ab0cfe816ec9a9844a86c8f8b55ca317fa485fcee1bdf167fdcc9a5d388cdad2
Threat Level: Known bad
The file 256581586.zip was found to be: Known bad.
Malicious Activity Summary
Emotet
Process spawned unexpected child process
Suspicious Office macro
Downloads MZ/PE file
Loads dropped DLL
Adds Run key to start application
Program crash
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-09 19:34
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-09 19:34
Reported
2022-11-09 19:37
Platform
win10v2004-20220812-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHVrZ.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\NHlDOVzXlJLCj\\VHVrZ.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\256581586.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NHlDOVzXlJLCj\VHVrZ.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 2596 -ip 2596
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2596 -s 844
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EZJwu\soQzHXK.dll"
Network
| Country | Destination | Domain | Proto |
| US | 72.21.91.29:80 | N/A | tcp |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 8.8.8.8:53 | www.muyehuayi.com | udp |
| HK | 103.229.183.58:80 | www.muyehuayi.com | tcp |
| US | 20.42.65.89:443 | N/A | tcp |
| US | 8.8.8.8:53 | concivilpa.com.py | udp |
| CA | 51.161.12.60:80 | concivilpa.com.py | tcp |
| NL | 104.110.191.133:80 | N/A | tcp |
| NL | 104.110.191.133:80 | N/A | tcp |
| US | 8.8.8.8:53 | wijsneusmedia.nl | udp |
| NL | 185.182.56.21:443 | wijsneusmedia.nl | tcp |
| KR | 218.38.121.17:443 | N/A | tcp |
| US | 8.8.8.8:53 | www.angloextrema.com.br | udp |
| US | 108.179.252.23:80 | www.angloextrema.com.br | tcp |
| BR | 186.250.48.5:443 | 186.250.48.5 | tcp |
Files
memory/2732-132-0x00007FFA45370000-0x00007FFA45380000-memory.dmp
memory/2732-133-0x00007FFA45370000-0x00007FFA45380000-memory.dmp
memory/2732-134-0x00007FFA45370000-0x00007FFA45380000-memory.dmp
memory/2732-136-0x00007FFA45370000-0x00007FFA45380000-memory.dmp
memory/2732-135-0x00007FFA45370000-0x00007FFA45380000-memory.dmp
memory/2732-137-0x00007FFA42FA0000-0x00007FFA42FB0000-memory.dmp
memory/2732-138-0x00007FFA42FA0000-0x00007FFA42FB0000-memory.dmp
memory/3916-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv1.ooocccxxx
| MD5 | 8fcbefc5b851ebbe296ab0ca1b0daa67 |
| SHA1 | 08ce9adb6d13889e342a564ae633b521967aa0cb |
| SHA256 | 295a8d38959e891564030a972db112a9f433d098b0c2cf0e83e8e0f96942dfa4 |
| SHA512 | 9a0d878bea5f9441c6c72d3629b36110185a39c487d516b24aaada36ebe2554cc87c1f90f88b788b1495006390c1dd94247f4d01867a3c6ee1e6884c0b507b08 |
memory/3916-142-0x0000000180000000-0x0000000180030000-memory.dmp
memory/3472-145-0x0000000000000000-mapping.dmp
C:\Windows\System32\NHlDOVzXlJLCj\VHVrZ.dll
| MD5 | 8fcbefc5b851ebbe296ab0ca1b0daa67 |
| SHA1 | 08ce9adb6d13889e342a564ae633b521967aa0cb |
| SHA256 | 295a8d38959e891564030a972db112a9f433d098b0c2cf0e83e8e0f96942dfa4 |
| SHA512 | 9a0d878bea5f9441c6c72d3629b36110185a39c487d516b24aaada36ebe2554cc87c1f90f88b788b1495006390c1dd94247f4d01867a3c6ee1e6884c0b507b08 |
memory/4496-150-0x0000000000000000-mapping.dmp
memory/360-151-0x0000000000000000-mapping.dmp
memory/2196-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv4.ooocccxxx
| MD5 | a95ef8ddf776f91c231f2a270b67f117 |
| SHA1 | e0585229980fd7ce46cdc93e7dfd516789b0cdfb |
| SHA256 | 3cce3c3874ad1fa95a2cbbc13edad110b09f5f6733790c7d771668615ceb5acb |
| SHA512 | 53bea77d728421fe95594f9b58256fd44f535a94a4a3a3ff4a8d26fa45ba26f3ba6f0d642aac3388bdece2fc8b0a9280e36416fb33b8701f50acafb7331c3387 |
memory/884-158-0x0000000000000000-mapping.dmp
C:\Windows\System32\EZJwu\soQzHXK.dll
| MD5 | a95ef8ddf776f91c231f2a270b67f117 |
| SHA1 | e0585229980fd7ce46cdc93e7dfd516789b0cdfb |
| SHA256 | 3cce3c3874ad1fa95a2cbbc13edad110b09f5f6733790c7d771668615ceb5acb |
| SHA512 | 53bea77d728421fe95594f9b58256fd44f535a94a4a3a3ff4a8d26fa45ba26f3ba6f0d642aac3388bdece2fc8b0a9280e36416fb33b8701f50acafb7331c3387 |