Analysis
max time kernel: 145s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2022, 18:44
Behavioral task: behavioral1
Sample: 96837761.xls
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 96837761.xls
Resource: win10v2004-20220901-en
General
Target: 96837761.xls
Size: 91KB
MD5: cc505355a0a7f9f6732e8913f09cdda3
SHA1: ec68034f3f9e1b46dc8758ff33eb269ba6b7371e
SHA256: f13e833091f1cad44f055e15956642e0939329cb910bd1c3b7a15f0059052a8b
SHA512: 8ddd843d1b4b0d601a4c5a84954c183e8f450c1196a481bda949a01cdc24ec3b7f2e8fc8a442503d45eb1fdf7069dd23ffa6689739afef88bb2a3b43f6a05f29
SSDEEP: 1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg2bCXuZH4gb4CEn9J4Zmcvp:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgu
Malware Config
Extracted
http://bundlefilm.com/headers/lkfBH3Czw9CjEW07P2/
http://camsanparke.net/wp-content/h2Ja5bwB03hnyfCb/
http://royreid.co.uk/wp-content/dCwG/
https://cs.com.sg/admin/a1lR5wu/
Extracted
Family: emotet
Botnet: Epoch5
C2 (ip:port):
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
218.38.121.17:443
103.71.99.57:8080
103.224.241.74:8080
128.199.242.164:8080
85.214.67.203:8080
103.254.12.236:7080
46.101.98.60:8080
178.62.112.199:8080
210.57.209.142:8080
195.77.239.39:8080
103.126.216.86:443
82.98.180.154:7080
202.28.34.99:8080
174.138.33.49:7080
160.16.143.191:8080
51.75.33.122:443
103.41.204.169:8080
186.250.48.5:443
87.106.97.83:7080
118.98.72.86:443
196.44.98.190:8080
103.85.95.4:8080
62.171.178.147:8080
54.37.228.122:443
114.79.130.68:443
198.199.70.22:8080
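The two extracted lists above are the indicators most analysts will actually deploy: the four URLs are where the XLS fetches its first stage, and the ip:port pairs are the Epoch5 C2 set. The following is an added example, not part of the sandbox report, showing how to turn them into a matcher that distinguishes an exact (ip, port) hit from a weaker address-only hit and from a stage-one host seen via SNI. Only 9 of the 46 C2 entries are embedded; the connection records and their field layout (ts src sport dst dport proto sni) are constructed for the example.

```python
"""IOC matcher for the extracted Emotet config (added example)."""
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Subset of the report's Epoch5 list (9 of 46 entries), in the report's ip:port form.
C2_CONFIG = """
178.238.225.252:8080
36.67.23.59:443
202.134.4.210:7080
78.47.204.80:443
103.254.12.236:7080
46.101.98.60:8080
51.75.33.122:443
62.171.178.147:8080
198.199.70.22:8080
"""

# Stage-one download URLs from the report.
DOWNLOAD_URLS = [
    "http://bundlefilm.com/headers/lkfBH3Czw9CjEW07P2/",
    "http://camsanparke.net/wp-content/h2Ja5bwB03hnyfCb/",
    "http://royreid.co.uk/wp-content/dCwG/",
    "https://cs.com.sg/admin/a1lR5wu/",
]


def parse_c2(text):
    """Return a set of (ip, port) tuples. A malformed entry raises instead of
    silently shrinking the blocklist."""
    tuples = set()
    for line in text.split():
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"no port in C2 entry: {line!r}")
        ipaddress.ip_address(host)  # ValueError on anything that is not an IP
        tuples.add((host, int(port)))
    return tuples


def port_histogram(c2):
    """Ports used by the C2 set. 443/8080/7080 carry plenty of ordinary traffic,
    so the port alone must never be used as a detection key."""
    return Counter(port for _, port in c2)


def stage_hosts(urls):
    return {urlsplit(u).hostname.lower() for u in urls}


def classify(record, c2, hosts):
    """record: 'ts src sport dst dport proto sni' with sni '-' when absent."""
    ts, _src, _sport, dst, dport, _proto, sni = record.split()
    dport = int(dport)
    if (dst, dport) in c2:
        return (ts, dst, dport, "c2_exact")
    if sni != "-" and sni.lower() in hosts:
        return (ts, dst, dport, "stage_host")
    if any(ip == dst for ip, _ in c2):
        # Same address on another port: worth a look, but weaker, because the
        # address may also host unrelated services.
        return (ts, dst, dport, "c2_ip_only")
    return (ts, dst, dport, "none")


def scan(records, c2_text=C2_CONFIG, urls=DOWNLOAD_URLS):
    c2 = parse_c2(c2_text)
    hosts = stage_hosts(urls)
    return [classify(r, c2, hosts) for r in records]


# Constructed connection records (not sandbox output); RFC 5737 addresses
# stand in for unrelated destinations.
SAMPLE_RECORDS = [
    "2022-11-09T18:44:05Z 10.0.0.15 49810 203.0.113.7 80 tcp bundlefilm.com",
    "2022-11-09T18:44:10Z 10.0.0.15 49812 178.238.225.252 8080 tcp -",
    "2022-11-09T18:44:12Z 10.0.0.15 49813 36.67.23.59 80 tcp -",
    "2022-11-09T18:44:13Z 10.0.0.15 49814 198.51.100.9 443 tcp www.example.com",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(*hit)
    print(port_histogram(parse_c2(C2_CONFIG)))
```

Matching on the (ip, port) tuple keeps false positives down when a C2 address is a shared host; the address-only verdict is kept as a separate, lower-confidence class rather than dropped, since Emotet operators have been seen rotating ports on the same hosts and a tuple miss is not proof of innocence.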
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4440 | 2340 | regsvr32.exe | 80
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4032 | 2340 | regsvr32.exe | 80
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1056 | 2340 | regsvr32.exe | 80
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4300 | 2340 | regsvr32.exe | 80
Downloads MZ/PE file

Loads dropped DLL (8 IoCs)
pid | Process
4440 | regsvr32.exe
3052 | regsvr32.exe
4032 | regsvr32.exe
4892 | regsvr32.exe
1056 | regsvr32.exe
4600 | regsvr32.exe
4300 | regsvr32.exe
3184 | regsvr32.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OuCdaVxAn.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\BHAGAhZpwqrS\\OuCdaVxAn.dll\"" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wFrlztpVGvvjT.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\CFgbNs\\wFrlztpVGvvjT.dll\"" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HiOJOQ.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\PUEMsySucXl\\HiOJOQ.dll\"" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KxDvbhXGg.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\OyTttBKvTZUkwYCZg\\KxDvbhXGg.dll\"" | regsvr32.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that every row in this signature and the next is attributed to EXCEL.EXE itself, not to the regsvr32 chain, so treat these two as low-confidence: they may simply be Office's own start-up behaviour rather than anti-analysis logic in the payload.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2340 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid | Process
4440 | regsvr32.exe (x2)
3052 | regsvr32.exe (x2)
4032 | regsvr32.exe (x2)
3052 | regsvr32.exe (x2)
4892 | regsvr32.exe (x4)
1056 | regsvr32.exe (x2)
4600 | regsvr32.exe (x4)
4300 | regsvr32.exe (x2)
3184 | regsvr32.exe (x4)

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
2340 | EXCEL.EXE (x12)

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 2340 wrote to memory of 4440 | 2340 | EXCEL.EXE | 82 (x2)
PID 4440 wrote to memory of 3052 | 4440 | regsvr32.exe | 83 (x2)
PID 2340 wrote to memory of 4032 | 2340 | EXCEL.EXE | 84 (x2)
PID 4032 wrote to memory of 4892 | 4032 | regsvr32.exe | 85 (x2)
PID 2340 wrote to memory of 1056 | 2340 | EXCEL.EXE | 86 (x2)
PID 1056 wrote to memory of 4600 | 1056 | regsvr32.exe | 89 (x2)
PID 2340 wrote to memory of 4300 | 2340 | EXCEL.EXE | 91 (x2)
PID 4300 wrote to memory of 3184 | 4300 | regsvr32.exe | 92 (x2)
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2340, level 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\96837761.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\regsvr32.exe (PID 4440, level 2, parent 2340)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 3052, level 3, parent 4440)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CFgbNs\wFrlztpVGvvjT.dll"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\regsvr32.exe (PID 4032, level 2, parent 2340)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 4892, level 3, parent 4032)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PUEMsySucXl\HiOJOQ.dll"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\regsvr32.exe (PID 1056, level 2, parent 2340)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 4600, level 3, parent 1056)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OyTttBKvTZUkwYCZg\KxDvbhXGg.dll"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\regsvr32.exe (PID 4300, level 2, parent 2340)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 3184, level 3, parent 4300)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BHAGAhZpwqrS\OuCdaVxAn.dll"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses

Reading the tree: each level-2 regsvr32 is started by Excel with /S (silent) on a file named ..\elvN.ooocccxxx, i.e. a relative path and an extension that is not .dll. regsvr32 does not care about the extension; it only needs a loadable PE that exports DllRegisterServer, so the odd name is no obstacle to execution but is a strong detection feature. Each level-3 regsvr32 then registers a DLL under a randomly named System32 subdirectory, and that same path is what the corresponding Run value recorded in the signatures points at, which is the persistence mechanism for the run.
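The tree above gives a detection engineer three concrete things to alert on: an Office parent (or a regsvr32 parent) spawning regsvr32, a regsvr32 module argument that is relative or does not end in .dll/.ocx/.ax, and a Run value whose command is regsvr32. The following is an added example, not sandbox output, that implements those checks over event records rebuilt from the report's process tree and Run values. The flat pid/ppid/image/cmdline and key/value layout is a Sysmon-like simplification assumed for the example, and the msiexec/vendor entries are a constructed benign control so the rules can be seen not firing.

```python
"""Detection checks for the Excel -> regsvr32 -> regsvr32 chain (added example)."""
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
REGSVR_EXT = (".dll", ".ocx", ".ax")
EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
RUN = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Rebuilt from the report's process tree, plus a constructed benign control (5100/5101).
PROCESS_EVENTS = [
    {"pid": 2340, "ppid": None, "image": EXCEL,
     "cmdline": '"' + EXCEL + '" ' + r'"C:\Users\Admin\AppData\Local\Temp\96837761.xls"'},
    {"pid": 4440, "ppid": 2340, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx"},
    {"pid": 3052, "ppid": 4440, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CFgbNs\wFrlztpVGvvjT.dll"'},
    {"pid": 4032, "ppid": 2340, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx"},
    {"pid": 4892, "ppid": 4032, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PUEMsySucXl\HiOJOQ.dll"'},
    {"pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"C:\Windows\System32\msiexec.exe /i setup.msi"},
    {"pid": 5101, "ppid": 5100, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
]

# From the "Adds Run key" signature, plus a constructed benign Run value.
REGISTRY_EVENTS = [
    {"pid": 3052, "key": RUN + r"\wFrlztpVGvvjT.dll",
     "value": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CFgbNs\wFrlztpVGvvjT.dll"'},
    {"pid": 4892, "key": RUN + r"\HiOJOQ.dll",
     "value": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PUEMsySucXl\HiOJOQ.dll"'},
    {"pid": 5101, "key": RUN + r"\VendorAgent",
     "value": r'"C:\Program Files\Vendor\agent.exe" /tray'},
]


def tokenize(cmdline):
    """Split a Windows command line on spaces while honouring double quotes
    (shlex is POSIX and would eat the backslashes)."""
    return [q if q else bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def regsvr32_module(tokens):
    """First argument that is not a switch: the module regsvr32 will LoadLibrary."""
    for tok in tokens[1:]:
        if not tok.startswith(("/", "-")):
            return tok
    return None


def spawn_findings(events):
    """Office -> LOLBin and LOLBin -> LOLBin parent/child pairs, in event order."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        p, c = basename(parent["image"]), basename(e["image"])
        if c in LOLBINS and (p in OFFICE or p in LOLBINS):
            hits.append((e["pid"], p + " -> " + c))
    return hits


def regsvr32_findings(events):
    """regsvr32 runs whose module is not an absolute path ending in .dll/.ocx/.ax."""
    hits = []
    for e in events:
        if basename(e["image"]) != "regsvr32.exe":
            continue
        mod = regsvr32_module(tokenize(e["cmdline"]))
        if mod is None:
            continue
        reasons = []
        if not mod.lower().endswith(REGSVR_EXT):
            reasons.append("non-DLL extension")
        if not re.match(r"^([A-Za-z]:\\|\\\\)", mod):  # drive letter or UNC prefix
            reasons.append("relative path")
        if reasons:
            hits.append((e["pid"], mod, reasons))
    return hits


def run_key_findings(reg_events):
    """Run values whose command is a LOLBin (the regsvr32 persistence seen here)."""
    hits = []
    for r in reg_events:
        if "\\currentversion\\run\\" not in r["key"].lower():
            continue
        toks = tokenize(r["value"])
        if toks and basename(toks[0]) in LOLBINS:
            hits.append((r["pid"], r["key"].rsplit("\\", 1)[-1], toks[1:]))
    return hits


def analyze(process_events=PROCESS_EVENTS, registry_events=REGISTRY_EVENTS):
    return {"spawn": spawn_findings(process_events),
            "regsvr32": regsvr32_findings(process_events),
            "run_key": run_key_findings(registry_events)}


if __name__ == "__main__":
    for kind, hits in analyze().items():
        for hit in hits:
            print(kind, *hit)
```

The level-3 regsvr32 invocations deliberately pass the module check (absolute path, .dll extension); they are caught by the parent/child rule and by the Run-value rule instead, which is why all three checks are kept rather than relying on the command line alone.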
Network
MITRE ATT&CK Enterprise v6
Downloads (4 distinct files)

Filesize: 434KB
MD5: 12354d1919a3beaa3e306bdf184f913b
SHA1: f0205a4f9876c01624315d3a827d34ce23687c38
SHA256: b3671aa915b4ed51c943f727080f00a113c39e6f42285e53b043b3589ca82bfe
SHA512: e32bb0c3c28c696412fe649b34449f518efce19373a87d9c43b65f6a6797d6fd1ba20730df3a23fb66941fb6914a84c9f2b472f43b07de5be57f350202ea14dc

Filesize: 434KB
MD5: 96d0f19dadf7e525c82cd8e7c684dfc9
SHA1: 312db9c846726aa6f3818162de95f9d2601efc9f
SHA256: cdeabbda90740402a21ac803a172a077784d08d92c4d17dfdff5330eb880e0f5
SHA512: 3d7322793456bb7622ae6fb7c1da8600b5a720215e24a4441b13f6c93d2084ef60c7d42dcd88a66afb45ade764722b4c910884e6f0f385b4b1296c0740b0a4a4

Filesize: 434KB
MD5: 370be5c5bc215c6a42a67517e62fef4f
SHA1: cdd3e9153044b5617997fed67e1120d74cbe9303
SHA256: d4b92df6e11665d9597954c6bc35db45a66a7467817b5090ae6110610e6f7f62
SHA512: 12782602c680d99e0e6fd5555dfa023f3e7b61609a19bdc7abb788949c3705b4d076eddf10cb0788dee518c9a310f9aad3724bd6334983c32ed61247b0624878

Filesize: 434KB
MD5: 67f769bd07718877fefc9f4822eec1ff
SHA1: ecd6de04af9f1269e1877b905099cb28fb73ef2d
SHA256: cd99cfbc6b157b304343de2ad008fd9670a7fa48fecd6ae08ace5011faf600d2
SHA512: 3c42f01317992eb4fefcec0e8a51f894e9df649f9700063db811ac8927d4bcbc68bab1b0f362fa6862bddec3b44466af855a8c859e0fc54ecf02183cd8174e7e

Four distinct 434KB payloads, four download URLs in the extracted config and four separate regsvr32 chains in the process tree are consistent with one downloaded module per chain.