Analysis Overview
SHA256
fe996f7a16c72bb3a849d07f6bd36bdecf5f09a46c3be6c04f858c02c062aa92
Threat Level: Known bad
The file fe996f7a16c72bb3a849d07f6bd36bdecf5f09a46c3be6c04f858c02c062aa92.xls was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Emotet
Suspicious Office macro
Downloads MZ/PE file
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-09 19:04
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-09 19:04
Reported
2022-11-09 19:06
Platform
win10-20220901-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\fe996f7a16c72bb3a849d07f6bd36bdecf5f09a46c3be6c04f858c02c062aa92.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bundlefilm.com | udp |
| N/A | 100.122.142.46:80 | bundlefilm.com | tcp |
| US | 8.8.8.8:53 | camsanparke.net | udp |
| N/A | 100.84.22.66:80 | camsanparke.net | tcp |
| US | 8.8.8.8:53 | royreid.co.uk | udp |
| N/A | 100.69.0.127:80 | royreid.co.uk | tcp |
| US | 8.8.8.8:53 | cs.com.sg | udp |
| N/A | 100.117.217.42:443 | cs.com.sg | tcp |
| US | 20.189.173.2:443 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
Files
memory/2864-120-0x00007FFC4E220000-0x00007FFC4E230000-memory.dmp
memory/2864-121-0x00007FFC4E220000-0x00007FFC4E230000-memory.dmp
memory/2864-122-0x00007FFC4E220000-0x00007FFC4E230000-memory.dmp
memory/2864-123-0x00007FFC4E220000-0x00007FFC4E230000-memory.dmp
memory/2864-132-0x00007FFC4B4B0000-0x00007FFC4B4C0000-memory.dmp
memory/2864-133-0x00007FFC4B4B0000-0x00007FFC4B4C0000-memory.dmp
memory/4956-262-0x0000000000000000-mapping.dmp
memory/3392-263-0x0000000000000000-mapping.dmp
memory/4892-264-0x0000000000000000-mapping.dmp
memory/3648-267-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-09 19:04
Reported
2022-11-09 19:06
Platform
win10-20220812-en
Max time kernel
143s
Max time network
150s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gFXdwqPKIWTf.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\LqgAXRFRvnIQmYLI\\gFXdwqPKIWTf.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mlRPmESO.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\FyLtxzh\\mlRPmESO.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HGEAcfEuhxagxiAN.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\YlExtWS\\HGEAcfEuhxagxiAN.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sEAFtcEFimF.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\VDTsOw\\sEAFtcEFimF.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\fe996f7a16c72bb3a849d07f6bd36bdecf5f09a46c3be6c04f858c02c062aa92.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FyLtxzh\mlRPmESO.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YlExtWS\HGEAcfEuhxagxiAN.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VDTsOw\sEAFtcEFimF.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LqgAXRFRvnIQmYLI\gFXdwqPKIWTf.dll"
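The process trees in both detonations and the Run-key table above describe one chain: EXCEL.EXE launching regsvr32.exe with /S on a relative path whose extension is not .dll (the dropped files appear under C:\Users\Admin\ in the Files section), then regsvr32.exe loading a DLL from a freshly created subdirectory of System32 and registering that same command under HKLM\...\CurrentVersion\Run with the DLL's own name as the value name. The Python below is an added example and is not part of the sandbox report or of any vendor's code: it encodes those observations as two checks over constructed records shaped like Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set) fields. The field names, the Office/LOLBin sets, the System32 subdirectory allowlist and the parent assumed for the second-stage regsvr32.exe (the report does not show it) are all assumptions chosen for illustration.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Office hosts that should not spawn script/registration utilities, and the LOLBins maldocs
# chain to. Both sets are illustrative, not exhaustive.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBIN_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Extensions regsvr32 is normally handed; anything else is a renamed module.
REGISTRABLE_EXT = {".dll", ".ocx", ".ax"}
# System32 subdirectories from which COM registration is plausible (assumed allowlist; tune locally).
KNOWN_SYSTEM32_SUBDIRS = {"drivers", "wbem", "spool", "driverstore", "wdi"}

# Constructed records shaped like Sysmon Event ID 1 (process create) and 13 (registry value set).
# The first two process records mirror the report's tree; the sandbox does not show which process
# spawned the second-stage regsvr32.exe, so the first-stage regsvr32.exe is assumed as its parent.
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx"},
    {"ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "Image": r"C:\Windows\system32\regsvr32.exe",
     "CommandLine": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FyLtxzh\mlRPmESO.dll"'},
    # Benign control: an installer registering a product DLL from Program Files.
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\product.dll"'},
]
REGISTRY_EVENTS = [
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mlRPmESO.dll",
     "Details": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FyLtxzh\mlRPmESO.dll"'},
    # Benign control: a stock Windows autostart entry.
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
]

def _basename(path: str) -> str:
    return PureWindowsPath(path.strip('"')).name.lower()

def _split_args(cmdline: str) -> list[str]:
    """Tokenise a Windows command line, keeping quoted paths whole and unquoting them."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]

def _module_argument(argv: list[str]) -> str | None:
    """First non-switch argument after the executable: the module regsvr32 will load."""
    for tok in argv[1:]:
        if not tok.startswith(("/", "-")):
            return tok
    return None

def module_path_reasons(target: str) -> list[str]:
    """Why a module handed to regsvr32 looks like a dropped payload rather than a product DLL."""
    p = PureWindowsPath(target)
    reasons = []
    ext = p.suffix.lower()
    if ext not in REGISTRABLE_EXT:
        reasons.append(f"module extension {ext or '(none)'} is not a registrable type")
    if not p.is_absolute():
        reasons.append("module given as a relative path")
    parts = [s.lower() for s in p.parts]
    # Exactly C:\Windows\System32\<dir>\<file> with <dir> outside the allowlist.
    if (len(parts) == 5 and parts[1] == "windows" and parts[2] in ("system32", "syswow64")
            and parts[3] not in KNOWN_SYSTEM32_SUBDIRS):
        reasons.append(f"module in unexpected {p.parts[2]} subdirectory {p.parts[3]!r}")
    return reasons

def assess_process(ev: dict) -> list[str]:
    """Reasons a process-creation record is suspicious; an empty list means nothing fired."""
    parent, child = _basename(ev["ParentImage"]), _basename(ev["Image"])
    reasons = []
    if parent in OFFICE_PARENTS and child in LOLBIN_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
    if child == "regsvr32.exe":
        target = _module_argument(_split_args(ev["CommandLine"]))
        if target is not None:
            reasons += module_path_reasons(target)
    return reasons

def assess_run_value(ev: dict) -> list[str]:
    """Reasons a Run-key value looks like LOLBin persistence; an empty list means nothing fired."""
    if "\\currentversion\\run\\" not in ev["TargetObject"].lower():
        return []
    argv = _split_args(ev["Details"])
    if not argv or _basename(argv[0]) != "regsvr32.exe":
        return []
    reasons = ["Run value launches regsvr32.exe"]
    if PureWindowsPath(ev["TargetObject"]).name.lower().endswith(".dll"):
        reasons.append("Run value is named after the DLL it loads")
    target = _module_argument(argv)
    if target is not None:
        reasons += module_path_reasons(target)
    return reasons

if __name__ == "__main__":
    print([assess_process(e) for e in PROCESS_EVENTS])
    print([assess_run_value(e) for e in REGISTRY_EVENTS])
```

The lineage rule alone catches the first stage; the module-path rules are what separate the second stage (a .dll with a clean name in a System32 subdirectory, launched by regsvr32.exe rather than by Excel) from an installer doing the same thing from Program Files, so both should be kept even though only the Office-to-LOLBin pair is usually written into a Sigma rule.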
Network
| Country | Destination | Domain | Proto |
| GB | 51.105.71.137:443 | | tcp |
| US | 8.8.8.8:53 | bundlefilm.com | udp |
| US | 74.207.252.187:80 | bundlefilm.com | tcp |
| US | 8.8.8.8:53 | camsanparke.net | udp |
| TR | 213.142.148.59:80 | camsanparke.net | tcp |
| US | 8.8.8.8:53 | royreid.co.uk | udp |
| GB | 77.68.64.0:80 | royreid.co.uk | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | cs.com.sg | udp |
| SG | 103.237.169.99:443 | cs.com.sg | tcp |
| KR | 218.38.121.17:443 | 218.38.121.17 | tcp |
| KR | 218.38.121.17:443 | 218.38.121.17 | tcp |
| KR | 218.38.121.17:443 | 218.38.121.17 | tcp |
| KR | 218.38.121.17:443 | 218.38.121.17 | tcp |
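The two Network tables trace the same chain twice: a DNS lookup for each of four web hosts followed by a TCP connection to each, and in behavioral2 four connections to 218.38.121.17 on 443 with the host recorded as the IP literal itself. In behavioral1 every answer falls inside 100.64.0.0/10 (RFC 6598 shared address space, never routable on the Internet), which is the sandbox's own network answering rather than the real hosts; those addresses, like the blank-domain rows the sandbox could not attribute to any lookup (commonly OS and Office background traffic), must not be shipped as indicators. The Python below is an added example and is not part of the report or of any sandbox's code: it runs over constructed rows copied into the table's (country, destination, domain, proto) shape and sorts the trace into what the sample asked for by name, what it reached directly by IP, what the sandbox answered internally, and what nothing attributes. The row shape, the non-routable ranges and the choice to hold back unattributed endpoints pending review are assumptions.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed rows in the shape of the report's Network tables: (country, "ip:port", domain, proto).
# Rows 1-5 mirror behavioral1 (answers in 100.64.0.0/10), the rest mirror behavioral2.
ROWS = [
    ("US", "8.8.8.8:53", "bundlefilm.com", "udp"),
    ("N/A", "100.122.142.46:80", "bundlefilm.com", "tcp"),
    ("US", "8.8.8.8:53", "camsanparke.net", "udp"),
    ("N/A", "100.84.22.66:80", "camsanparke.net", "tcp"),
    ("US", "20.189.173.2:443", "", "tcp"),
    ("US", "8.8.8.8:53", "royreid.co.uk", "udp"),
    ("GB", "77.68.64.0:80", "royreid.co.uk", "tcp"),
    ("US", "8.8.8.8:53", "cs.com.sg", "udp"),
    ("SG", "103.237.169.99:443", "cs.com.sg", "tcp"),
    ("US", "93.184.221.240:80", "", "tcp"),
    ("KR", "218.38.121.17:443", "218.38.121.17", "tcp"),
    ("KR", "218.38.121.17:443", "218.38.121.17", "tcp"),
    ("KR", "218.38.121.17:443", "218.38.121.17", "tcp"),
    ("KR", "218.38.121.17:443", "218.38.121.17", "tcp"),
]

# Never globally routable: RFC 1918, RFC 6598 shared address space (100.64.0.0/10), loopback.
# A DNS answer in here came from the sandbox's simulated network, not from the real host.
NON_ROUTABLE = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "127.0.0.0/8")]

def split_endpoint(endpoint: str) -> tuple[str, int]:
    host, _, port = endpoint.rpartition(":")
    return host, int(port)

def is_ip_literal(name: str) -> bool:
    try:
        ip_address(name)
        return True
    except ValueError:
        return False

def is_routable(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)

def triage_network(rows) -> dict:
    """Split a sandbox network trace into: domains the sample asked for, the routable IPs it
    reached under those names, endpoints contacted with an IP-literal host, endpoints with no
    host recorded, and addresses the sandbox answered from non-routable space."""
    queried: list[str] = []                              # domains looked up, first-seen order
    resolved: dict[str, set[str]] = defaultdict(set)     # domain -> routable IPs connected to
    direct_to_ip: Counter = Counter()                    # (ip, port) -> attempts, IP-literal host
    unattributed: Counter = Counter()                    # (ip, port) -> attempts, no host at all
    sandbox_internal: set[str] = set()
    for _country, endpoint, domain, proto in rows:
        ip, port = split_endpoint(endpoint)
        if proto == "udp" and port == 53:
            if domain not in queried:
                queried.append(domain)
            continue
        if not is_routable(ip):
            sandbox_internal.add(ip)
        elif not domain:
            unattributed[(ip, port)] += 1
        elif is_ip_literal(domain):
            direct_to_ip[(ip, port)] += 1
        else:
            resolved[domain].add(ip)
    return {
        "queried": queried,
        "resolved": {d: sorted(ips) for d, ips in resolved.items()},
        "direct_to_ip": dict(direct_to_ip),
        "unattributed": dict(unattributed),
        "sandbox_internal": sandbox_internal,
    }

def publishable_indicators(summary: dict) -> list[str]:
    """Domains and IPs safe to share: named hosts, their real answers, and IP-literal endpoints.
    Unattributed endpoints and sandbox-internal answers are deliberately left out."""
    iocs = set(summary["queried"])
    for ips in summary["resolved"].values():
        iocs.update(ips)
    iocs.update(ip for ip, _port in summary["direct_to_ip"])
    return sorted(iocs)

if __name__ == "__main__":
    s = triage_network(ROWS)
    for key, value in s.items():
        print(f"{key}: {value}")
    print("IOCs:", publishable_indicators(s))
```

The four identical rows for 218.38.121.17:443 come through as a single endpoint with an attempt count of 4; the table does not say whether those are retries of one failed handshake or separate beacons, so the count is reported rather than interpreted.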
Files
memory/1756-116-0x00007FFA5CE30000-0x00007FFA5CE40000-memory.dmp
memory/1756-117-0x00007FFA5CE30000-0x00007FFA5CE40000-memory.dmp
memory/1756-118-0x00007FFA5CE30000-0x00007FFA5CE40000-memory.dmp
memory/1756-119-0x00007FFA5CE30000-0x00007FFA5CE40000-memory.dmp
memory/1756-128-0x00007FFA5A110000-0x00007FFA5A120000-memory.dmp
memory/1756-129-0x00007FFA5A110000-0x00007FFA5A120000-memory.dmp
memory/4624-253-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv1.ooocccxxx
| MD5 | 5f04d2e6eeb8df0d76016bd209d59be2 |
| SHA1 | 2b4ef824d17286c46accb996af968a5c7e1e5823 |
| SHA256 | 2bdbae1e248ed343948edd156ccdbecd642e968311b44d47eac9a772713f9c94 |
| SHA512 | 51f069cfdb469c184262a19da5165b2fd776d708243ba4cfb53dfe373e1098fd508c6dca622fee6a825e520bbbf245012198c5cbefa24849a94bec08c00e6a70 |
\Users\Admin\elv1.ooocccxxx
| MD5 | 5f04d2e6eeb8df0d76016bd209d59be2 |
| SHA1 | 2b4ef824d17286c46accb996af968a5c7e1e5823 |
| SHA256 | 2bdbae1e248ed343948edd156ccdbecd642e968311b44d47eac9a772713f9c94 |
| SHA512 | 51f069cfdb469c184262a19da5165b2fd776d708243ba4cfb53dfe373e1098fd508c6dca622fee6a825e520bbbf245012198c5cbefa24849a94bec08c00e6a70 |
memory/4624-256-0x0000000180000000-0x0000000180030000-memory.dmp
memory/840-261-0x0000000000000000-mapping.dmp
memory/500-267-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv2.ooocccxxx
| MD5 | 9c8f00e14b4b52b38bb5fbe52794c4dd |
| SHA1 | a2c4c431b6a90bf6c2563d3f50268f3df2081919 |
| SHA256 | 54dd1c745a964f11e4203a2ef907c7b25d48668eb72fc0a1a675f646eeeba308 |
| SHA512 | 5614eda5787be6c4dfde40ead0b2fa9944ed25c7a1cff82a2b1d7ce176fb69d8adcf9043a8a70047efa6a4ad18bb2f1f6ff73bafd1ec40421bdbdd70ae2d56da |
\Users\Admin\elv2.ooocccxxx
| MD5 | 9c8f00e14b4b52b38bb5fbe52794c4dd |
| SHA1 | a2c4c431b6a90bf6c2563d3f50268f3df2081919 |
| SHA256 | 54dd1c745a964f11e4203a2ef907c7b25d48668eb72fc0a1a675f646eeeba308 |
| SHA512 | 5614eda5787be6c4dfde40ead0b2fa9944ed25c7a1cff82a2b1d7ce176fb69d8adcf9043a8a70047efa6a4ad18bb2f1f6ff73bafd1ec40421bdbdd70ae2d56da |
memory/1596-275-0x0000000000000000-mapping.dmp
memory/1468-281-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv3.ooocccxxx
| MD5 | 243d7271cdb5d8f5d7d76fa6c733e51e |
| SHA1 | 6a422907d1ff8a0ebc78c04a30175f0d8b3c761c |
| SHA256 | 399d4ef7fdd503db0c5e558c02beb73ca230e141b169b5784f2ee74ae784c883 |
| SHA512 | e34211a45fcd7351d8b3f5c440ad1e8cb0e8ce292aade586fe9e4d84f01fe309e47ee832195f2820151b5a00123d349784ecd7d14d7950a37bc78c88f98b9b32 |
\Users\Admin\elv3.ooocccxxx
| MD5 | 243d7271cdb5d8f5d7d76fa6c733e51e |
| SHA1 | 6a422907d1ff8a0ebc78c04a30175f0d8b3c761c |
| SHA256 | 399d4ef7fdd503db0c5e558c02beb73ca230e141b169b5784f2ee74ae784c883 |
| SHA512 | e34211a45fcd7351d8b3f5c440ad1e8cb0e8ce292aade586fe9e4d84f01fe309e47ee832195f2820151b5a00123d349784ecd7d14d7950a37bc78c88f98b9b32 |
memory/3368-291-0x0000000000000000-mapping.dmp
memory/3316-297-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv4.ooocccxxx
| MD5 | 691ecff2e5acc42434712b64a8f01a90 |
| SHA1 | f7a06fb5a495bbbdd70ddf9757fac7e76e395df7 |
| SHA256 | ddd01651b9db906d977b53e95c2ee4637489c53189563d0b300c1aa2a95f5449 |
| SHA512 | 0ae0f18142d5bc035777e5668325fa78a5f2d7edcba275bc9919d65faf868e9fbb495381fb4e09f06f4ba7a6e42655160e8e184c5b504457c5fbfce5277676f4 |
\Users\Admin\elv4.ooocccxxx
| MD5 | 691ecff2e5acc42434712b64a8f01a90 |
| SHA1 | f7a06fb5a495bbbdd70ddf9757fac7e76e395df7 |
| SHA256 | ddd01651b9db906d977b53e95c2ee4637489c53189563d0b300c1aa2a95f5449 |
| SHA512 | 0ae0f18142d5bc035777e5668325fa78a5f2d7edcba275bc9919d65faf868e9fbb495381fb4e09f06f4ba7a6e42655160e8e184c5b504457c5fbfce5277676f4 |
memory/2356-308-0x0000000000000000-mapping.dmp
memory/1756-334-0x00007FFA5CE30000-0x00007FFA5CE40000-memory.dmp
memory/1756-335-0x00007FFA5CE30000-0x00007FFA5CE40000-memory.dmp
memory/1756-336-0x00007FFA5CE30000-0x00007FFA5CE40000-memory.dmp
memory/1756-337-0x00007FFA5CE30000-0x00007FFA5CE40000-memory.dmp