Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 09/11/2022, 19:10

Behavioral task: behavioral1
Sample: a17257a4a1a71d882ccfd9037e726639b49a70bde211c5dc647492f26d27c430.xls
Resource: win10-20220812-en

Behavioral task: behavioral2
Sample: a17257a4a1a71d882ccfd9037e726639b49a70bde211c5dc647492f26d27c430.xls
Resource: win10-20220812-en
General
Target: a17257a4a1a71d882ccfd9037e726639b49a70bde211c5dc647492f26d27c430.xls
Size: 91KB
MD5: 50edf8e28a4c5f13e49b31a07ce50ab5
SHA1: 73dcd5bb08692eedccc64c5e42d450acb4961ea9
SHA256: a17257a4a1a71d882ccfd9037e726639b49a70bde211c5dc647492f26d27c430
SHA512: 3c2ec56da9616f23a69ededeeb21cfc86d7e5750701a14e498e2a5e21bf99316175f90330cc0c8cad6224a9ea28a61624112b7132277c1b7a72d0e98d7024772
SSDEEP: 1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgEbCXuZH4gb4CEn9J4ZMEM:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgF
Malware Config
Extracted
http://www.muyehuayi.com/cmp/8asA99KPsyA/v6lUsWbLen/
http://concivilpa.com.py/wp-admin/i3CQu9dzDrMW/
https://wijsneusmedia.nl/cgi-bin/kFB/
http://www.angloextrema.com.br/assets/oEt1yYckHKlnNIq/
Extracted
emotet
Epoch5
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
218.38.121.17:443
103.71.99.57:8080
103.224.241.74:8080
128.199.242.164:8080
85.214.67.203:8080
103.254.12.236:7080
46.101.98.60:8080
178.62.112.199:8080
210.57.209.142:8080
195.77.239.39:8080
103.126.216.86:443
82.98.180.154:7080
202.28.34.99:8080
174.138.33.49:7080
160.16.143.191:8080
51.75.33.122:443
103.41.204.169:8080
186.250.48.5:443
87.106.97.83:7080
118.98.72.86:443
196.44.98.190:8080
103.85.95.4:8080
62.171.178.147:8080
54.37.228.122:443
114.79.130.68:443
198.199.70.22:8080
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4648 | 1892 | regsvr32.exe | 66
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4704 | 1892 | regsvr32.exe | 66
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4852 | 1892 | regsvr32.exe | 66
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2084 | 1892 | regsvr32.exe | 66

Downloads MZ/PE file

Loads dropped DLL (3 IoCs)
pid | Process
4648 | regsvr32.exe
4852 | regsvr32.exe
2084 | regsvr32.exe

Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EqRgm.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\FXPqAHiSmmjers\\EqRgm.dll\"" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wEsiGKGc.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\HyXsVjW\\wEsiGKGc.dll\"" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qElJNI.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\FbaRvo\\qElJNI.dll\"" | regsvr32.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
1892 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process
4648 | regsvr32.exe (x2)
4924 | regsvr32.exe (x4)
4852 | regsvr32.exe (x2)
68 | regsvr32.exe (x4)
2084 | regsvr32.exe (x2)
3284 | regsvr32.exe (x4)

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1892 | EXCEL.EXE (x2)

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
1892 | EXCEL.EXE (x12)

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 1892 wrote to memory of 4648 | 1892 | EXCEL.EXE | 73 (x2)
PID 4648 wrote to memory of 4924 | 4648 | regsvr32.exe | 74 (x2)
PID 1892 wrote to memory of 4704 | 1892 | EXCEL.EXE | 75 (x2)
PID 1892 wrote to memory of 4852 | 1892 | EXCEL.EXE | 76 (x2)
PID 4852 wrote to memory of 68 | 4852 | regsvr32.exe | 79 (x2)
PID 1892 wrote to memory of 2084 | 1892 | EXCEL.EXE | 80 (x2)
PID 2084 wrote to memory of 3284 | 2084 | regsvr32.exe | 81 (x2)
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a17257a4a1a71d882ccfd9037e726639b49a70bde211c5dc647492f26d27c430.xls"
  PID: 1892
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
    PID: 4648
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FXPqAHiSmmjers\EqRgm.dll"
      PID: 4924
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
    PID: 4704
    - Process spawned unexpected child process

  C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
    PID: 4852
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HyXsVjW\wEsiGKGc.dll"
      PID: 68
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\regsvr32.exe
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
    PID: 2084
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FbaRvo\qElJNI.dll"
      PID: 3284
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
Downloads

Filesize: 434KB
MD5: 05bacb67e130c31419036b3281f4b10b
SHA1: 3cabe19968c9836e3438b2763fd46c38c07d6391
SHA256: 979cff8440bb0f0b555fadde036f10b1c859962e3d35b61d3b1b01e6fa2a6529
SHA512: b555b2efb460c2e2a0643baa27cabf33dbed61fd4a24b8b6ef5b4fbdcef9ef413ce94e5226f65150e5acbd960c3e17383195a38c487f6fefd1215637ada86240

Filesize: 434KB
MD5: 3db1cb5400f35563d8ce55057152e7f7
SHA1: 846073b00dce497d7e1f37b2082f0b2c552b267b
SHA256: 28450a3f58d6fa6f0df122750348d8788c0e9b97b5600ed29ebdc65838ce5c8c
SHA512: 4db4b7112521ee9d55e5b552adaa999f53a02af8a6f29eb2fff9c2a27074e06140ec350d58df4e3a274603fbafae0ec5aa7969965d8ce509bfdd1c5333c2dcbb

Filesize: 434KB
MD5: 414ff0a2e4731e3dd9427df098233819
SHA1: 850f35574fdafe22df9a02fe04ad69ee2a286e1e
SHA256: 163187b153de523c3f3786a350d4f53e34c36808a81bcad3d84cefd944226130
SHA512: 4b351891a7f507904318abf171a3b788cd542881af94738b7983956a43212290e36ec7087072e78d96cb95b86a1d727f7c939557dacc74fe926b21909f5e9b10