Analysis Overview
SHA256
fb816a1b9ff22c57c03219df6113bbb91ef15734513a0b9722165280a990a3e7
Threat Level: Known bad
The file fb816a1b9ff22c57c03219df6113bbb91ef15734513a0b9722165280a990a3e7.xls was found to be: Known bad.
Malicious Activity Summary
Emotet
Process spawned unexpected child process
Downloads MZ/PE file
Suspicious Office macro
Loads dropped DLL
Adds Run key to start application
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-09 19:15
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-09 19:15
Reported
2022-11-09 19:18
Platform
win10-20220901-en
Max time kernel
148s
Max time network
147s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\fb816a1b9ff22c57c03219df6113bbb91ef15734513a0b9722165280a990a3e7.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.muyehuayi.com | udp |
| N/A | 100.108.62.141:80 | www.muyehuayi.com | tcp |
| US | 8.8.8.8:53 | concivilpa.com.py | udp |
| N/A | 100.91.60.207:80 | concivilpa.com.py | tcp |
| US | 8.8.8.8:53 | wijsneusmedia.nl | udp |
| N/A | 100.79.183.128:443 | wijsneusmedia.nl | tcp |
| US | 8.8.8.8:53 | www.angloextrema.com.br | udp |
| N/A | 100.78.16.15:80 | www.angloextrema.com.br | tcp |
| US | 20.42.73.27:443 | N/A | tcp |
| NL | 84.53.175.11:80 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-09 19:15
Reported
2022-11-09 19:19
Platform
win10-20220812-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SWLIoJVO.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\DFapEvaJNMW\\SWLIoJVO.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bpSvwasgAiiL.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\FJhxk\\bpSvwasgAiiL.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wwTNONveQl.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\VGXyktTUIjrlTpSni\\wwTNONveQl.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\fb816a1b9ff22c57c03219df6113bbb91ef15734513a0b9722165280a990a3e7.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FJhxk\bpSvwasgAiiL.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VGXyktTUIjrlTpSni\wwTNONveQl.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DFapEvaJNMW\SWLIoJVO.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.muyehuayi.com | udp |
| HK | 103.229.183.58:80 | www.muyehuayi.com | tcp |
| US | 8.8.8.8:53 | concivilpa.com.py | udp |
| CA | 51.161.12.60:80 | concivilpa.com.py | tcp |
| US | 8.8.8.8:53 | wijsneusmedia.nl | udp |
| NL | 185.182.56.21:443 | wijsneusmedia.nl | tcp |
| US | 8.8.8.8:53 | www.angloextrema.com.br | udp |
| US | 108.179.252.23:80 | www.angloextrema.com.br | tcp |
| US | 20.189.173.1:443 | N/A | tcp |
| KR | 218.38.121.17:443 | 218.38.121.17 | tcp |
| KR | 218.38.121.17:443 | 218.38.121.17 | tcp |
| KR | 218.38.121.17:443 | 218.38.121.17 | tcp |
Files
C:\Users\Admin\elv1.ooocccxxx
| MD5 | d12e251df2a5886a8dc018c98db175b2 |
| SHA1 | 018054205fb71632c6b3d20f414c95cf90e73894 |
| SHA256 | e06298f62b3bede61c45ef2f9c1901fe74f56ce142fda08c03facf2229448ef0 |
| SHA512 | 261d837ec8bce76d9b40158144ff5c9d77987db64af2ad2b431a97142aef8d3f4932edaaee5733af8c5631bed8125c440796d1563f010036526678064bc47881 |
C:\Users\Admin\elv3.ooocccxxx
| MD5 | 1a48307a6fe1eedfc00909c4dba628e2 |
| SHA1 | 177721c2854b0eda92e11eddb5c19ac8d2f4bf4a |
| SHA256 | 62e9764e9f3687f0afcd295c171241f1c0f133592a5e5184d95e9365029a36c8 |
| SHA512 | 24f8c6429290b8503b5402579a563be968f009b2e2ff0a4a5a8dda37567e68075d5aaeda3c3da3b382dd02f14d6cd93f8305a148bb8b7849e7f3fa79238b63ea |
memory/784-310-0x0000000000000000-mapping.dmp
memory/4700-311-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv4.ooocccxxx
| MD5 | 414ff0a2e4731e3dd9427df098233819 |
| SHA1 | 850f35574fdafe22df9a02fe04ad69ee2a286e1e |
| SHA256 | 163187b153de523c3f3786a350d4f53e34c36808a81bcad3d84cefd944226130 |
| SHA512 | 4b351891a7f507904318abf171a3b788cd542881af94738b7983956a43212290e36ec7087072e78d96cb95b86a1d727f7c939557dacc74fe926b21909f5e9b10 |