Analysis
- max time kernel: 170s
- max time network: 186s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2022, 20:24

Behavioral tasks
- behavioral1: sample 0.xls, resource win7-20220812-en
- behavioral2: sample 0.xls, resource win10v2004-20220812-en (the run reported below)
General
- Target: 0.xls
- Size: 91KB
- MD5: 25ef4c34a256c4017c2347bd483354d8
- SHA1: b3a5a62a7c7179b9b1bb8fb4bcb5b14b5487bcf4
- SHA256: 9fc02186bf2d3daf15dcf68f436dcd4a95bcd879ff916acc04d91bbad8ca1aef
- SHA512: e886f3419d248e509b5b38930ac5e890f3a34068981a3e953444af07c022ff378035d7563dfae1e47841306887c9f0a73735b0a373b679f3831bf9f7e28fe8f2
- SSDEEP: 1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgEbCXuZH4gb4CEn9J4Z8EM:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgV
Malware Config

Extracted: URLs (4)
http://www.muyehuayi.com/cmp/8asA99KPsyA/v6lUsWbLen/
http://concivilpa.com.py/wp-admin/i3CQu9dzDrMW/
https://wijsneusmedia.nl/cgi-bin/kFB/
http://www.angloextrema.com.br/assets/oEt1yYckHKlnNIq/

Extracted: emotet (botnet Epoch5), C2 endpoints (46, ip:port)
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
218.38.121.17:443
103.71.99.57:8080
103.224.241.74:8080
128.199.242.164:8080
85.214.67.203:8080
103.254.12.236:7080
46.101.98.60:8080
178.62.112.199:8080
210.57.209.142:8080
195.77.239.39:8080
103.126.216.86:443
82.98.180.154:7080
202.28.34.99:8080
174.138.33.49:7080
160.16.143.191:8080
51.75.33.122:443
103.41.204.169:8080
186.250.48.5:443
87.106.97.83:7080
118.98.72.86:443
196.44.98.190:8080
103.85.95.4:8080
62.171.178.147:8080
54.37.228.122:443
114.79.130.68:443
198.199.70.22:8080
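The two Extracted blocks above are only useful once they are machine-readable. What follows is an added example, not part of the sandbox report, that parses report text of this shape into deduplicated IOCs, keeps a C2 entry only if it is a syntactically valid, globally routable IPv4 address with a sane port, and emits hostnames for DNS blocking, an IP blocklist grouped by port, and Suricata alert rules. The REPORT_EXCERPT it runs on is a constructed abbreviation of the blocks above with three extra lines (a duplicate, an invalid octet and a private address) added to exercise the validation; the Suricata sid range and message prefix are assumptions.

```python
"""Parse the Malware Config / Extracted blocks of a sandbox report into IOCs
and emit blocklists and Suricata rules. Added example, not part of the report."""
import ipaddress
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"^https?://\S+$")
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

# Constructed excerpt of the report above. The last three C2 lines (a
# duplicate, an invalid octet, a private address) are NOT in the report; they
# are here only to exercise the validation below.
REPORT_EXCERPT = """\
Extracted
http://www.muyehuayi.com/cmp/8asA99KPsyA/v6lUsWbLen/
http://concivilpa.com.py/wp-admin/i3CQu9dzDrMW/
https://wijsneusmedia.nl/cgi-bin/kFB/
http://www.angloextrema.com.br/assets/oEt1yYckHKlnNIq/
Extracted
emotet
Epoch5
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
202.134.4.210:7080
178.238.225.252:8080
999.1.1.1:8080
10.0.0.5:8080
"""


def parse_extracted(text):
    """Return {'urls': [...], 'labels': [...], 'c2': [(ip, port), ...]}.

    URLs and C2 entries are deduplicated in order of first appearance. A C2
    entry is kept only if it is a valid, globally routable IPv4 address with a
    port in 1..65535. Other lines (e.g. 'emotet', 'Epoch5') become labels."""
    urls, labels, c2, seen = [], [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Extracted":
            continue
        if URL_RE.match(line):
            if line not in seen:
                seen.add(line)
                urls.append(line)
            continue
        m = C2_RE.match(line)
        if m:
            try:
                ip = ipaddress.IPv4Address(m.group(1))
            except ValueError:
                continue  # e.g. an octet above 255
            port = int(m.group(2))
            entry = (str(ip), port)
            if ip.is_global and 1 <= port <= 65535 and entry not in seen:
                seen.add(entry)
                c2.append(entry)
            continue
        labels.append(line)
    return {"urls": urls, "labels": labels, "c2": c2}


def hostnames(urls):
    """Hostnames for DNS/proxy blocking, in order of first appearance."""
    out = []
    for u in urls:
        h = urlparse(u).hostname
        if h and h not in out:
            out.append(h)
    return out


def blocklist_by_port(c2):
    """{port: [ip, ...]} with addresses in numeric order."""
    by_port = {}
    for ip, port in c2:
        by_port.setdefault(port, []).append(ip)
    return {p: sorted(ips, key=ipaddress.IPv4Address) for p, ips in by_port.items()}


def suricata_rules(c2, sid_start=9000001, msg="Emotet Epoch5 C2"):
    """One alert rule per endpoint; the sid range and msg prefix are assumptions."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"{msg} {ip}:{port}"; flow:to_server; sid:{sid_start + i}; rev:1;)'
        for i, (ip, port) in enumerate(c2)
    ]


if __name__ == "__main__":
    cfg = parse_extracted(REPORT_EXCERPT)
    print("hosts:", hostnames(cfg["urls"]))
    print("blocklist:", blocklist_by_port(cfg["c2"]))
    print("\n".join(suricata_rules(cfg["c2"])))
```

Feed it the full 46-line block from the report and the private-address filter is a no-op, but keep it: config extractors occasionally emit sandbox-internal or placeholder addresses, and a blocklist that contains RFC 1918 space will break more than it protects.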
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Description for all four rows: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
pid   pid_target  Process       procid_target
204   4476        regsvr32.exe  78
4880  4476        regsvr32.exe  78
1888  4476        regsvr32.exe  78
2920  4476        regsvr32.exe  78

Downloads MZ/PE file

Loads dropped DLL (4 IoCs)
pid   Process
204   regsvr32.exe
2116  regsvr32.exe
2920  regsvr32.exe
2060  regsvr32.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bBktYvKcN.dll = C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AGbJUpTi\bBktYvKcN.dll" (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CUWq.dll = C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CSXgSuhqHUMASrF\CUWq.dll" (regsvr32.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. In this run, however, all three reads are made by EXCEL.EXE (PID 4476) itself rather than by the dropped payload, so on their own they are weak evidence of evasion.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
The same caveat applies: the BIOS reads below come from EXCEL.EXE, not from any regsvr32.exe instance.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- 4476 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (12 IoCs)
- 204 regsvr32.exe (x2)
- 2116 regsvr32.exe (x4)
- 2920 regsvr32.exe (x2)
- 2060 regsvr32.exe (x4)

Suspicious use of SetWindowsHookEx (12 IoCs)
- 4476 EXCEL.EXE (x12)

Suspicious use of WriteProcessMemory (12 IoCs; each pair is recorded twice)
pid   Process       wrote to memory of  procid_target
4476  EXCEL.EXE     204                 82
204   regsvr32.exe  2116                83
4476  EXCEL.EXE     4880                84
4476  EXCEL.EXE     1888                85
4476  EXCEL.EXE     2920                86
2920  regsvr32.exe  2060                87
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4476)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\regsvr32.exe (PID 204)
    C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 2116)
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AGbJUpTi\bBktYvKcN.dll"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\regsvr32.exe (PID 4880)
    C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
    - Process spawned unexpected child process

  C:\Windows\System32\regsvr32.exe (PID 1888)
    C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
    - Process spawned unexpected child process

  C:\Windows\System32\regsvr32.exe (PID 2920)
    C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 2060)
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CSXgSuhqHUMASrF\CUWq.dll"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
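The process tree above reduces to three observable patterns: an Office process spawning regsvr32.exe, regsvr32.exe being pointed at a file that does not carry a COM-server extension (..\elvN.ooocccxxx), and regsvr32.exe re-launching itself on a DLL copied into a randomly named directory and registering that command under a Run key. The following is an added example, not part of the sandbox report, that encodes those patterns as detection rules and runs them over constructed Sysmon-style process-creation and registry events mirroring the tree. The events for PIDs 3000, 5000 and 6000 are benign controls that do not appear in the report. The Run-key rule matches on any hive: the sandbox user is Admin, so the HKLM hive and system32 install path seen here should not be hard-coded into a rule.

```python
"""Detection rules for the Excel -> regsvr32 -> Run-key chain above, run over
constructed Sysmon-style events. Added example, not part of the sandbox report."""
import ntpath
import re
from collections import Counter

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "certutil.exe"}
RUN_LAUNCHERS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe"}
DLL_EXT = {".dll", ".ocx", ".ax"}
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def argv(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def regsvr32_module(cmdline):
    """First non-switch argument of a regsvr32 command line, i.e. the module path."""
    args = [a for a in argv(cmdline)[1:] if not a.startswith(("/", "-"))]
    return args[0] if args else None


def detect_process(ev, by_pid):
    """Return (rule, pid, detail) hits for one process-creation event."""
    hits = []
    image = ntpath.basename(ev["image"]).lower()
    parent = by_pid.get(ev["ppid"])
    pimage = ntpath.basename(parent["image"]).lower() if parent else ""
    # 1. Office application spawning a living-off-the-land binary
    if pimage in OFFICE and image in LOLBINS:
        hits.append(("office_spawns_lolbin", ev["pid"], f"{pimage} -> {image}"))
    if image == "regsvr32.exe":
        module = regsvr32_module(ev["cmdline"])
        # 2. regsvr32 told to register a file without a COM-server extension
        if module and ntpath.splitext(module)[1].lower() not in DLL_EXT:
            hits.append(("regsvr32_non_dll_module", ev["pid"], module))
        # 3. regsvr32 spawned by regsvr32 (payload re-launched from its install path)
        if pimage == "regsvr32.exe":
            hits.append(("regsvr32_relaunch", ev["pid"], module or ""))
    return hits


def detect_registry(ev):
    """Run/RunOnce value, in any hive, whose command starts with a LOLBin."""
    if "\\currentversion\\run" not in ev["key"].lower() or not ev["data"]:
        return []
    launcher = ntpath.basename(argv(ev["data"])[0]).lower()
    if launcher in RUN_LAUNCHERS:
        return [("run_key_via_lolbin", ev["pid"], f"{ev['key']} = {ev['data']}")]
    return []


def run(process_events, registry_events):
    by_pid = {ev["pid"]: ev for ev in process_events}
    hits = []
    for ev in process_events:
        hits.extend(detect_process(ev, by_pid))
    for ev in registry_events:
        hits.extend(detect_registry(ev))
    return hits


EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
RS32 = r"C:\Windows\System32\regsvr32.exe"
# Constructed from the report's process tree. PIDs 3000, 5000 and 6000 are
# benign controls that are NOT in the report.
PROCESS_EVENTS = [
    {"pid": 4476, "ppid": 1, "image": EXCEL,
     "cmdline": f'"{EXCEL}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\0.xls"'},
    {"pid": 204, "ppid": 4476, "image": RS32, "cmdline": rf"{RS32} /S ..\elv1.ooocccxxx"},
    {"pid": 2116, "ppid": 204, "image": RS32,
     "cmdline": rf'{RS32} "C:\Windows\system32\AGbJUpTi\bBktYvKcN.dll"'},
    {"pid": 4880, "ppid": 4476, "image": RS32, "cmdline": rf"{RS32} /S ..\elv2.ooocccxxx"},
    {"pid": 1888, "ppid": 4476, "image": RS32, "cmdline": rf"{RS32} /S ..\elv3.ooocccxxx"},
    {"pid": 2920, "ppid": 4476, "image": RS32, "cmdline": rf"{RS32} /S ..\elv4.ooocccxxx"},
    {"pid": 2060, "ppid": 2920, "image": RS32,
     "cmdline": rf'{RS32} "C:\Windows\system32\CSXgSuhqHUMASrF\CUWq.dll"'},
    {"pid": 3000, "ppid": 1, "image": r"C:\Temp\setup.exe", "cmdline": r"C:\Temp\setup.exe"},
    {"pid": 5000, "ppid": 3000, "image": RS32,
     "cmdline": rf'{RS32} /s "C:\Program Files\Vendor\plugin.dll"'},
]
RUN = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
REGISTRY_EVENTS = [
    {"pid": 2116, "key": rf"{RUN}\bBktYvKcN.dll",
     "data": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AGbJUpTi\bBktYvKcN.dll"'},
    {"pid": 2060, "key": rf"{RUN}\CUWq.dll",
     "data": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CSXgSuhqHUMASrF\CUWq.dll"'},
    {"pid": 6000, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    hits = run(PROCESS_EVENTS, REGISTRY_EVENTS)
    for rule, pid, detail in hits:
        print(f"{rule:26} pid={pid:<5} {detail}")
    print(Counter(rule for rule, _, _ in hits))
```

Rule 1 alone already fires four times on this tree and zero times on the benign control, which is why "Office spawns a LOLBin" is the alert to page on; rules 2 and 3 are there to keep the alert from being dismissed as a plugin installer, since a legitimate regsvr32 invocation (PID 5000 here) registers a .dll and is not re-spawned by another regsvr32.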
Network
MITRE ATT&CK Enterprise v6
Downloads
Six dropped files of 434KB each were recorded, but only two distinct contents appear, each three times (file names are not given in this export).

Dropped file A (434KB; three occurrences)
- MD5: 6ca137135a9e5955a42bc0450ed97e9c
- SHA1: b1df39850d1e317f5a4b9ef40533b96a1203fac6
- SHA256: 59f307cfc52b7a16dc2ac52a99cfb8c6cccf71e4b47d133d190c7d584550a0d9
- SHA512: a7fa55bf1749c14f4977f82b6353eb57bfffbb4ed28817caaf17b34542f65a282daa80f40fa1b261f4106d371adb4449f2335bbdf4961242e33faa5e30171233

Dropped file B (434KB; three occurrences)
- MD5: 185cae52db52f22b575a4ff8e32e7ebb
- SHA1: f60307b7f98b90042e8e84287bab2688f4c0d7d9
- SHA256: f75b9ddef817d6e151304b37a5fe286fefa01887d2d298622fcdfa9ace43ab55
- SHA512: e489c7ddeb64e4872b661dc3d0521899d1a25e3271700735c673cdb6537684d9a3bdc95ef815986bba67ab02711ac550bd0feb73d283483deaf5da620ef0b5dc