Analysis
max time kernel: 149s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2022, 19:35
Behavioral task behavioral1: Sample 4.xls, Resource win7-20220812-en
Behavioral task behavioral2: Sample 4.xls, Resource win10v2004-20220901-en (this report)
General
Target: 4.xls
Size: 91KB
MD5: 518db719eab811eb243ef390901973df
SHA1: b92c8aecf6e2787ad622078608005a8631406018
SHA256: 3b63af75058a6f9cf21158e21aae03bb378853d4920f9405cb8a350d3d8499bb
SHA512: 250713a44c8dd6e080ac5b61a5b840b6eb3c73e6b65970f29303645b878503eb4d40abbf9e0fccfe617db7e5ad09630ecdb0e73e3ececacd93cf8a38825b6cbf
SSDEEP: 1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg2bCXuZH4gb4CEn9J4Zacvp:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgy
Malware Config
Extracted URLs:
http://bundlefilm.com/headers/lkfBH3Czw9CjEW07P2/
http://camsanparke.net/wp-content/h2Ja5bwB03hnyfCb/
http://royreid.co.uk/wp-content/dCwG/
https://cs.com.sg/admin/a1lR5wu/
Extracted: emotet (Epoch5), C2 list (ip:port):
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
218.38.121.17:443
103.71.99.57:8080
103.224.241.74:8080
128.199.242.164:8080
85.214.67.203:8080
103.254.12.236:7080
46.101.98.60:8080
178.62.112.199:8080
210.57.209.142:8080
195.77.239.39:8080
103.126.216.86:443
82.98.180.154:7080
202.28.34.99:8080
174.138.33.49:7080
160.16.143.191:8080
51.75.33.122:443
103.41.204.169:8080
186.250.48.5:443
87.106.97.83:7080
118.98.72.86:443
196.44.98.190:8080
103.85.95.4:8080
62.171.178.147:8080
54.37.228.122:443
114.79.130.68:443
198.199.70.22:8080
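The config dump above is only useful once it is in a form that can be checked against telemetry. The following is an added example (not part of the sandbox report) that validates a subset of the Epoch5 ip:port entries, pulls the hostnames out of the payload URLs, and runs the result over connection-log lines. The C2 subset and the URLs are copied from this report; the log lines are constructed, and the Zeek conn.log field order (ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto) is an assumption about your log source.

```python
"""Turn an extracted Emotet C2 list into a lookup set and match it against
connection logs. Example code written for this page, not tooling from the
sandbox vendor. C2 entries below are a subset of the report's Epoch5 list;
the conn.log excerpt is constructed."""
import ipaddress
from urllib.parse import urlparse

PAYLOAD_URLS = [
    "http://bundlefilm.com/headers/lkfBH3Czw9CjEW07P2/",
    "http://camsanparke.net/wp-content/h2Ja5bwB03hnyfCb/",
    "http://royreid.co.uk/wp-content/dCwG/",
    "https://cs.com.sg/admin/a1lR5wu/",
]

# Subset of the C2 list from the report (one entry per line, ip:port).
C2_RAW = """
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
202.134.4.210:7080
78.47.204.80:443
"""


def parse_c2(raw):
    """Validate ip:port lines; raise on garbage rather than silently matching nothing."""
    c2 = set()
    for line in raw.split():
        host, _, port = line.rpartition(":")
        ip = ipaddress.ip_address(host)  # ValueError if not a valid IP literal
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in C2 entry {line!r}")
        c2.add((str(ip), port))
    return c2


def payload_hosts(urls):
    """Hostnames of the stage-1 download URLs, for DNS/proxy log hunting."""
    return {urlparse(u).hostname for u in urls}


def match_conn_log(lines, c2):
    """Return (ts, resp_h, resp_p, verdict) for flows towards a known C2.

    Exact ip:port matches are reported as 'c2_exact'; a flow to a C2 IP on a
    different port is still reported, as 'c2_ip_only', because Emotet nodes
    are ordinary compromised hosts and ports in the config change over time.
    Assumed field order: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto.
    """
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 7:
            continue
        resp_h, resp_p = f[4], int(f[5])
        if (resp_h, resp_p) in c2:
            hits.append((f[0], resp_h, resp_p, "c2_exact"))
        elif resp_h in c2_ips:
            hits.append((f[0], resp_h, resp_p, "c2_ip_only"))
    return hits


# Constructed conn.log excerpt: two beacons to listed C2s, one benign HTTPS
# flow, and one flow to a listed C2 IP on a port not in the config.
SAMPLE_CONN_LOG = """\
1662924910.1 Cx1 10.0.0.5 49712 178.238.225.252 8080 tcp
1662924911.2 Cx2 10.0.0.5 49713 142.250.74.78 443 tcp
1662924912.3 Cx3 10.0.0.5 49714 36.67.23.59 443 tcp
1662924913.4 Cx4 10.0.0.5 49715 36.67.23.59 80 tcp
""".splitlines()

if __name__ == "__main__":
    c2 = parse_c2(C2_RAW)
    print("payload hosts:", sorted(payload_hosts(PAYLOAD_URLS)))
    for hit in match_conn_log(SAMPLE_CONN_LOG, c2):
        print(hit)
```

Feed the full 46-entry list from the report into `C2_RAW` for real use; `parse_c2` will refuse a malformed line instead of silently shrinking the match set, which is the failure mode that makes IOC sweeps report a clean bill of health.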
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. Here EXCEL.EXE (PID 516) launched four regsvr32.exe instances, each pointed at a file with a non-DLL extension (..\elv1.ooocccxxx through ..\elv4.ooocccxxx; see Processes below).
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1420 | 516 | regsvr32.exe | 62
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 772 | 516 | regsvr32.exe | 62
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1416 | 516 | regsvr32.exe | 62
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3140 | 516 | regsvr32.exe | 62

Downloads MZ/PE file

Loads dropped DLL (8 IoCs)
pid | Process
1420 | regsvr32.exe
4340 | regsvr32.exe
772 | regsvr32.exe
2132 | regsvr32.exe
1416 | regsvr32.exe
4504 | regsvr32.exe
3140 | regsvr32.exe
1904 | regsvr32.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
Each second-stage regsvr32.exe writes an HKLM Run value that re-registers its DLL from a randomly named subdirectory of system32 at boot. Values are shown unescaped, as stored in the registry.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVMUrvKKIAqT.dll = C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MVFAr\YVMUrvKKIAqT.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PwRmlx.dll = C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FEejEczvu\PwRmlx.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\czRX.dll = C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JPPUPqNWU\czRX.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zKfbD.dll = C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ORatXgyAInH\zKfbD.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that these reads come from EXCEL.EXE itself, so they may be Office's own hardware enumeration rather than the macro's; treat this signature as low confidence on its own.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
516 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid | Process | events
1420 | regsvr32.exe | 2
4340 | regsvr32.exe | 4
772 | regsvr32.exe | 2
2132 | regsvr32.exe | 4
1416 | regsvr32.exe | 2
4504 | regsvr32.exe | 4
3140 | regsvr32.exe | 2
1904 | regsvr32.exe | 4

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process | events
516 | EXCEL.EXE | 12

Suspicious use of WriteProcessMemory (16 IoCs)
Each edge below was recorded twice, which gives the parent/child relationships used in the process tree.
description | pid | Process | procid_target | events
PID 516 wrote to memory of 1420 | 516 | EXCEL.EXE | 85 | 2
PID 1420 wrote to memory of 4340 | 1420 | regsvr32.exe | 87 | 2
PID 516 wrote to memory of 772 | 516 | EXCEL.EXE | 88 | 2
PID 772 wrote to memory of 2132 | 772 | regsvr32.exe | 91 | 2
PID 516 wrote to memory of 1416 | 516 | EXCEL.EXE | 92 | 2
PID 1416 wrote to memory of 4504 | 1416 | regsvr32.exe | 93 | 2
PID 516 wrote to memory of 3140 | 516 | EXCEL.EXE | 94 | 2
PID 3140 wrote to memory of 1904 | 3140 | regsvr32.exe | 95 | 2
Processes

Depth 1: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 516)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\System32\regsvr32.exe (PID 1420, parent 516)
  Command line: C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\system32\regsvr32.exe (PID 4340, parent 1420)
    Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JPPUPqNWU\czRX.dll"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses

  Depth 2: C:\Windows\System32\regsvr32.exe (PID 772, parent 516)
  Command line: C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\system32\regsvr32.exe (PID 2132, parent 772)
    Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ORatXgyAInH\zKfbD.dll"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses

  Depth 2: C:\Windows\System32\regsvr32.exe (PID 1416, parent 516)
  Command line: C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\system32\regsvr32.exe (PID 4504, parent 1416)
    Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MVFAr\YVMUrvKKIAqT.dll"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses

  Depth 2: C:\Windows\System32\regsvr32.exe (PID 3140, parent 516)
  Command line: C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\system32\regsvr32.exe (PID 1904, parent 3140)
    Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FEejEczvu\PwRmlx.dll"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
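The Signatures and Processes sections above describe three behaviours worth turning into endpoint detections: an Office application spawning regsvr32.exe, regsvr32.exe being handed a file whose extension is not one it normally registers (here .ooocccxxx), and a Run key whose value re-launches regsvr32.exe against a DLL. The following is an added example written for this page, not code from the sandbox vendor. The events are constructed from the process tree and registry IoCs in this report using Sysmon-like field names (parent_image, image, cmdline, target, details), which is an assumption about the telemetry you have; the rule names are my own.

```python
"""Detection logic for the Office -> regsvr32 -> Run-key chain seen in this
report. Example code written for this page, not sandbox-vendor tooling.
Event shape (Sysmon-like field names) and rule names are assumptions."""
import re
from pathlib import PureWindowsPath

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
REGSVR_EXTS = {".dll", ".ocx", ".ax"}  # file types regsvr32 is normally asked to register
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

# Constructed telemetry mirroring the report's first regsvr32 chain (PIDs 516 ->
# 1420 -> 4340) plus one benign control event. Not real Sysmon output.
EVENTS = [
    {"type": "process", "pid": 1420, "ppid": 516,
     "parent_image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx"},
    {"type": "process", "pid": 4340, "ppid": 1420,
     "parent_image": r"C:\Windows\System32\regsvr32.exe",
     "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JPPUPqNWU\czRX.dll"'},
    {"type": "registry", "pid": 4340, "image": r"C:\Windows\system32\regsvr32.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\czRX.dll",
     "details": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JPPUPqNWU\czRX.dll"'},
    # Benign control: an installer registering an OCX from explorer, should not fire.
    {"type": "process", "pid": 900, "ppid": 700,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\ctl.ocx"'},
]


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def regsvr32_target(cmdline):
    """Return the file regsvr32 was asked to (un)register, ignoring /switches."""
    args = [t for t in split_cmdline(cmdline)[1:] if not t.startswith("/")]
    return args[0] if args else None


def check_process(ev):
    hits = []
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    child = PureWindowsPath(ev["image"]).name.lower()
    if parent in OFFICE_IMAGES and child == "regsvr32.exe":
        hits.append("office_spawned_regsvr32")
    if child == "regsvr32.exe":
        target = regsvr32_target(ev["cmdline"])
        # Emotet hands regsvr32 a .ooocccxxx file; extension is not a DLL/OCX.
        if target and PureWindowsPath(target).suffix.lower() not in REGSVR_EXTS:
            hits.append("regsvr32_nonstandard_extension")
    return hits


def check_registry(ev):
    """Run/RunOnce value whose command re-registers a DLL via regsvr32."""
    if RUN_KEY_RE.search(ev["target"]) and "regsvr32.exe" in ev["details"].lower():
        return ["run_key_regsvr32_persistence"]
    return []


def scan(events):
    """Return (pid, rule) pairs in event order."""
    findings = []
    for ev in events:
        rules = check_process(ev) if ev["type"] == "process" else check_registry(ev)
        findings.extend((ev["pid"], r) for r in rules)
    return findings


if __name__ == "__main__":
    for pid, rule in scan(EVENTS):
        print(f"pid {pid}: {rule}")
```

The extension check is the one most likely to need tuning: `regsvr32_target` only sees the path as typed, so a relative `..\elv1.ooocccxxx` is judged by its suffix alone, and a legitimate component registered from an unquoted path containing spaces would be mis-tokenised. Correlating on the parent process (the first rule) is what makes the alert actionable regardless.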
MITRE ATT&CK Enterprise v6
Downloads
12 entries, 4 distinct files by hash (each listed 3 times), all 434KB:

File 1 (listed 3 times)
Filesize: 434KB
MD5: 6d30440f37903b479535498973e1ed8e
SHA1: c379f0ebcf62c9339ecebbf7128d4ac0c2f32bb9
SHA256: d1a2a7f73ad803b3b0b802d7221623b85e63837c7545f010b91df5ef4237b940
SHA512: b233f69da07174b0c9811f49b3eddfd34459f82249290736c764d4d80bedeb542715dc5f457102f185f6a76f5d17cdf41ec2dfcb927d8eda66110b71e396089d

File 2 (listed 3 times)
Filesize: 434KB
MD5: 9bcf42bf10629fa5d184ab876993d010
SHA1: 74039e833172becdcbd65e42b699dccc54286e88
SHA256: 0882c33b7b6301165fd2dad00d132b027f352dd1819d89c24c5d753268fa461f
SHA512: 87082246187226ac40e63cace06cf304972c025629d1cdd0ec0f717192bff3dc15f2416d7800befc09dca7baf348901636283d6b14c3e1d432b2ea51a8067dfa

File 3 (listed 3 times)
Filesize: 434KB
MD5: fd3fb2ebc40a6a7f8dd82b3d3eeb5411
SHA1: c1013563a11100c067ebecac5cf714540b49e93a
SHA256: 25331d10951d0910a9efb4a92aed0fc504f12ce2cbcfcea0fdcb162186d163f5
SHA512: e8d16d610b9db4776f15923604b06471215a28227a4d1279439db5e1d9bd386e186de533dc44321968c926c655979acad3b1a217792387168bfb6f6088ca6b5f

File 4 (listed 3 times)
Filesize: 434KB
MD5: 244fc6f29851847822634d79eba92873
SHA1: 078c2003ab3bfae424b27537a4ca11d42ab15e3c
SHA256: 1c318f06df719dc4be23f48493b495c85187e2bd5fe12fdcaa5d5edb16f81bc2
SHA512: cc868767163ac54345245418dfbe83ceb4cf161d95b8e2441b5d14429468b107c53fd30dbc488a991ceef0712d3384eea5944414e9f783286129820d1fe9397e