Analysis
max time kernel: 151s
max time network: 171s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2022, 19:50
Behavioral task behavioral1: sample 17.xls, resource win7-20220812-en
Behavioral task behavioral2: sample 17.xls, resource win10v2004-20220812-en
General
Target: 17.xls
Size: 91KB
MD5: af875caf5a0ef77a409eddc73498df81
SHA1: 09a3d4e2526a40fa140e6875e17c7bfd7ff17e4a
SHA256: 62fab9c35ea8be9f22973fc904f2312508b86f78f8320d724847542dd2d558e4
SHA512: dbfec343ac03ad27e408fd778545901f1cbb0d71ead639d890eb777d729fe0ffff81d4e284386d7c799bc241138680005c5d3f87b237048ac27e7fcb9063f9e3
SSDEEP: 1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg2bCXuZH4gb4CEn9J4ZKcvp:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgC
Malware Config
Extracted URLs:
http://bundlefilm.com/headers/lkfBH3Czw9CjEW07P2/
http://camsanparke.net/wp-content/h2Ja5bwB03hnyfCb/
http://royreid.co.uk/wp-content/dCwG/
https://cs.com.sg/admin/a1lR5wu/
Extracted: emotet, Epoch5
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1292 | 980 | regsvr32.exe | 27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1736 | 980 | regsvr32.exe | 27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 2000 | 980 | regsvr32.exe | 27
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 904 | 980 | regsvr32.exe | 27

Downloads MZ/PE file

Loads dropped DLL (8 IoCs)
pid | Process
1292 | regsvr32.exe
920 | regsvr32.exe
1736 | regsvr32.exe
524 | regsvr32.exe
2000 | regsvr32.exe
1368 | regsvr32.exe
904 | regsvr32.exe
1240 | regsvr32.exe

Enumerates system info in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Modifies Internet Explorer settings (9 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
980 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
920 | regsvr32.exe
1220 | regsvr32.exe
1220 | regsvr32.exe
524 | regsvr32.exe
1588 | regsvr32.exe
1588 | regsvr32.exe
1368 | regsvr32.exe
2028 | regsvr32.exe
2028 | regsvr32.exe
1240 | regsvr32.exe
868 | regsvr32.exe
868 | regsvr32.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
980 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
980 | EXCEL.EXE (6 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows are collapsed; the last column gives how many times each row appears.
description | pid | Process | procid_target | entries
PID 980 wrote to memory of 1292 | 980 | EXCEL.EXE | 30 | 7
PID 1292 wrote to memory of 920 | 1292 | regsvr32.exe | 31 | 7
PID 920 wrote to memory of 1220 | 920 | regsvr32.exe | 32 | 5
PID 980 wrote to memory of 1736 | 980 | EXCEL.EXE | 33 | 7
PID 1736 wrote to memory of 524 | 1736 | regsvr32.exe | 34 | 7
PID 524 wrote to memory of 1588 | 524 | regsvr32.exe | 35 | 5
PID 980 wrote to memory of 2000 | 980 | EXCEL.EXE | 36 | 7
PID 2000 wrote to memory of 1368 | 2000 | regsvr32.exe | 37 | 7
PID 1368 wrote to memory of 2028 | 1368 | regsvr32.exe | 38 | 5
PID 980 wrote to memory of 904 | 980 | EXCEL.EXE | 39 | 7
Processes
Indentation shows process tree depth (parent above, children below).

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 980)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\17.xls
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regsvr32.exe (PID 1292)
  Command line: C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 920)
    Command line: /S ..\elv1.ooocccxxx
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

      C:\Windows\system32\regsvr32.exe (PID 1220)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VFlbO\MJQlqeCvrPBIhcbM.dll"
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\regsvr32.exe (PID 1736)
  Command line: C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 524)
    Command line: /S ..\elv2.ooocccxxx
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

      C:\Windows\system32\regsvr32.exe (PID 1588)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XmkgLDqX\ukiyVHcmQ.dll"
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\regsvr32.exe (PID 2000)
  Command line: C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 1368)
    Command line: /S ..\elv3.ooocccxxx
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

      C:\Windows\system32\regsvr32.exe (PID 2028)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XnmDavJ\BImejDaQNRgaasKL.dll"
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\regsvr32.exe (PID 904)
  Command line: C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
  - Process spawned unexpected child process
  - Loads dropped DLL

    C:\Windows\system32\regsvr32.exe (PID 1240)
    Command line: /S ..\elv4.ooocccxxx
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

      C:\Windows\system32\regsvr32.exe (PID 868)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EwGQJyBr\hFTAeXkGcahRzjOb.dll"
      - Suspicious behavior: EnumeratesProcesses
Downloads