Analysis
max time kernel: 151s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2022, 19:50
Behavioral tasks
behavioral1: Sample 17.xls, Resource win7-20220812-en
behavioral2: Sample 17.xls, Resource win10v2004-20220812-en
General
Target: 17.xls
Size: 91KB
MD5: af875caf5a0ef77a409eddc73498df81
SHA1: 09a3d4e2526a40fa140e6875e17c7bfd7ff17e4a
SHA256: 62fab9c35ea8be9f22973fc904f2312508b86f78f8320d724847542dd2d558e4
SHA512: dbfec343ac03ad27e408fd778545901f1cbb0d71ead639d890eb777d729fe0ffff81d4e284386d7c799bc241138680005c5d3f87b237048ac27e7fcb9063f9e3
SSDEEP: 1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dg2bCXuZH4gb4CEn9J4ZKcvp:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgC
Malware Config
Extracted (URLs)
http://bundlefilm.com/headers/lkfBH3Czw9CjEW07P2/
http://camsanparke.net/wp-content/h2Ja5bwB03hnyfCb/
http://royreid.co.uk/wp-content/dCwG/
https://cs.com.sg/admin/a1lR5wu/
Extracted (family: emotet, botnet: Epoch5)
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
218.38.121.17:443
103.71.99.57:8080
103.224.241.74:8080
128.199.242.164:8080
85.214.67.203:8080
103.254.12.236:7080
46.101.98.60:8080
178.62.112.199:8080
210.57.209.142:8080
195.77.239.39:8080
103.126.216.86:443
82.98.180.154:7080
202.28.34.99:8080
174.138.33.49:7080
160.16.143.191:8080
51.75.33.122:443
103.41.204.169:8080
186.250.48.5:443
87.106.97.83:7080
118.98.72.86:443
196.44.98.190:8080
103.85.95.4:8080
62.171.178.147:8080
54.37.228.122:443
114.79.130.68:443
198.199.70.22:8080
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3500 | 1940 | regsvr32.exe | 80
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2328 | 1940 | regsvr32.exe | 80
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3192 | 1940 | regsvr32.exe | 80
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1528 | 1940 | regsvr32.exe | 80

Downloads MZ/PE file

Loads dropped DLL (8 IoCs)
pid | Process
3500 | regsvr32.exe
2344 | regsvr32.exe
2328 | regsvr32.exe
1652 | regsvr32.exe
3192 | regsvr32.exe
4020 | regsvr32.exe
1528 | regsvr32.exe
4408 | regsvr32.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ArSUlwQhNNqCW.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\RwhrSrOnDATwdBElz\\ArSUlwQhNNqCW.dll\"" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
1940 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (24 IoCs; identical entries collapsed, count in the last column)
pid | Process | entries
3500 | regsvr32.exe | 2
2344 | regsvr32.exe | 4
2328 | regsvr32.exe | 2
1652 | regsvr32.exe | 4
3192 | regsvr32.exe | 2
4020 | regsvr32.exe | 4
1528 | regsvr32.exe | 2
4408 | regsvr32.exe | 4

Suspicious use of SetWindowsHookEx (13 IoCs; identical entries collapsed)
pid | Process | entries
1940 | EXCEL.EXE | 13

Suspicious use of WriteProcessMemory (16 IoCs; each entry is recorded twice in the report)
description | pid | Process | procid_target | entries
PID 1940 wrote to memory of 3500 | 1940 | EXCEL.EXE | 87 | 2
PID 1940 wrote to memory of 2328 | 1940 | EXCEL.EXE | 90 | 2
PID 3500 wrote to memory of 2344 | 3500 | regsvr32.exe | 91 | 2
PID 2328 wrote to memory of 1652 | 2328 | regsvr32.exe | 92 | 2
PID 1940 wrote to memory of 3192 | 1940 | EXCEL.EXE | 94 | 2
PID 3192 wrote to memory of 4020 | 3192 | regsvr32.exe | 95 | 2
PID 1940 wrote to memory of 1528 | 1940 | EXCEL.EXE | 96 | 2
PID 1528 wrote to memory of 4408 | 1528 | regsvr32.exe | 97 | 2
Processes (tree; indentation shows parent/child depth)

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 1940)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\17.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\regsvr32.exe (PID 3500)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 2344)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GplWhrsyv\BDFVxwqSmJFOgtRE.dll"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\regsvr32.exe (PID 2328)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 1652)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KPRRLa\tladshhSUz.dll"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\regsvr32.exe (PID 3192)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 4020)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RwhrSrOnDATwdBElz\ArSUlwQhNNqCW.dll"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\regsvr32.exe (PID 1528)
    Command line: C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 4408)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JyRkZe\AlFdQIogA.dll"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads (12 entries in the report; 4 distinct files, each recorded 3 times, all 434KB)

Filesize: 434KB
MD5: f438653780bf4822560e5d8d2e907185
SHA1: 5d78b1857b07de375da8c0ed9d2cd148a6fc42d6
SHA256: 2c89b7f2afe59fdb9048be6a46ca0b6d39c762e6425820ddeee83daeb5819f7e
SHA512: fd4dfdf444f524b53fda26d47ec1affc406c2d326c59e6c18e25bcaac1c5ef291adf9b72679d39e700d0f422559d57c9f8e53c19f37c2c89c0d1b80a96290402

Filesize: 434KB
MD5: eef36d2e209df249fc8a2b371b32efd8
SHA1: ddf4c64d5162a51f19f84ae11b6b8be0c056c389
SHA256: 507b6f41884566fa4c7e552953b1cfb7a6c2913926511e4a7980085489163fef
SHA512: b81f1a508e1840b51e7552342ee87d697d63481f3d24357b80b904ea7f09c183475ea1d75b0c7bfe6a9e2c4532b41e77e43ab40c1ffe07ced7815cd731a0c021

Filesize: 434KB
MD5: 99effcdd371092bf45673ee5b91b81b4
SHA1: 7553f5050ed44d36c4f393860d2636ac97ed865a
SHA256: 409528b0610c2a53ba8f343a3f674c25b3c03bc865d95204db76980d6815bc48
SHA512: 45594e3e800d56e78a70f6ad45d6fd0243f3093647db40bc31b0257e7d473f8c07e4e978ae3f3f14b5ec81d3e34833b60fe06d80a563287fcaa021bc4755fcdc

Filesize: 434KB
MD5: 4095598a5e1c0cb57ee9137521fc935f
SHA1: 01c7b799fba8cab7bc9d486fa2f5b0fd5f51004f
SHA256: 6dc8324e6ff7f01ef9d6f3b310ce84d4acddd388a124ee1dcfa9e03246b74631
SHA512: 3395b26c020359d6a801f97f3a767a0be04b0d766b257474e2b78f5426d79f6b3003f9c8091cdb1a24576909203067627c3f5ef6ec564e7b4816b9df0caf4228