Malware Analysis Report

2025-08-11 01:42

Sample ID 221109-ykrjbaddar
Target 17.xls
SHA256 62fab9c35ea8be9f22973fc904f2312508b86f78f8320d724847542dd2d558e4
Tags
macro xlm emotet epoch5 banker trojan persistence
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

62fab9c35ea8be9f22973fc904f2312508b86f78f8320d724847542dd2d558e4

Threat Level: Known bad

The file 17.xls was found to be: Known bad.

Malicious Activity Summary

macro xlm emotet epoch5 banker trojan persistence

Process spawned unexpected child process

Emotet

Suspicious Office macro

Downloads MZ/PE file

Loads dropped DLL

Adds Run key to start application

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-09 19:50

Signatures

Suspicious Office macro

macro xlm
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-09 19:50

Reported

2022-11-09 19:54

Platform

win7-20220812-en

Max time kernel

151s

Max time network

171s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\17.xls

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process (4 events) | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Downloads MZ/PE file

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 980 wrote to memory of 1292 (7 events) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 1292 wrote to memory of 920 (7 events) | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 920 wrote to memory of 1220 (5 events) | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 980 wrote to memory of 1736 (7 events) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 1736 wrote to memory of 524 (7 events) | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 524 wrote to memory of 1588 (5 events) | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 980 wrote to memory of 2000 (7 events) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 2000 wrote to memory of 1368 (7 events) | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1368 wrote to memory of 2028 (5 events) | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 980 wrote to memory of 904 (7 events) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\17.xls

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VFlbO\MJQlqeCvrPBIhcbM.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XmkgLDqX\ukiyVHcmQ.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv3.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XnmDavJ\BImejDaQNRgaasKL.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv4.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EwGQJyBr\hFTAeXkGcahRzjOb.dll"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bundlefilm.com | udp
US | 74.207.252.187:80 | bundlefilm.com | tcp
US | 8.8.8.8:53 | camsanparke.net | udp
TR | 213.142.148.59:80 | camsanparke.net | tcp
US | 8.8.8.8:53 | royreid.co.uk | udp
GB | 77.68.64.0:80 | royreid.co.uk | tcp
US | 8.8.8.8:53 | cs.com.sg | udp
SG | 103.237.169.99:443 | cs.com.sg | tcp
US | 8.8.8.8:53 | apps.identrust.com | udp
NL | 104.109.143.75:80 | apps.identrust.com | tcp
KR | 218.38.121.17:443 | N/A | tcp
KR | 218.38.121.17:443 | N/A | tcp
BR | 186.250.48.5:443 | N/A | tcp
BR | 186.250.48.5:443 | N/A | tcp
KR | 218.38.121.17:443 | N/A | tcp
KR | 218.38.121.17:443 | N/A | tcp
IT | 80.211.107.116:8080 | N/A | tcp
IT | 80.211.107.116:8080 | N/A | tcp
BR | 186.250.48.5:443 | N/A | tcp
BR | 186.250.48.5:443 | N/A | tcp
US | 174.138.33.49:7080 | N/A | tcp
US | 174.138.33.49:7080 | N/A | tcp
KR | 218.38.121.17:443 | N/A | tcp
IT | 80.211.107.116:8080 | N/A | tcp
IT | 80.211.107.116:8080 | N/A | tcp
KR | 218.38.121.17:443 | N/A | tcp
SG | 165.22.254.236:8080 | N/A | tcp
BR | 186.250.48.5:443 | N/A | tcp
US | 174.138.33.49:7080 | N/A | tcp
US | 174.138.33.49:7080 | N/A | tcp
BR | 186.250.48.5:443 | N/A | tcp
DE | 185.148.169.10:8080 | N/A | tcp
SG | 165.22.254.236:8080 | N/A | tcp
IT | 80.211.107.116:8080 | N/A | tcp

Files

memory/980-54-0x000000002F8B1000-0x000000002F8B4000-memory.dmp

memory/980-55-0x0000000070F81000-0x0000000070F83000-memory.dmp

memory/980-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/980-57-0x0000000071F6D000-0x0000000071F78000-memory.dmp

memory/980-58-0x0000000075811000-0x0000000075813000-memory.dmp

memory/980-59-0x0000000071F6D000-0x0000000071F78000-memory.dmp

memory/1292-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv1.ooocccxxx

MD5 f438653780bf4822560e5d8d2e907185
SHA1 5d78b1857b07de375da8c0ed9d2cd148a6fc42d6
SHA256 2c89b7f2afe59fdb9048be6a46ca0b6d39c762e6425820ddeee83daeb5819f7e
SHA512 fd4dfdf444f524b53fda26d47ec1affc406c2d326c59e6c18e25bcaac1c5ef291adf9b72679d39e700d0f422559d57c9f8e53c19f37c2c89c0d1b80a96290402

\Users\Admin\elv1.ooocccxxx

MD5 f438653780bf4822560e5d8d2e907185
SHA1 5d78b1857b07de375da8c0ed9d2cd148a6fc42d6
SHA256 2c89b7f2afe59fdb9048be6a46ca0b6d39c762e6425820ddeee83daeb5819f7e
SHA512 fd4dfdf444f524b53fda26d47ec1affc406c2d326c59e6c18e25bcaac1c5ef291adf9b72679d39e700d0f422559d57c9f8e53c19f37c2c89c0d1b80a96290402

memory/920-64-0x0000000000000000-mapping.dmp

memory/920-65-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

memory/920-67-0x0000000180000000-0x0000000180030000-memory.dmp

memory/1220-70-0x0000000000000000-mapping.dmp

memory/1736-75-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv2.ooocccxxx

MD5 eef36d2e209df249fc8a2b371b32efd8
SHA1 ddf4c64d5162a51f19f84ae11b6b8be0c056c389
SHA256 507b6f41884566fa4c7e552953b1cfb7a6c2913926511e4a7980085489163fef
SHA512 b81f1a508e1840b51e7552342ee87d697d63481f3d24357b80b904ea7f09c183475ea1d75b0c7bfe6a9e2c4532b41e77e43ab40c1ffe07ced7815cd731a0c021

\Users\Admin\elv2.ooocccxxx

MD5 eef36d2e209df249fc8a2b371b32efd8
SHA1 ddf4c64d5162a51f19f84ae11b6b8be0c056c389
SHA256 507b6f41884566fa4c7e552953b1cfb7a6c2913926511e4a7980085489163fef
SHA512 b81f1a508e1840b51e7552342ee87d697d63481f3d24357b80b904ea7f09c183475ea1d75b0c7bfe6a9e2c4532b41e77e43ab40c1ffe07ced7815cd731a0c021

memory/524-79-0x0000000000000000-mapping.dmp

memory/1588-85-0x0000000000000000-mapping.dmp

memory/2000-90-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv3.ooocccxxx

MD5 99effcdd371092bf45673ee5b91b81b4
SHA1 7553f5050ed44d36c4f393860d2636ac97ed865a
SHA256 409528b0610c2a53ba8f343a3f674c25b3c03bc865d95204db76980d6815bc48
SHA512 45594e3e800d56e78a70f6ad45d6fd0243f3093647db40bc31b0257e7d473f8c07e4e978ae3f3f14b5ec81d3e34833b60fe06d80a563287fcaa021bc4755fcdc

memory/1368-94-0x0000000000000000-mapping.dmp

\Users\Admin\elv3.ooocccxxx

MD5 99effcdd371092bf45673ee5b91b81b4
SHA1 7553f5050ed44d36c4f393860d2636ac97ed865a
SHA256 409528b0610c2a53ba8f343a3f674c25b3c03bc865d95204db76980d6815bc48
SHA512 45594e3e800d56e78a70f6ad45d6fd0243f3093647db40bc31b0257e7d473f8c07e4e978ae3f3f14b5ec81d3e34833b60fe06d80a563287fcaa021bc4755fcdc

memory/2028-100-0x0000000000000000-mapping.dmp

memory/904-105-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv4.ooocccxxx

MD5 4095598a5e1c0cb57ee9137521fc935f
SHA1 01c7b799fba8cab7bc9d486fa2f5b0fd5f51004f
SHA256 6dc8324e6ff7f01ef9d6f3b310ce84d4acddd388a124ee1dcfa9e03246b74631
SHA512 3395b26c020359d6a801f97f3a767a0be04b0d766b257474e2b78f5426d79f6b3003f9c8091cdb1a24576909203067627c3f5ef6ec564e7b4816b9df0caf4228

\Users\Admin\elv4.ooocccxxx

MD5 4095598a5e1c0cb57ee9137521fc935f
SHA1 01c7b799fba8cab7bc9d486fa2f5b0fd5f51004f
SHA256 6dc8324e6ff7f01ef9d6f3b310ce84d4acddd388a124ee1dcfa9e03246b74631
SHA512 3395b26c020359d6a801f97f3a767a0be04b0d766b257474e2b78f5426d79f6b3003f9c8091cdb1a24576909203067627c3f5ef6ec564e7b4816b9df0caf4228

memory/1240-109-0x0000000000000000-mapping.dmp

memory/868-115-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-09 19:50

Reported

2022-11-09 19:54

Platform

win10v2004-20220812-en

Max time kernel

151s

Max time network

165s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\17.xls"

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process (4 events) | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Downloads MZ/PE file

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ArSUlwQhNNqCW.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\RwhrSrOnDATwdBElz\\ArSUlwQhNNqCW.dll\"" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1940 wrote to memory of 3500 (2 events) | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 1940 wrote to memory of 2328 (2 events) | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 3500 wrote to memory of 2344 (2 events) | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 2328 wrote to memory of 1652 (2 events) | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1940 wrote to memory of 3192 (2 events) | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 3192 wrote to memory of 4020 (2 events) | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1940 wrote to memory of 1528 (2 events) | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 1528 wrote to memory of 4408 (2 events) | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\system32\regsvr32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\17.xls"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GplWhrsyv\BDFVxwqSmJFOgtRE.dll"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KPRRLa\tladshhSUz.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RwhrSrOnDATwdBElz\ArSUlwQhNNqCW.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JyRkZe\AlFdQIogA.dll"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa | udp
GB | 51.132.193.104:443 | N/A | tcp
US | 8.8.8.8:53 | bundlefilm.com | udp
US | 74.207.252.187:80 | bundlefilm.com | tcp
NL | 87.248.202.1:80 | N/A | tcp
NL | 87.248.202.1:80 | N/A | tcp
US | 8.8.8.8:53 | camsanparke.net | udp
TR | 213.142.148.59:80 | camsanparke.net | tcp
US | 8.8.8.8:53 | royreid.co.uk | udp
GB | 77.68.64.0:80 | royreid.co.uk | tcp
US | 8.8.8.8:53 | cs.com.sg | udp
SG | 103.237.169.99:443 | cs.com.sg | tcp
KR | 218.38.121.17:443 | 218.38.121.17 | tcp
KR | 218.38.121.17:443 | 218.38.121.17 | tcp
KR | 218.38.121.17:443 | 218.38.121.17 | tcp
NL | 104.123.40.135:443 | N/A | tcp
BR | 186.250.48.5:443 | 186.250.48.5 | tcp
BR | 186.250.48.5:443 | 186.250.48.5 | tcp
IT | 80.211.107.116:8080 | 80.211.107.116 | tcp
IT | 80.211.107.116:8080 | 80.211.107.116 | tcp
US | 174.138.33.49:7080 | 174.138.33.49 | tcp
US | 174.138.33.49:7080 | 174.138.33.49 | tcp
SG | 165.22.254.236:8080 | N/A | tcp
SG | 165.22.254.236:8080 | N/A | tcp

Files

memory/1940-132-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

memory/1940-133-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

memory/1940-134-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

memory/1940-135-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

memory/1940-136-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

memory/1940-137-0x00007FFAB5780000-0x00007FFAB5790000-memory.dmp

memory/1940-138-0x00007FFAB5780000-0x00007FFAB5790000-memory.dmp

memory/3500-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv1.ooocccxxx

MD5 f438653780bf4822560e5d8d2e907185
SHA1 5d78b1857b07de375da8c0ed9d2cd148a6fc42d6
SHA256 2c89b7f2afe59fdb9048be6a46ca0b6d39c762e6425820ddeee83daeb5819f7e
SHA512 fd4dfdf444f524b53fda26d47ec1affc406c2d326c59e6c18e25bcaac1c5ef291adf9b72679d39e700d0f422559d57c9f8e53c19f37c2c89c0d1b80a96290402

memory/3500-142-0x0000000180000000-0x0000000180030000-memory.dmp

memory/2328-145-0x0000000000000000-mapping.dmp

memory/2344-147-0x0000000000000000-mapping.dmp

C:\Windows\System32\GplWhrsyv\BDFVxwqSmJFOgtRE.dll

MD5 f438653780bf4822560e5d8d2e907185
SHA1 5d78b1857b07de375da8c0ed9d2cd148a6fc42d6
SHA256 2c89b7f2afe59fdb9048be6a46ca0b6d39c762e6425820ddeee83daeb5819f7e
SHA512 fd4dfdf444f524b53fda26d47ec1affc406c2d326c59e6c18e25bcaac1c5ef291adf9b72679d39e700d0f422559d57c9f8e53c19f37c2c89c0d1b80a96290402

C:\Users\Admin\elv2.ooocccxxx

MD5 eef36d2e209df249fc8a2b371b32efd8
SHA1 ddf4c64d5162a51f19f84ae11b6b8be0c056c389
SHA256 507b6f41884566fa4c7e552953b1cfb7a6c2913926511e4a7980085489163fef
SHA512 b81f1a508e1840b51e7552342ee87d697d63481f3d24357b80b904ea7f09c183475ea1d75b0c7bfe6a9e2c4532b41e77e43ab40c1ffe07ced7815cd731a0c021

memory/1652-156-0x0000000000000000-mapping.dmp

C:\Windows\System32\KPRRLa\tladshhSUz.dll

MD5 eef36d2e209df249fc8a2b371b32efd8
SHA1 ddf4c64d5162a51f19f84ae11b6b8be0c056c389
SHA256 507b6f41884566fa4c7e552953b1cfb7a6c2913926511e4a7980085489163fef
SHA512 b81f1a508e1840b51e7552342ee87d697d63481f3d24357b80b904ea7f09c183475ea1d75b0c7bfe6a9e2c4532b41e77e43ab40c1ffe07ced7815cd731a0c021

memory/3192-161-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv3.ooocccxxx

MD5 99effcdd371092bf45673ee5b91b81b4
SHA1 7553f5050ed44d36c4f393860d2636ac97ed865a
SHA256 409528b0610c2a53ba8f343a3f674c25b3c03bc865d95204db76980d6815bc48
SHA512 45594e3e800d56e78a70f6ad45d6fd0243f3093647db40bc31b0257e7d473f8c07e4e978ae3f3f14b5ec81d3e34833b60fe06d80a563287fcaa021bc4755fcdc

memory/4020-167-0x0000000000000000-mapping.dmp

C:\Windows\System32\RwhrSrOnDATwdBElz\ArSUlwQhNNqCW.dll

MD5 99effcdd371092bf45673ee5b91b81b4
SHA1 7553f5050ed44d36c4f393860d2636ac97ed865a
SHA256 409528b0610c2a53ba8f343a3f674c25b3c03bc865d95204db76980d6815bc48
SHA512 45594e3e800d56e78a70f6ad45d6fd0243f3093647db40bc31b0257e7d473f8c07e4e978ae3f3f14b5ec81d3e34833b60fe06d80a563287fcaa021bc4755fcdc

memory/1528-172-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv4.ooocccxxx

MD5 4095598a5e1c0cb57ee9137521fc935f
SHA1 01c7b799fba8cab7bc9d486fa2f5b0fd5f51004f
SHA256 6dc8324e6ff7f01ef9d6f3b310ce84d4acddd388a124ee1dcfa9e03246b74631
SHA512 3395b26c020359d6a801f97f3a767a0be04b0d766b257474e2b78f5426d79f6b3003f9c8091cdb1a24576909203067627c3f5ef6ec564e7b4816b9df0caf4228

memory/4408-178-0x0000000000000000-mapping.dmp

C:\Windows\System32\JyRkZe\AlFdQIogA.dll

MD5 4095598a5e1c0cb57ee9137521fc935f
SHA1 01c7b799fba8cab7bc9d486fa2f5b0fd5f51004f
SHA256 6dc8324e6ff7f01ef9d6f3b310ce84d4acddd388a124ee1dcfa9e03246b74631
SHA512 3395b26c020359d6a801f97f3a767a0be04b0d766b257474e2b78f5426d79f6b3003f9c8091cdb1a24576909203067627c3f5ef6ec564e7b4816b9df0caf4228