Analysis
max time kernel: 152s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2022, 19:51
Behavioral task: behavioral1
Sample: 0911.xls
Resource: win7-20220812-en (the task list as captured names a Windows 7 resource; the run detailed in this report is the win10v2004-20220812-en one listed under Analysis)
General
Target: 0911.xls
Size: 91KB
MD5: d686700342ca2e512f2c0db4f2c091fe
SHA1: 7311c4dda1d12ec68e491ab8b62b7500c78cb778
SHA256: 699b70644f54d0a8b1bd3127ef6770c6c19f0de82087ad76108a0d68055c2ba1
SHA512: 34b30785dc117b4a1b2230f2b5af1b745c0f5ce736fc31ca84e1bcc9b24191dbbe72662196d2b328cb533e161c9a435d42a3ff469b9a125c291a97eaf1c727ee
SSDEEP: 1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgEbCXuZH4gb4CEn9J4ZwEM:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgJ
Malware Config

Extracted URLs:
http://www.muyehuayi.com/cmp/8asA99KPsyA/v6lUsWbLen/
http://concivilpa.com.py/wp-admin/i3CQu9dzDrMW/

Extracted config: emotet (botnet Epoch5)
C2 servers (ip:port):
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
37.44.244.177:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
83.229.80.93:8080
93.104.209.107:8080
80.211.107.116:8080
165.22.254.236:8080
104.244.79.94:443
185.148.169.10:8080
190.145.8.4:443
175.126.176.79:8080
139.59.80.108:8080
188.165.79.151:443
128.199.217.206:443
64.227.55.231:8080
218.38.121.17:443
103.71.99.57:8080
103.224.241.74:8080
128.199.242.164:8080
85.214.67.203:8080
103.254.12.236:7080
46.101.98.60:8080
178.62.112.199:8080
210.57.209.142:8080
195.77.239.39:8080
103.126.216.86:443
82.98.180.154:7080
202.28.34.99:8080
174.138.33.49:7080
160.16.143.191:8080
51.75.33.122:443
103.41.204.169:8080
186.250.48.5:443
87.106.97.83:7080
118.98.72.86:443
196.44.98.190:8080
103.85.95.4:8080
62.171.178.147:8080
54.37.228.122:443
114.79.130.68:443
198.199.70.22:8080
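The extracted URLs and the Epoch5 C2 list above are directly usable as network IOCs. The block below is an added example, not output of the sandbox or part of the report: it parses a subset of the C2 list in the report's ip:port form, takes the hostnames of the two extracted URLs, and scores constructed flow-log lines against them. The log line format, the workstation address 10.0.0.23 and the destination addresses 198.51.100.5 and 203.0.113.10 are made up for the example.

```python
"""Turn the extracted Emotet config into matchable IOCs and run them over flow logs.

Added example for this report, not part of the sandbox's tooling.  The C2
entries are a subset copied from the Epoch5 list in the report; the log
lines and the non-C2 addresses in them are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# The two URLs extracted from the document (copied from the report).
EXTRACTED_URLS = [
    "http://www.muyehuayi.com/cmp/8asA99KPsyA/v6lUsWbLen/",
    "http://concivilpa.com.py/wp-admin/i3CQu9dzDrMW/",
]

# Subset of the Epoch5 C2 list, in the same ip:port form the report uses.
# The full list can be pasted in here unchanged.
EPOCH5_C2_TEXT = """
178.238.225.252:8080
139.196.72.155:8080
36.67.23.59:443
103.56.149.105:8080
85.25.120.45:8080
202.134.4.210:7080
78.47.204.80:443
198.199.70.22:8080
"""


def parse_c2_list(text: str) -> set[tuple[str, int]]:
    """Parse 'ip:port' lines into (ip, port) pairs, rejecting malformed entries."""
    out: set[tuple[str, int]] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError on a typo in the list
        out.add((host, int(port)))
    return out


def download_hosts(urls: list[str]) -> set[str]:
    """Hostnames of the payload URLs, lower-cased for matching against HTTP Host / SNI."""
    return {urlsplit(u).hostname.lower() for u in urls}


C2 = parse_c2_list(EPOCH5_C2_TEXT)
C2_IPS = {ip for ip, _ in C2}
DL_HOSTS = download_hosts(EXTRACTED_URLS)

# Constructed log format: "<ts> <src_ip> -> <dst_ip>:<dst_port> [host=<http-host-or-sni>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)(?: host=(?P<host>\S+))?$"
)


def classify_line(line: str) -> tuple[str, str] | None:
    """Return (severity, reason) for a log line that touches a known IOC, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dst, port, host = m["dst"], int(m["port"]), (m["host"] or "").lower()
    if (dst, port) in C2:  # exact address+port pair from the config
        return ("high", f"Emotet Epoch5 C2 {dst}:{port}")
    if host and host in DL_HOSTS:  # the document's payload download host
        return ("high", f"payload download host {host}")
    if dst in C2_IPS:  # same address, different port: worth a look, not a verdict
        return ("medium", f"C2 address {dst} on unexpected port {port}")
    return None


def scan(lines: list[str]) -> list[tuple[str, str, str]]:
    """Run classify_line over a log and return (line, severity, reason) hits in order."""
    hits = []
    for line in lines:
        verdict = classify_line(line)
        if verdict:
            hits.append((line.strip(), verdict[0], verdict[1]))
    return hits


SAMPLE_LOG = [  # constructed; 10.0.0.23 is a hypothetical workstation
    "2022-09-11T19:52:01Z 10.0.0.23 -> 198.51.100.5:443 host=www.microsoft.com",
    "2022-09-11T19:52:03Z 10.0.0.23 -> 203.0.113.10:80 host=www.muyehuayi.com",
    "2022-09-11T19:52:20Z 10.0.0.23 -> 178.238.225.252:8080",
    "2022-09-11T19:52:25Z 10.0.0.23 -> 36.67.23.59:443",
    "2022-09-11T19:52:30Z 10.0.0.23 -> 85.25.120.45:22",
    "2022-09-11T19:53:00Z 10.0.0.23 -> 8.8.8.8:53",
]

if __name__ == "__main__":
    for line, severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}: {line}")
```

Address-and-port matches are scored high because the config binds the two together; a hit on the address alone on another port is down-rated to medium, since a C2 host may also carry unrelated traffic. The download-host match keys on the HTTP Host or SNI value rather than the resolved address, because the URL list in the report carries no addresses.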
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1840 | 4584 | regsvr32.exe | 78
The unexpected child is regsvr32.exe (PID 1840), launched by EXCEL.EXE (PID 4584) with /S (silent, no dialog) against ..\elv1.ooocccxxx, a relative path whose extension is not .dll. Office launching regsvr32.exe at all, and regsvr32.exe registering a non-.dll file, are each worth a detection regardless of what the file turns out to contain.

Downloads MZ/PE file
(no IoCs listed for this signature)

Loads dropped DLL (2 IoCs)
pid | Process
1840 | regsvr32.exe
2616 | regsvr32.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Both registry signatures are attributed to EXCEL.EXE itself, not to the regsvr32.exe loaders; these signatures also fire on benign Office documents, so on their own they are weak evidence. The process chain is the stronger signal in this report.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
4584 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1840 | regsvr32.exe (2 events)
2616 | regsvr32.exe (4 events)

Suspicious use of SetWindowsHookEx (9 IoCs)
pid | Process
4584 | EXCEL.EXE (9 events)

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 4584 wrote to memory of 1840 | 4584 | EXCEL.EXE | 87 (2 events)
PID 1840 wrote to memory of 2616 | 1840 | regsvr32.exe | 88 (2 events)
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4584)
   "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0911.xls"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\regsvr32.exe (PID 1840, parent 4584)
      C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\regsvr32.exe (PID 2616, parent 1840)
         C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YxwFFfAoZ\xpkWf.dll"
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
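The chain above (EXCEL.EXE spawning regsvr32.exe /S against a non-.dll file, then that regsvr32.exe spawning a second one to register a DLL from a subdirectory of System32) is what a process-creation rule should catch before the payload does anything. The following is an added example, not part of the sandbox report or its tooling: a small Python detector over Sysmon Event ID 1-style events. The events are constructed to mirror the report's tree (PIDs 4584, 1840, 2616 and their command lines); the parent PID 1234 for Excel, the benign regsvr32 control event (PID 5000) and its vendor DLL path are hypothetical.

```python
"""Process-tree rules for the EXCEL.EXE -> regsvr32.exe -> regsvr32.exe chain.

Added example for this report; not part of the sandbox's own signatures.
Input is a list of process-creation events in a Sysmon Event ID 1-like shape
(pid, ppid, image path, command line).  SAMPLE_EVENTS is constructed to
mirror the report's process tree plus one benign control event.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Signed system binaries that an Office application has no business launching.
SUSPICIOUS_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
REGISTRABLE_EXT = {".dll", ".ocx", ".ax"}
SYSTEM32 = r"c:\windows\system32"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def analyze(events: list[ProcEvent]) -> list[Finding]:
    """Apply four rules to each event; parents are resolved by PID within the batch."""
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        child = basename(e.image)
        # Rule 1: an Office application spawned a living-off-the-land binary.
        if parent and basename(parent.image) in OFFICE_IMAGES and child in SUSPICIOUS_CHILDREN:
            findings.append(Finding(e.pid, "office_spawns_lolbin",
                                    f"{basename(parent.image)} (pid {parent.pid}) -> {child}"))
        if child != "regsvr32.exe":
            continue
        args = split_cmdline(e.cmdline)[1:]
        silent = any(a.lower() == "/s" for a in args)
        for target in (a for a in args if not a.startswith("/")):
            ext = ntpath.splitext(target)[1].lower()
            # Rule 2: regsvr32 pointed at a file that is not a DLL/OCX by extension.
            if ext not in REGISTRABLE_EXT:
                findings.append(Finding(e.pid, "regsvr32_non_dll_target",
                                        f"target {target!r} ext {ext!r} silent={silent}"))
            # Rule 3: DLL registered from a subdirectory of System32, not System32 itself.
            low = target.lower()
            if low.startswith(SYSTEM32 + "\\") and "\\" in low[len(SYSTEM32) + 1:]:
                findings.append(Finding(e.pid, "regsvr32_system32_subdir", f"target {target!r}"))
        # Rule 4: regsvr32 launched by regsvr32 (loader re-launching its installed copy).
        if parent and basename(parent.image) == "regsvr32.exe":
            findings.append(Finding(e.pid, "regsvr32_chain", f"parent pid {parent.pid}"))
    return findings


SAMPLE_EVENTS = [  # constructed to mirror the report's tree; ppid 1234 is hypothetical
    ProcEvent(4584, 1234, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0911.xls"'),
    ProcEvent(1840, 4584, r"C:\Windows\System32\regsvr32.exe",
              r"C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx"),
    ProcEvent(2616, 1840, r"C:\Windows\system32\regsvr32.exe",
              r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YxwFFfAoZ\xpkWf.dll"'),
    # Hypothetical benign control: an installer-style DLL registration outside Office.
    ProcEvent(5000, 1234, r"C:\Windows\System32\regsvr32.exe",
              r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

Rule 3 is deliberately left without an allowlist so the report's path is flagged; in production it needs one for the legitimate System32 subdirectories (wbem, drivers and the like) or it will be noisy. Rules 1 and 2 need no such tuning: an Office parent for regsvr32.exe, or a regsvr32.exe target without a registrable extension, is rare enough on a workstation fleet to alert on directly.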
Network
MITRE ATT&CK Enterprise v6
Downloads

The same file is listed three times in the report, with identical size and hashes:
Filesize: 434KB
MD5: de7cd2d114263b25ae1c8a5a3329d052
SHA1: 579265b7f8f8efc7e2bf2dc86529bd700a972e67
SHA256: 852095de883291fc3f0368c5540e49c1d25fb12d678a1a14a5c576169870a33b
SHA512: 37ce20fb163fe3d10d9dadc7e315907363a963cb9277e51e9c7ffb4686195df18a64af66199572fd8272bea5ae8c6380ab4d16f0bdfb3a378bca88adce6159f4