Analysis

max time kernel: 151s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2022, 21:11
Behavioral task behavioral1
Sample: 8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63.xls
Resource: win7-20220812-en

Behavioral task behavioral2
Sample: 8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63.xls
Resource: win10v2004-20220812-en
General

Target: 8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63.xls
Size: 91KB
MD5: c923d2a2d9c4193171d80a850babe90a
SHA1: 8e729e6fe2491b6566a3f41973c8891423c5ac3b
SHA256: 8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63
SHA512: 4058f7dc49889aa04e8168f7e2471c327014842a5cfffe605d1cb74a9dfd5588a6ae9fdfebbbc2d43a8087698bd415439485502423319519a53f85512c00ca19
SSDEEP: 1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgsbCXuZH4gb4CEn9J4Z3ip:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgL
Malware Config

Extracted URLs:
http://cubicegg.asia/assets/hQlJfFO/
http://darwinistic.com/icon/pvxwXfuOXowTDDg/
http://devinagallagher.com/NSA/BVks/
http://brittknight.com/PHP/qy6/

Extracted: emotet, Epoch4
Signatures

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1440 | 2412 | regsvr32.exe | 78
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2180 | 2412 | regsvr32.exe | 78
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3856 | 2412 | regsvr32.exe | 78
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2936 | 2412 | regsvr32.exe | 78

Downloads MZ/PE file

Loads dropped DLL (6 IoCs)
pid | Process
1440 | regsvr32.exe
1660 | regsvr32.exe
2180 | regsvr32.exe
4972 | regsvr32.exe
3856 | regsvr32.exe
4176 | regsvr32.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sjCsxfMPtvHd.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\LipmV\\sjCsxfMPtvHd.dll\"" | regsvr32.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
2412 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process
1440 | regsvr32.exe (×2)
1660 | regsvr32.exe (×4)
2180 | regsvr32.exe (×2)
4972 | regsvr32.exe (×4)
3856 | regsvr32.exe (×2)
4176 | regsvr32.exe (×4)

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
2412 | EXCEL.EXE (×12)

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 2412 wrote to memory of 1440 | 2412 | EXCEL.EXE | 81 (×2)
PID 1440 wrote to memory of 1660 | 1440 | regsvr32.exe | 82 (×2)
PID 2412 wrote to memory of 2180 | 2412 | EXCEL.EXE | 84 (×2)
PID 2180 wrote to memory of 4972 | 2180 | regsvr32.exe | 85 (×2)
PID 2412 wrote to memory of 3856 | 2412 | EXCEL.EXE | 86 (×2)
PID 3856 wrote to memory of 4176 | 3856 | regsvr32.exe | 87 (×2)
PID 2412 wrote to memory of 2936 | 2412 | EXCEL.EXE | 88 (×2)
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2412)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\regsvr32.exe (PID 1440)
    C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 1660)
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Srohl\HEYFPyP.dll"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\regsvr32.exe (PID 2180)
    C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 4972)
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LipmV\sjCsxfMPtvHd.dll"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\regsvr32.exe (PID 3856)
    C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
    - Process spawned unexpected child process
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe (PID 4176)
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FLdtVVYrZQYHDn\gSXNoh.dll"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\regsvr32.exe (PID 2936)
    C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
    - Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 855KB
MD5: e4d4ddbb48b7c5d8d04e64bcfd241162
SHA1: 841cb873109728065ff3907e0a19af8d4b363b6b
SHA256: 220d0bf5b02e2405afdb47c3569ca1bbc5770d7226a5479a01742ac26619e928
SHA512: 8133893139c8e680416adbe5ae7e8dd789508cf5bc5d68ad36afcb7e43f43460e5c2947b4ec8605043d4290c5f0caffd745533ea55b788396cb45e3f0919448d

Filesize: 855KB
MD5: 1209ebba5bb4117ee10b719ddba8b7c4
SHA1: 7454dbf8268ce69d0d256d103808bd7e5c744662
SHA256: 75fecc5c2b56359a9743030058046081f3011a518a3900de442181c6d0f81c7e
SHA512: f2c27d530232ddb9b9c258cfbbb10a36cd4c26b9b9a2b51f6d30ba0b177ee972b811c267bf25b88783faffc31b7139147b1cf4114e7ea73bc3ee6b7365a5ff28

Filesize: 573KB
MD5: 9b3be6dd84a212ea83fb3a7c184dbb07
SHA1: fb60c9c114bac54c83cccc2e0ddc6f85e3eeae13
SHA256: 4e1c2fcbd27ebf54e55c0c69c855a32110bc86196de3dc03253ad4241eda6e03
SHA512: f136dd003d092102c38eb6e0a9a8a917866d27a7b5d5062778712cd55ba9f9b1e64bed4b1dd67aa39dcef8c639b96e7760e0cf21fbc516f5b4dd779ecc5c6427