Analysis Overview
SHA256
4a09548ed23227d26027e97ed1d9ef6c66f388327072bc9f298853e238d14d25
Threat Level: Known bad
The file 4a09548ed23227d26027e97ed1d9ef6c66f388327072bc9f298853e238d14d25.xls was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Emotet
Downloads MZ/PE file
Suspicious Office macro
Loads dropped DLL
Adds Run key to start application
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-10 11:01
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-10 11:01
Reported
2022-11-10 11:03
Platform
win10-20220901-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4a09548ed23227d26027e97ed1d9ef6c66f388327072bc9f298853e238d14d25.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bosny.com | udp |
| N/A | 100.119.88.223:443 | bosny.com | tcp |
| US | 8.8.8.8:53 | navylin.com | udp |
| N/A | 100.83.48.57:80 | navylin.com | tcp |
| US | 8.8.8.8:53 | asrani.garudaputih.com | udp |
| N/A | 100.88.143.216:80 | asrani.garudaputih.com | tcp |
| US | 8.8.8.8:53 | db.rikaz.tech | udp |
| N/A | 100.86.45.20:80 | db.rikaz.tech | tcp |
| IE | 20.50.80.210:443 | tcp | |
| NL | 8.248.7.254:80 | tcp |
Files
memory/4828-120-0x00007FF9500F0000-0x00007FF950100000-memory.dmp
memory/4828-121-0x00007FF9500F0000-0x00007FF950100000-memory.dmp
memory/4828-122-0x00007FF9500F0000-0x00007FF950100000-memory.dmp
memory/4828-123-0x00007FF9500F0000-0x00007FF950100000-memory.dmp
memory/4828-132-0x00007FF94CC80000-0x00007FF94CC90000-memory.dmp
memory/4828-133-0x00007FF94CC80000-0x00007FF94CC90000-memory.dmp
memory/4652-262-0x0000000000000000-mapping.dmp
memory/4704-265-0x0000000000000000-mapping.dmp
memory/4496-266-0x0000000000000000-mapping.dmp
memory/4396-267-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-10 11:01
Reported
2022-11-10 11:03
Platform
win10-20220812-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MkSeHVq.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\GQjSeIzlnHgpyGI\\MkSeHVq.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpNoFLKbj.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\WJEYdVLMHeUz\\hpNoFLKbj.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4a09548ed23227d26027e97ed1d9ef6c66f388327072bc9f298853e238d14d25.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WJEYdVLMHeUz\hpNoFLKbj.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GQjSeIzlnHgpyGI\MkSeHVq.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
Network
| Country | Destination | Domain | Proto |
| FR | 2.16.119.157:443 | tcp | |
| US | 8.8.8.8:53 | bosny.com | udp |
| TH | 203.151.59.20:443 | bosny.com | tcp |
| US | 8.8.8.8:53 | navylin.com | udp |
| CN | 47.92.133.65:80 | navylin.com | tcp |
| US | 20.42.65.90:443 | tcp | |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
| US | 8.8.8.8:53 | asrani.garudaputih.com | udp |
| SG | 51.79.133.157:80 | asrani.garudaputih.com | tcp |
| US | 8.8.8.8:53 | db.rikaz.tech | udp |
| DE | 135.125.230.197:80 | db.rikaz.tech | tcp |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
| US | 8.247.211.126:80 | tcp |
Files
memory/4660-116-0x00007FFE7FCC0000-0x00007FFE7FCD0000-memory.dmp
memory/4660-117-0x00007FFE7FCC0000-0x00007FFE7FCD0000-memory.dmp
memory/4660-118-0x00007FFE7FCC0000-0x00007FFE7FCD0000-memory.dmp
memory/4660-119-0x00007FFE7FCC0000-0x00007FFE7FCD0000-memory.dmp
memory/4660-128-0x00007FFE7C260000-0x00007FFE7C270000-memory.dmp
memory/4660-129-0x00007FFE7C260000-0x00007FFE7C270000-memory.dmp
memory/4804-257-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv1.ooocccxxx
| MD5 | 66b4491439355f09a830aaabb32dd6c7 |
| SHA1 | d0fa88a5246e077a31b3d28ddb454bfd01abc6a0 |
| SHA256 | 81c25740c8a58339de9cdb142b02a810e99db1b0f614d79ee8250f8829ad4a81 |
| SHA512 | f1eba1233e319e968aefaff0b600a4b0ddf474d888d3638b023f6eca159ac0babab0e538b0ba608dacfcc836c79b3ab986709e360a139b928ab1f594c7332e2f |
\Users\Admin\elv1.ooocccxxx
| MD5 | 66b4491439355f09a830aaabb32dd6c7 |
| SHA1 | d0fa88a5246e077a31b3d28ddb454bfd01abc6a0 |
| SHA256 | 81c25740c8a58339de9cdb142b02a810e99db1b0f614d79ee8250f8829ad4a81 |
| SHA512 | f1eba1233e319e968aefaff0b600a4b0ddf474d888d3638b023f6eca159ac0babab0e538b0ba608dacfcc836c79b3ab986709e360a139b928ab1f594c7332e2f |
memory/4804-260-0x00000000026E0000-0x000000000270E000-memory.dmp
memory/3924-268-0x0000000000000000-mapping.dmp
memory/476-274-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv2.ooocccxxx
| MD5 | aeb676d2fa1854a89f970736dbb6ebf7 |
| SHA1 | f937c2cd80d116c535113c9a1d85528de0df94ad |
| SHA256 | 5ae9ca3c9d45304810d3c3eb599a2e33e749e08984941b119ff0a85b8350dd7a |
| SHA512 | 9f4d0f94b84f299253a8014f9aef49391363e8a620cfecda87e20974190f24b318dfe48bde6ec09a4d63669655063552a6ed837e0f487cb4a373566684c66884 |
\Users\Admin\elv2.ooocccxxx
| MD5 | aeb676d2fa1854a89f970736dbb6ebf7 |
| SHA1 | f937c2cd80d116c535113c9a1d85528de0df94ad |
| SHA256 | 5ae9ca3c9d45304810d3c3eb599a2e33e749e08984941b119ff0a85b8350dd7a |
| SHA512 | 9f4d0f94b84f299253a8014f9aef49391363e8a620cfecda87e20974190f24b318dfe48bde6ec09a4d63669655063552a6ed837e0f487cb4a373566684c66884 |
memory/1164-282-0x0000000000000000-mapping.dmp
memory/3280-288-0x0000000000000000-mapping.dmp
memory/3300-289-0x0000000000000000-mapping.dmp
memory/4660-312-0x00007FFE7FCC0000-0x00007FFE7FCD0000-memory.dmp
memory/4660-313-0x00007FFE7FCC0000-0x00007FFE7FCD0000-memory.dmp
memory/4660-314-0x00007FFE7FCC0000-0x00007FFE7FCD0000-memory.dmp
memory/4660-315-0x00007FFE7FCC0000-0x00007FFE7FCD0000-memory.dmp