Analysis Overview
SHA256
bab1f7d9f9682defcb98a0b8e61cdeb4550a41ce31644ea0bb0c0bd4383a3460
Threat Level: Known bad
The file bab1f7d9f9682defcb98a0b8e61cdeb4550a41ce31644ea0bb0c0bd4383a3460.xls was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Emotet
Downloads MZ/PE file
Suspicious Office macro
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-10 10:18
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-10 10:18
Reported
2022-11-10 10:21
Platform
win10-20220901-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bab1f7d9f9682defcb98a0b8e61cdeb4550a41ce31644ea0bb0c0bd4383a3460.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bosny.com | udp |
| N/A | 100.121.66.61:443 | bosny.com | tcp |
| US | 8.8.8.8:53 | navylin.com | udp |
| N/A | 100.104.224.56:80 | navylin.com | tcp |
| US | 8.8.8.8:53 | asrani.garudaputih.com | udp |
| N/A | 100.110.135.43:80 | asrani.garudaputih.com | tcp |
| US | 8.8.8.8:53 | db.rikaz.tech | udp |
| N/A | 100.87.165.89:80 | db.rikaz.tech | tcp |
| NL | 20.50.201.195:443 | N/A | tcp |
| NL | 67.26.111.254:80 | N/A | tcp |
Files
memory/2956-120-0x00007FFDA1840000-0x00007FFDA1850000-memory.dmp
memory/2956-121-0x00007FFDA1840000-0x00007FFDA1850000-memory.dmp
memory/2956-122-0x00007FFDA1840000-0x00007FFDA1850000-memory.dmp
memory/2956-123-0x00007FFDA1840000-0x00007FFDA1850000-memory.dmp
memory/2956-132-0x00007FFD9DD80000-0x00007FFD9DD90000-memory.dmp
memory/2956-133-0x00007FFD9DD80000-0x00007FFD9DD90000-memory.dmp
memory/3792-256-0x0000000000000000-mapping.dmp
memory/5068-257-0x0000000000000000-mapping.dmp
memory/4948-258-0x0000000000000000-mapping.dmp
memory/4036-259-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-10 10:18
Reported
2022-11-10 10:21
Platform
win10-20220812-en
Max time kernel
138s
Max time network
150s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LbbCiOkLPobUgUF.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\KbJKHLZge\\LbbCiOkLPobUgUF.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tNfJlYZcw.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\LUvyIT\\tNfJlYZcw.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bab1f7d9f9682defcb98a0b8e61cdeb4550a41ce31644ea0bb0c0bd4383a3460.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KbJKHLZge\LbbCiOkLPobUgUF.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LUvyIT\tNfJlYZcw.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
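The process list above and the Run key values in the "Adds Run key to start application" table contain the three facts a detection engineer would key on: EXCEL.EXE spawning regsvr32.exe, regsvr32.exe loading a relative-path module with a non-DLL extension (`..\elv1.ooocccxxx` resolves against Excel's working directory, which matches the dropped file listed under Files as `C:\Users\Admin\elv1.ooocccxxx`), and regsvr32.exe itself writing a `CurrentVersion\Run` value whose command loads a DLL through regsvr32.exe again. The script below is an added example, not part of the sandbox report or of any vendor's tooling. It encodes those three checks over constructed events shaped like Sysmon Event ID 1 and 13 records; the command lines and registry data are copied from this page, while the PIDs, the explorer.exe parent of EXCEL.EXE and the two benign control events are assumptions.

```python
"""Triage checks for the process chain and persistence shown in this report.

Added example, not part of the sandbox report. Events are constructed in the
shape of Sysmon Event ID 1 (process create) and Event ID 13 (registry value
set); command lines and registry data come from the report, PIDs and the
explorer.exe parent of EXCEL.EXE are assumptions.
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}
DLL_EXTS = {".dll", ".ocx", ".ax"}          # what regsvr32 legitimately loads
ABS_PATH = re.compile(r"^(?:[a-z]:\\|\\\\)", re.I)   # drive letter or UNC
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)


@dataclass
class ProcEvent:            # Sysmon EID 1, only the fields the checks need
    pid: int
    image: str
    cmdline: str
    parent_image: str


@dataclass
class RegEvent:             # Sysmon EID 13, only the fields the checks need
    pid: int
    image: str
    target: str             # full path of the value that was written
    details: str            # the value data


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted arguments whole."""
    return [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def regsvr32_module(cmdline: str):
    """First non-switch argument of a regsvr32 command line (the module), or None."""
    for tok in tokens(cmdline)[1:]:
        if not tok.startswith(("/", "-")):
            return tok
    return None


def check_process(ev: ProcEvent) -> list:
    findings = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_PARENTS and child in LOLBINS:
        findings.append(f"office_spawns_lolbin: {parent} -> {child} (pid {ev.pid})")
    if child == "regsvr32.exe":
        mod = regsvr32_module(ev.cmdline)
        if mod is not None:
            name = basename(mod)
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext not in DLL_EXTS:                 # e.g. ..\elv1.ooocccxxx
                findings.append(f"regsvr32_non_dll_extension: {mod}")
            if not ABS_PATH.match(mod):             # relative to the parent's cwd
                findings.append(f"regsvr32_relative_path: {mod}")
    return findings


def check_registry(ev: RegEvent) -> list:
    if not RUN_KEY.search(ev.target):
        return []
    findings = []
    value_name = ev.target.rsplit("\\", 1)[-1]
    writer = basename(ev.image)
    toks = tokens(ev.details)
    launcher = basename(toks[0]) if toks else ""
    if writer in LOLBINS:                           # regsvr32 has no business writing Run keys
        findings.append(f"run_key_written_by_lolbin: {value_name} <- {writer} (pid {ev.pid})")
    if launcher in {"regsvr32.exe", "rundll32.exe"}:  # persistence that loads a DLL via a LOLBin
        findings.append(f"run_key_loads_dll_via_{launcher[:-4]}: {value_name} -> {regsvr32_module(ev.details)}")
    return findings


def triage(proc_events, reg_events) -> list:
    out = []
    for ev in proc_events:
        out.extend(check_process(ev))
    for ev in reg_events:
        out.extend(check_registry(ev))
    return out


EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
XLS = r"C:\Users\Admin\AppData\Local\Temp\bab1f7d9f9682defcb98a0b8e61cdeb4550a41ce31644ea0bb0c0bd4383a3460.xls"
SAMPLE_PROC = [   # constructed from the report's process list; PIDs are assumed
    ProcEvent(1, EXCEL, f'"{EXCEL}" "{XLS}"', r"C:\Windows\explorer.exe"),
    ProcEvent(2, r"C:\Windows\System32\regsvr32.exe",
              r"C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx", EXCEL),
    ProcEvent(3, r"C:\Windows\system32\regsvr32.exe",
              r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KbJKHLZge\LbbCiOkLPobUgUF.dll"',
              r"C:\Windows\System32\regsvr32.exe"),
    # constructed benign control: an installer registering a real control
    ProcEvent(4, r"C:\Windows\System32\regsvr32.exe",
              r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\ctl.ocx"',
              r"C:\Program Files\Vendor\setup.exe"),
]
SAMPLE_REG = [    # first row from the report's Run key table, second is a benign control
    RegEvent(3, r"C:\Windows\system32\regsvr32.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LbbCiOkLPobUgUF.dll",
             r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KbJKHLZge\LbbCiOkLPobUgUF.dll"'),
    RegEvent(4, r"C:\Program Files\Vendor\setup.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
             r'"C:\Program Files\Vendor\agent.exe" /background'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROC, SAMPLE_REG):
        print(finding)
```

The benign control events exercise the false-positive side: an installer calling regsvr32 with an absolute `.ocx` path and writing a Run value for its own executable produces no findings, while the chain from the report produces five. The relative-path and extension checks are deliberately separate from the parent-process check, so the second-stage regsvr32 launched from the Run key (whose parent is regsvr32, not Excel) is still caught by the registry check even though its own command line looks clean.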
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bosny.com | udp |
| TH | 203.151.59.20:443 | bosny.com | tcp |
| US | 20.189.173.13:443 | N/A | tcp |
| US | 8.8.8.8:53 | navylin.com | udp |
| CN | 47.92.133.65:80 | navylin.com | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
| US | 8.8.8.8:53 | asrani.garudaputih.com | udp |
| SG | 51.79.133.157:80 | asrani.garudaputih.com | tcp |
| US | 8.8.8.8:53 | db.rikaz.tech | udp |
| DE | 135.125.230.197:80 | db.rikaz.tech | tcp |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
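The two Network tables should not be copied into a blocklist as they stand. In behavioral1 every name resolved to an address in 100.64.0.0/10, the RFC 6598 shared address space, which cannot be a real Internet destination; that run was answering DNS itself, and only the queried names are indicators. In behavioral2 the same names resolved to routable addresses, one connection went to a bare IP (115.178.55.22:80, no DNS row), and several connections have no domain at all and need review before anyone blocks them. The script below is an added example, not part of the sandbox report, that applies exactly that triage to the rows on this page; the resolver list and the non-routable blocks are this example's assumptions, and the DNS rows repeated in behavioral2 are omitted because they are identical to those in behavioral1.

```python
"""Normalise the Network tables of this report into hunt-ready indicators.

Added example, not part of the sandbox report. Rows are copied from the two
behavioral runs on this page; the resolver set and the non-routable address
blocks below are assumptions of this example.
"""
import ipaddress

# Never a real Internet destination: RFC 1918 private space, RFC 6598 shared
# address space (100.64.0.0/10) and loopback. A sandbox that answers DNS
# itself hands out addresses like these, which is what behavioral1 shows.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "100.64.0.0/10", "127.0.0.0/8")]
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}


def parse_row(line: str) -> dict:
    """Parse one '| Country | Destination | Domain | Proto |' table row."""
    country, dest, domain, proto = [c.strip() for c in line.strip().strip("|").split("|")]
    ip, port = dest.rsplit(":", 1)
    return {
        "country": country, "ip": ip, "port": int(port), "proto": proto,
        "domain": None if domain in ("", "N/A", ip) else domain,
        "direct": domain == ip,            # the process connected to a bare IP
    }


def classify(row: dict) -> str:
    addr = ipaddress.ip_address(row["ip"])
    if row["ip"] in PUBLIC_RESOLVERS and row["port"] == 53:
        return "resolver"                  # DNS traffic; the queried name is the IOC
    if any(addr in net for net in NON_ROUTABLE):
        return "non_routable"              # sandbox artefact, never block this
    return "destination"


def extract_iocs(rows) -> dict:
    iocs = {"domains": set(), "ip_ports": set(), "direct_ip": set(),
            "unattributed": set(), "discarded": set()}
    for row in map(parse_row, rows):
        kind = classify(row)
        if row["domain"]:
            iocs["domains"].add(row["domain"])
        if kind == "resolver":
            continue
        if kind == "non_routable":
            iocs["discarded"].add(row["ip"])
        elif row["domain"]:
            iocs["ip_ports"].add((row["ip"], row["port"]))
        elif row["direct"]:
            iocs["direct_ip"].add((row["ip"], row["port"]))
        else:                              # no DNS context: review before blocking
            iocs["unattributed"].add((row["ip"], row["port"]))
    return iocs


def hunt_lines(iocs: dict) -> list:
    """Flat, sorted list for a blocklist or SIEM lookup; excludes the review buckets."""
    return sorted([f"domain {d}" for d in iocs["domains"]] +
                  [f"tcp {ip}:{p}" for ip, p in iocs["ip_ports"] | iocs["direct_ip"]])


SAMPLE_ROWS = [   # behavioral1 (sandbox-resolved) followed by behavioral2 (routable)
    "| US | 8.8.8.8:53 | bosny.com | udp |",
    "| N/A | 100.121.66.61:443 | bosny.com | tcp |",
    "| US | 8.8.8.8:53 | navylin.com | udp |",
    "| N/A | 100.104.224.56:80 | navylin.com | tcp |",
    "| US | 8.8.8.8:53 | asrani.garudaputih.com | udp |",
    "| N/A | 100.110.135.43:80 | asrani.garudaputih.com | tcp |",
    "| US | 8.8.8.8:53 | db.rikaz.tech | udp |",
    "| N/A | 100.87.165.89:80 | db.rikaz.tech | tcp |",
    "| NL | 20.50.201.195:443 | N/A | tcp |",
    "| NL | 67.26.111.254:80 | N/A | tcp |",
    "| TH | 203.151.59.20:443 | bosny.com | tcp |",
    "| US | 20.189.173.13:443 | N/A | tcp |",
    "| CN | 47.92.133.65:80 | navylin.com | tcp |",
    "| US | 93.184.221.240:80 | N/A | tcp |",
    "| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |",
    "| SG | 51.79.133.157:80 | asrani.garudaputih.com | tcp |",
    "| DE | 135.125.230.197:80 | db.rikaz.tech | tcp |",
]

if __name__ == "__main__":
    result = extract_iocs(SAMPLE_ROWS)
    for line in hunt_lines(result):
        print(line)
    print("review:", sorted(result["unattributed"]), "discarded:", sorted(result["discarded"]))
```

`hunt_lines` intentionally leaves out both review buckets: the four 100.64.0.0/10 addresses are discarded outright, and the four connections with no domain are kept separately so an analyst can decide whether they are part of the infection or background traffic of the analysis VM.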
Files
memory/3528-118-0x00007FF851770000-0x00007FF851780000-memory.dmp
memory/3528-119-0x00007FF851770000-0x00007FF851780000-memory.dmp
memory/3528-120-0x00007FF851770000-0x00007FF851780000-memory.dmp
memory/3528-121-0x00007FF851770000-0x00007FF851780000-memory.dmp
memory/3528-130-0x00007FF84DFE0000-0x00007FF84DFF0000-memory.dmp
memory/3528-131-0x00007FF84DFE0000-0x00007FF84DFF0000-memory.dmp
memory/488-283-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv1.ooocccxxx
| MD5 | f84e4a08139f4d10143eb8a2cc848c5a |
| SHA1 | eb9f11f6b81d879aea3d072eb12e853e2e52ea31 |
| SHA256 | 4f49b622a423bf1583fe4c46917254068e9d15c2f6ba6ac4642b8e238d8f8d4d |
| SHA512 | d6022c6a9931eae5f63d077663e3f3205cd5bb7f35d30244dbd5df5c317d944a423bc55b659280cc811b12434322e6238349e37bbffe9fe418059e573b20f6a7 |
\Users\Admin\elv1.ooocccxxx
| MD5 | f84e4a08139f4d10143eb8a2cc848c5a |
| SHA1 | eb9f11f6b81d879aea3d072eb12e853e2e52ea31 |
| SHA256 | 4f49b622a423bf1583fe4c46917254068e9d15c2f6ba6ac4642b8e238d8f8d4d |
| SHA512 | d6022c6a9931eae5f63d077663e3f3205cd5bb7f35d30244dbd5df5c317d944a423bc55b659280cc811b12434322e6238349e37bbffe9fe418059e573b20f6a7 |
memory/488-286-0x0000000002A10000-0x0000000002A3E000-memory.dmp
memory/1160-294-0x0000000000000000-mapping.dmp
memory/1748-300-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv2.ooocccxxx
| MD5 | 7b447808b85ea687ebe67889de9f097a |
| SHA1 | 79cdca603375b8df5dbdce72be9221625af3d334 |
| SHA256 | 1e0f3ef4743c30ba309c426a382b42c64c9fdbd56f3d00e6b7ea5fb8729724ad |
| SHA512 | 4c905c52958d035dca0287c293b5578da77ecd03505fa44b969dcd52d6f7b74537366448989d58683ca8d1cd6ba8a5199a6917c2b28ff0a28fa2f1fda5280bbb |
\Users\Admin\elv2.ooocccxxx
| MD5 | 7b447808b85ea687ebe67889de9f097a |
| SHA1 | 79cdca603375b8df5dbdce72be9221625af3d334 |
| SHA256 | 1e0f3ef4743c30ba309c426a382b42c64c9fdbd56f3d00e6b7ea5fb8729724ad |
| SHA512 | 4c905c52958d035dca0287c293b5578da77ecd03505fa44b969dcd52d6f7b74537366448989d58683ca8d1cd6ba8a5199a6917c2b28ff0a28fa2f1fda5280bbb |
memory/3336-308-0x0000000000000000-mapping.dmp
memory/1612-314-0x0000000000000000-mapping.dmp
memory/2252-315-0x0000000000000000-mapping.dmp
memory/3528-340-0x00007FF851770000-0x00007FF851780000-memory.dmp
memory/3528-341-0x00007FF851770000-0x00007FF851780000-memory.dmp
memory/3528-342-0x00007FF851770000-0x00007FF851780000-memory.dmp
memory/3528-343-0x00007FF851770000-0x00007FF851780000-memory.dmp