Analysis Overview
SHA256
eb528449a2251cc848ff621d6763e342c5a74a96ad170ae7d4aa542975c6e4c1
Threat Level: Known bad
The file eb528449a2251cc848ff621d6763e342c5a74a96ad170ae7d4aa542975c6e4c1.xls was found to be: Known bad.
Malicious Activity Summary
Emotet
Process spawned unexpected child process
Suspicious Office macro
Downloads MZ/PE file
Loads dropped DLL
Adds Run key to start application
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-10 10:24
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-10 10:24
Reported
2022-11-10 10:27
Platform
win10-20220901-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\eb528449a2251cc848ff621d6763e342c5a74a96ad170ae7d4aa542975c6e4c1.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.conceptagency.net | udp |
| N/A | 100.99.182.250:443 | www.conceptagency.net | tcp |
| US | 8.8.8.8:53 | bencevendeghaz.hu | udp |
| N/A | 100.111.175.145:443 | bencevendeghaz.hu | tcp |
| SG | 45.32.114.141:80 | 45.32.114.141 | tcp |
| US | 8.8.8.8:53 | ruitaiwz.com | udp |
| N/A | 100.110.205.112:80 | ruitaiwz.com | tcp |
| US | 20.44.10.122:443 | tcp | |
| US | 93.184.221.240:80 | tcp |
Files
memory/5088-120-0x00007FFF4CAC0000-0x00007FFF4CAD0000-memory.dmp
memory/5088-121-0x00007FFF4CAC0000-0x00007FFF4CAD0000-memory.dmp
memory/5088-122-0x00007FFF4CAC0000-0x00007FFF4CAD0000-memory.dmp
memory/5088-123-0x00007FFF4CAC0000-0x00007FFF4CAD0000-memory.dmp
memory/5088-132-0x00007FFF49220000-0x00007FFF49230000-memory.dmp
memory/5088-133-0x00007FFF49220000-0x00007FFF49230000-memory.dmp
memory/4268-256-0x0000000000000000-mapping.dmp
memory/4072-259-0x0000000000000000-mapping.dmp
memory/4000-260-0x0000000000000000-mapping.dmp
memory/3184-261-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-10 10:24
Reported
2022-11-10 10:27
Platform
win10-20220901-en
Max time kernel
148s
Max time network
128s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XSCHGrCTJuBKWUby.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\NvmvmXOQKssO\\XSCHGrCTJuBKWUby.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dTyjWmWssaz.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\FueKggEFpb\\dTyjWmWssaz.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BoRrNTQx.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\QgUyEB\\BoRrNTQx.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\eb528449a2251cc848ff621d6763e342c5a74a96ad170ae7d4aa542975c6e4c1.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QgUyEB\BoRrNTQx.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NvmvmXOQKssO\XSCHGrCTJuBKWUby.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FueKggEFpb\dTyjWmWssaz.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.conceptagency.net | udp |
| DE | 149.102.137.213:443 | www.conceptagency.net | tcp |
| US | 8.8.8.8:53 | bencevendeghaz.hu | udp |
| HU | 185.6.139.30:443 | bencevendeghaz.hu | tcp |
| SG | 45.32.114.141:80 | tcp | |
| US | 8.8.8.8:53 | ruitaiwz.com | udp |
| HK | 45.207.116.84:80 | ruitaiwz.com | tcp |
| US | 20.42.73.27:443 | tcp | |
| NL | 84.53.175.11:80 | tcp | |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
Files
memory/2732-120-0x00007FFC91840000-0x00007FFC91850000-memory.dmp
memory/2732-121-0x00007FFC91840000-0x00007FFC91850000-memory.dmp
memory/2732-122-0x00007FFC91840000-0x00007FFC91850000-memory.dmp
memory/2732-123-0x00007FFC91840000-0x00007FFC91850000-memory.dmp
memory/2732-132-0x00007FFC8E0F0000-0x00007FFC8E100000-memory.dmp
memory/2732-133-0x00007FFC8E0F0000-0x00007FFC8E100000-memory.dmp
memory/4960-256-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv1.ooocccxxx
| MD5 | fcb7fc030074ba06176519bec61a1267 |
| SHA1 | 3f037fef167ff2afeca1084c65b06241f7d02033 |
| SHA256 | 38764360540702e0bd35871ec9788760d9c121358a4cdd94331eb28e573670ad |
| SHA512 | 7db49569c035393cb5827ce7ddac93b9948c0b719aa9b3a5360a45845909d881dd13b4ba6ec9a67247e9861c4c3582a91a3e0ac07ec951d345c49451f5ba0d90 |
\Users\Admin\elv1.ooocccxxx
| MD5 | fcb7fc030074ba06176519bec61a1267 |
| SHA1 | 3f037fef167ff2afeca1084c65b06241f7d02033 |
| SHA256 | 38764360540702e0bd35871ec9788760d9c121358a4cdd94331eb28e573670ad |
| SHA512 | 7db49569c035393cb5827ce7ddac93b9948c0b719aa9b3a5360a45845909d881dd13b4ba6ec9a67247e9861c4c3582a91a3e0ac07ec951d345c49451f5ba0d90 |
memory/4960-259-0x0000000000BC0000-0x0000000000BEE000-memory.dmp
memory/4488-265-0x0000000000000000-mapping.dmp
memory/4612-275-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv2.ooocccxxx
| MD5 | e13fecff6dc982531324cdba4f224d1d |
| SHA1 | 0de9ca7b8770ce588684237d2739d456bc64dade |
| SHA256 | 78b7f834255ee4c7e897393c70172de692415c784bcaeedf1cd304fe1ce401e0 |
| SHA512 | 0e159d00676d286d104631f80a1989e308037fde82ddae495628866a1ad49059705fb9c47d7f612a108bbbb0d3f540695782dec3c4b389a56c4ac91a28a8653b |
\Users\Admin\elv2.ooocccxxx
| MD5 | e13fecff6dc982531324cdba4f224d1d |
| SHA1 | 0de9ca7b8770ce588684237d2739d456bc64dade |
| SHA256 | 78b7f834255ee4c7e897393c70172de692415c784bcaeedf1cd304fe1ce401e0 |
| SHA512 | 0e159d00676d286d104631f80a1989e308037fde82ddae495628866a1ad49059705fb9c47d7f612a108bbbb0d3f540695782dec3c4b389a56c4ac91a28a8653b |
memory/4404-286-0x0000000000000000-mapping.dmp
memory/3088-294-0x0000000000000000-mapping.dmp
memory/4744-295-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv4.ooocccxxx
| MD5 | 92a3f6911635438f39de4bae33cc6fa2 |
| SHA1 | a1d0c269e83f262bd665fadabd9521372c9d86e7 |
| SHA256 | e9a6ea8caed6cf87ba761f830065fbd710ac0a1cc5ca6551e8901e490e3eca00 |
| SHA512 | b79b9b05c72aeb2868a2581eff03beeca4b277eb1ffe9784f873a2426cf39dcd9070e37daef9722b39f53e95fa86bc28ab302252f9b95801c6cf828253120a04 |
\Users\Admin\elv4.ooocccxxx
| MD5 | 92a3f6911635438f39de4bae33cc6fa2 |
| SHA1 | a1d0c269e83f262bd665fadabd9521372c9d86e7 |
| SHA256 | e9a6ea8caed6cf87ba761f830065fbd710ac0a1cc5ca6551e8901e490e3eca00 |
| SHA512 | b79b9b05c72aeb2868a2581eff03beeca4b277eb1ffe9784f873a2426cf39dcd9070e37daef9722b39f53e95fa86bc28ab302252f9b95801c6cf828253120a04 |
memory/1504-303-0x0000000000000000-mapping.dmp