Analysis Overview
SHA256
90ad0d3775eeeaa81b6a26513c7845bbcdd3cae22784e8f8c9e1207ac5015319
Threat Level: Known bad
The file 90ad0d3775eeeaa81b6a26513c7845bbcdd3cae22784e8f8c9e1207ac5015319.xls was found to be: Known bad.
Malicious Activity Summary
Emotet
Process spawned unexpected child process
Suspicious Office macro
Downloads MZ/PE file
Loads dropped DLL
Adds Run key to start application
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-10 10:27
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-10 10:27
Reported
2022-11-10 10:29
Platform
win10-20220901-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\90ad0d3775eeeaa81b6a26513c7845bbcdd3cae22784e8f8c9e1207ac5015319.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.conceptagency.net | udp |
| N/A | 100.73.71.196:443 | www.conceptagency.net | tcp |
| US | 8.8.8.8:53 | bencevendeghaz.hu | udp |
| N/A | 100.98.142.30:443 | bencevendeghaz.hu | tcp |
| SG | 45.32.114.141:80 | 45.32.114.141 | tcp |
| US | 8.8.8.8:53 | ruitaiwz.com | udp |
| N/A | 100.89.233.172:80 | ruitaiwz.com | tcp |
| IE | 20.50.80.210:443 | tcp | |
| NL | 8.248.7.254:80 | tcp |
Files
memory/4832-120-0x00007FF9500F0000-0x00007FF950100000-memory.dmp
memory/4832-121-0x00007FF9500F0000-0x00007FF950100000-memory.dmp
memory/4832-122-0x00007FF9500F0000-0x00007FF950100000-memory.dmp
memory/4832-123-0x00007FF9500F0000-0x00007FF950100000-memory.dmp
memory/4832-132-0x00007FF94CC80000-0x00007FF94CC90000-memory.dmp
memory/4832-133-0x00007FF94CC80000-0x00007FF94CC90000-memory.dmp
memory/5100-256-0x0000000000000000-mapping.dmp
memory/4436-259-0x0000000000000000-mapping.dmp
memory/4200-260-0x0000000000000000-mapping.dmp
memory/4492-261-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-10 10:27
Reported
2022-11-10 10:29
Platform
win10-20220812-en
Max time kernel
101s
Max time network
131s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MrsqxYkQlUTuMgH.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\JttCGFth\\MrsqxYkQlUTuMgH.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WFYlWDLmqlueMnn.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\GkiPiSUSKwqq\\WFYlWDLmqlueMnn.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yVmqLMEmmQ.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\XIjrxae\\yVmqLMEmmQ.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\90ad0d3775eeeaa81b6a26513c7845bbcdd3cae22784e8f8c9e1207ac5015319.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JttCGFth\MrsqxYkQlUTuMgH.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GkiPiSUSKwqq\WFYlWDLmqlueMnn.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XIjrxae\yVmqLMEmmQ.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.conceptagency.net | udp |
| DE | 149.102.137.213:443 | www.conceptagency.net | tcp |
| US | 8.8.8.8:53 | bencevendeghaz.hu | udp |
| HU | 185.6.139.30:443 | bencevendeghaz.hu | tcp |
| SG | 45.32.114.141:80 | tcp | |
| US | 8.8.8.8:53 | ruitaiwz.com | udp |
| HK | 45.207.116.84:80 | ruitaiwz.com | tcp |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
| US | 20.189.173.1:443 | tcp | |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
Files
memory/2452-118-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp
memory/2452-119-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp
memory/2452-120-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp
memory/2452-121-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp
memory/2452-130-0x00007FF7E4140000-0x00007FF7E4150000-memory.dmp
memory/2452-131-0x00007FF7E4140000-0x00007FF7E4150000-memory.dmp
memory/4328-254-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv1.ooocccxxx
| MD5 | fcb7fc030074ba06176519bec61a1267 |
| SHA1 | 3f037fef167ff2afeca1084c65b06241f7d02033 |
| SHA256 | 38764360540702e0bd35871ec9788760d9c121358a4cdd94331eb28e573670ad |
| SHA512 | 7db49569c035393cb5827ce7ddac93b9948c0b719aa9b3a5360a45845909d881dd13b4ba6ec9a67247e9861c4c3582a91a3e0ac07ec951d345c49451f5ba0d90 |
\Users\Admin\elv1.ooocccxxx
| MD5 | fcb7fc030074ba06176519bec61a1267 |
| SHA1 | 3f037fef167ff2afeca1084c65b06241f7d02033 |
| SHA256 | 38764360540702e0bd35871ec9788760d9c121358a4cdd94331eb28e573670ad |
| SHA512 | 7db49569c035393cb5827ce7ddac93b9948c0b719aa9b3a5360a45845909d881dd13b4ba6ec9a67247e9861c4c3582a91a3e0ac07ec951d345c49451f5ba0d90 |
memory/4272-262-0x0000000000000000-mapping.dmp
memory/4272-265-0x0000000000920000-0x000000000094E000-memory.dmp
memory/2700-273-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv2.ooocccxxx
| MD5 | e13fecff6dc982531324cdba4f224d1d |
| SHA1 | 0de9ca7b8770ce588684237d2739d456bc64dade |
| SHA256 | 78b7f834255ee4c7e897393c70172de692415c784bcaeedf1cd304fe1ce401e0 |
| SHA512 | 0e159d00676d286d104631f80a1989e308037fde82ddae495628866a1ad49059705fb9c47d7f612a108bbbb0d3f540695782dec3c4b389a56c4ac91a28a8653b |
\Users\Admin\elv2.ooocccxxx
| MD5 | e13fecff6dc982531324cdba4f224d1d |
| SHA1 | 0de9ca7b8770ce588684237d2739d456bc64dade |
| SHA256 | 78b7f834255ee4c7e897393c70172de692415c784bcaeedf1cd304fe1ce401e0 |
| SHA512 | 0e159d00676d286d104631f80a1989e308037fde82ddae495628866a1ad49059705fb9c47d7f612a108bbbb0d3f540695782dec3c4b389a56c4ac91a28a8653b |
memory/4564-284-0x0000000000000000-mapping.dmp
memory/368-292-0x0000000000000000-mapping.dmp
memory/1228-293-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv4.ooocccxxx
| MD5 | 92a3f6911635438f39de4bae33cc6fa2 |
| SHA1 | a1d0c269e83f262bd665fadabd9521372c9d86e7 |
| SHA256 | e9a6ea8caed6cf87ba761f830065fbd710ac0a1cc5ca6551e8901e490e3eca00 |
| SHA512 | b79b9b05c72aeb2868a2581eff03beeca4b277eb1ffe9784f873a2426cf39dcd9070e37daef9722b39f53e95fa86bc28ab302252f9b95801c6cf828253120a04 |
\Users\Admin\elv4.ooocccxxx
| MD5 | 92a3f6911635438f39de4bae33cc6fa2 |
| SHA1 | a1d0c269e83f262bd665fadabd9521372c9d86e7 |
| SHA256 | e9a6ea8caed6cf87ba761f830065fbd710ac0a1cc5ca6551e8901e490e3eca00 |
| SHA512 | b79b9b05c72aeb2868a2581eff03beeca4b277eb1ffe9784f873a2426cf39dcd9070e37daef9722b39f53e95fa86bc28ab302252f9b95801c6cf828253120a04 |
memory/3912-304-0x0000000000000000-mapping.dmp
memory/2452-329-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp
memory/2452-330-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp
memory/2452-331-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp
memory/2452-332-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp