Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
10/11/2022, 10:33
Behavioral task
behavioral1
Sample
0a8ddb6313292d0c7ce3f8c6336d8b960f855bb50b5a1a34619682e0bccc2497.xls
Resource
win10-20220812-en
Behavioral task
behavioral2
Sample
0a8ddb6313292d0c7ce3f8c6336d8b960f855bb50b5a1a34619682e0bccc2497.xls
Resource
win10-20220812-en
General
-
Target
0a8ddb6313292d0c7ce3f8c6336d8b960f855bb50b5a1a34619682e0bccc2497.xls
-
Size
91KB
-
MD5
b834d1385caf6e1927cceaf2bde310ae
-
SHA1
7f9e374f51f36f528f9536cf677d4785923c01bb
-
SHA256
0a8ddb6313292d0c7ce3f8c6336d8b960f855bb50b5a1a34619682e0bccc2497
-
SHA512
bdbd1c504860d14fcb05cb892338cf015aebe4e07a2f4ea61a0923353a322cc32ade97abe12f13cf102704f71f03e3fdf9b6ee5c2562bc21bb1c575f88c1b42f
-
SSDEEP
1536:eKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgqbCXuZH4gb4CEn9J4ZXz3:eKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgu
Malware Config
Extracted
https://www.conceptagency.net/css/b8eaKN/
https://bencevendeghaz.hu/2zjoi/cwfKJOzA/
http://45.32.114.141/xilte/Uqm6Eysf3Hkjwh/
http://ruitaiwz.com/wp-admin/MXlp5IsUKwT1k0DtzT/
Extracted
emotet
Epoch5
202.28.34.99:8080
80.211.107.116:8080
175.126.176.79:8080
218.38.121.17:443
139.196.72.155:8080
103.71.99.57:8080
87.106.97.83:7080
178.62.112.199:8080
64.227.55.231:8080
46.101.98.60:8080
54.37.228.122:443
128.199.217.206:443
190.145.8.4:443
209.239.112.82:8080
85.214.67.203:8080
198.199.70.22:8080
128.199.242.164:8080
178.238.225.252:8080
103.85.95.4:8080
103.126.216.86:443
104.244.79.94:443
36.67.23.59:443
37.44.244.177:8080
160.16.143.191:8080
85.25.120.45:8080
103.56.149.105:8080
210.57.209.142:8080
195.77.239.39:8080
62.171.178.147:8080
118.98.72.86:443
103.224.241.74:8080
185.148.169.10:8080
103.41.204.169:8080
186.250.48.5:443
165.22.254.236:8080
93.104.209.107:8080
139.59.80.108:8080
196.44.98.190:8080
114.79.130.68:443
115.178.55.22:80
103.254.12.236:7080
172.105.115.71:8080
174.138.33.49:7080
51.75.33.122:443
83.229.80.93:8080
78.47.204.80:443
188.165.79.151:443
202.134.4.210:7080
82.98.180.154:7080
Signatures
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3664 3668 regsvr32.exe 65 Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3536 3668 regsvr32.exe 65 Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 300 3668 regsvr32.exe 65 Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 768 3668 regsvr32.exe 65 -
Downloads MZ/PE file
-
Loads dropped DLL 3 IoCs
pid Process 3664 regsvr32.exe 3536 regsvr32.exe 768 regsvr32.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qWQxStM.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\FzemTQqqW\\qWQxStM.dll\"" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jGSCkVwt.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\SgWxBJuxRnchHOpo\\jGSCkVwt.dll\"" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EwLNHjcZ.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\GlBqOEuGi\\EwLNHjcZ.dll\"" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3668 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 3664 regsvr32.exe 3664 regsvr32.exe 4356 regsvr32.exe 4356 regsvr32.exe 4356 regsvr32.exe 4356 regsvr32.exe 3536 regsvr32.exe 3536 regsvr32.exe 4460 regsvr32.exe 4460 regsvr32.exe 4460 regsvr32.exe 4460 regsvr32.exe 768 regsvr32.exe 768 regsvr32.exe 204 regsvr32.exe 204 regsvr32.exe 204 regsvr32.exe 204 regsvr32.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 3668 EXCEL.EXE 3668 EXCEL.EXE 3668 EXCEL.EXE 3668 EXCEL.EXE 3668 EXCEL.EXE 3668 EXCEL.EXE 3668 EXCEL.EXE 3668 EXCEL.EXE 3668 EXCEL.EXE 3668 EXCEL.EXE 3668 EXCEL.EXE 3668 EXCEL.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 3668 wrote to memory of 3664 3668 EXCEL.EXE 70 PID 3668 wrote to memory of 3664 3668 EXCEL.EXE 70 PID 3664 wrote to memory of 4356 3664 regsvr32.exe 71 PID 3664 wrote to memory of 4356 3664 regsvr32.exe 71 PID 3668 wrote to memory of 3536 3668 EXCEL.EXE 72 PID 3668 wrote to memory of 3536 3668 EXCEL.EXE 72 PID 3536 wrote to memory of 4460 3536 regsvr32.exe 74 PID 3536 wrote to memory of 4460 3536 regsvr32.exe 74 PID 3668 wrote to memory of 300 3668 EXCEL.EXE 78 PID 3668 wrote to memory of 300 3668 EXCEL.EXE 78 PID 3668 wrote to memory of 768 3668 EXCEL.EXE 79 PID 3668 wrote to memory of 768 3668 EXCEL.EXE 79 PID 768 wrote to memory of 204 768 regsvr32.exe 80 PID 768 wrote to memory of 204 768 regsvr32.exe 80
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0a8ddb6313292d0c7ce3f8c6336d8b960f855bb50b5a1a34619682e0bccc2497.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\FzemTQqqW\qWQxStM.dll"3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4356
-
-
-
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\SgWxBJuxRnchHOpo\jGSCkVwt.dll"3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4460
-
-
-
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx2⤵
- Process spawned unexpected child process
PID:300
-
-
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\GlBqOEuGi\EwLNHjcZ.dll"3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:204
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
621KB
MD5287abecca3fd35d9f3ed53f4f7377c7e
SHA14d1693f6b31d926633e8a7e349fee96c4e60120b
SHA2566426c9c4829f9e4ec0ce794317153e46cb6b74050b74197c9a588fa7d3de679c
SHA512348f77291ee436dcf5e0de2da792b1d9e6c0daf1fb925122ed06984bf14f21d909b14dd6d3096fc229143c2d2562f1f57ea159db9d4f4ec717602943780ab385
-
Filesize
621KB
MD5e13fecff6dc982531324cdba4f224d1d
SHA10de9ca7b8770ce588684237d2739d456bc64dade
SHA25678b7f834255ee4c7e897393c70172de692415c784bcaeedf1cd304fe1ce401e0
SHA5120e159d00676d286d104631f80a1989e308037fde82ddae495628866a1ad49059705fb9c47d7f612a108bbbb0d3f540695782dec3c4b389a56c4ac91a28a8653b
-
Filesize
621KB
MD5d116dbcd3054af5ebab5374c82d51952
SHA13c84bc88251a196328d46f61051fd78c31db4a1d
SHA256292a2fd7687179531f2c92eb70c3399f1100450689ba338f5be57ab8bee176f8
SHA512d907482458586b1bba5bfe4792dec2d7932a8034eb1bcdc765407beda481a9f50a8aca775222be128cf92eb9ccb3fae5e223876e9d4571fcbcb795ad26df7ace
-
Filesize
621KB
MD5287abecca3fd35d9f3ed53f4f7377c7e
SHA14d1693f6b31d926633e8a7e349fee96c4e60120b
SHA2566426c9c4829f9e4ec0ce794317153e46cb6b74050b74197c9a588fa7d3de679c
SHA512348f77291ee436dcf5e0de2da792b1d9e6c0daf1fb925122ed06984bf14f21d909b14dd6d3096fc229143c2d2562f1f57ea159db9d4f4ec717602943780ab385
-
Filesize
621KB
MD5e13fecff6dc982531324cdba4f224d1d
SHA10de9ca7b8770ce588684237d2739d456bc64dade
SHA25678b7f834255ee4c7e897393c70172de692415c784bcaeedf1cd304fe1ce401e0
SHA5120e159d00676d286d104631f80a1989e308037fde82ddae495628866a1ad49059705fb9c47d7f612a108bbbb0d3f540695782dec3c4b389a56c4ac91a28a8653b
-
Filesize
621KB
MD5d116dbcd3054af5ebab5374c82d51952
SHA13c84bc88251a196328d46f61051fd78c31db4a1d
SHA256292a2fd7687179531f2c92eb70c3399f1100450689ba338f5be57ab8bee176f8
SHA512d907482458586b1bba5bfe4792dec2d7932a8034eb1bcdc765407beda481a9f50a8aca775222be128cf92eb9ccb3fae5e223876e9d4571fcbcb795ad26df7ace