Analysis Overview
SHA256
664823e4206ad72fece86bcdd7aea5902a5be0cd1f587fbe878b52b91a723229
Threat Level: Known bad
The file 664823e4206ad72fece86bcdd7aea5902a5be0cd1f587fbe878b52b91a723229.xls was found to be: Known bad.
Malicious Activity Summary
Emotet
Process spawned unexpected child process
Suspicious Office macro
Downloads MZ/PE file
Loads dropped DLL
Adds Run key to start application
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-10 10:33
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-10 10:33
Reported
2022-11-10 10:36
Platform
win10-20220812-en
Max time kernel
108s
Max time network
148s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GEomVw.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\DFAnBA\\GEomVw.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LMjtHlGQcxGxjiP.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\HlrUUrPEWs\\LMjtHlGQcxGxjiP.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\664823e4206ad72fece86bcdd7aea5902a5be0cd1f587fbe878b52b91a723229.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DFAnBA\GEomVw.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HlrUUrPEWs\LMjtHlGQcxGxjiP.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bosny.com | udp |
| TH | 203.151.59.20:443 | bosny.com | tcp |
| US | 8.8.8.8:53 | navylin.com | udp |
| CN | 47.92.133.65:80 | navylin.com | tcp |
| US | 20.189.173.1:443 | tcp | |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
| US | 8.8.8.8:53 | asrani.garudaputih.com | udp |
| SG | 51.79.133.157:80 | asrani.garudaputih.com | tcp |
| US | 8.8.8.8:53 | db.rikaz.tech | udp |
| DE | 135.125.230.197:80 | db.rikaz.tech | tcp |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
Files
memory/2452-118-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp
memory/2452-119-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp
memory/2452-120-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp
memory/2452-121-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp
memory/2452-130-0x00007FF7E4140000-0x00007FF7E4150000-memory.dmp
memory/2452-131-0x00007FF7E4140000-0x00007FF7E4150000-memory.dmp
memory/2744-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv1.ooocccxxx
| MD5 | 871ea9a8e1604e3cfc16dd15a61294fa |
| SHA1 | 2139e23aa41026d93489d3849a5229dc0cfb1bad |
| SHA256 | 12fefee2092330f9c0d9e6b30141cbb41c44aa39fbbbe8cdfca9b98b3069881d |
| SHA512 | 61b2b91af02dad955630c64ca9200feca20293af14bd25b9d4d7109dd9662aaed0981ea93cf298c93ef5e2c19d393e67f308464c59deaabd7e254d05091b780a |
\Users\Admin\elv1.ooocccxxx
| MD5 | 871ea9a8e1604e3cfc16dd15a61294fa |
| SHA1 | 2139e23aa41026d93489d3849a5229dc0cfb1bad |
| SHA256 | 12fefee2092330f9c0d9e6b30141cbb41c44aa39fbbbe8cdfca9b98b3069881d |
| SHA512 | 61b2b91af02dad955630c64ca9200feca20293af14bd25b9d4d7109dd9662aaed0981ea93cf298c93ef5e2c19d393e67f308464c59deaabd7e254d05091b780a |
memory/4116-157-0x0000000000000000-mapping.dmp
memory/4116-158-0x00000000009E0000-0x0000000000A0E000-memory.dmp
memory/1232-297-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv2.ooocccxxx
| MD5 | 4e8c394222a8ad3a013d41781d24070f |
| SHA1 | 84598e96917e7413baaa8906b4da8310360a41e5 |
| SHA256 | 1a481aa005d82e3ac514e4fd4525615b08285e2d1f52d4b650b0fb540cbd33a6 |
| SHA512 | 59b3e55f375daa7ad7bc0125b675d4dfb57fbf3ad7ab0744f7d54099057d17e0757ecb241fcab6e226e79f914954ca31221798ee75661e9ba738604e8d8cbf32 |
\Users\Admin\elv2.ooocccxxx
| MD5 | 4e8c394222a8ad3a013d41781d24070f |
| SHA1 | 84598e96917e7413baaa8906b4da8310360a41e5 |
| SHA256 | 1a481aa005d82e3ac514e4fd4525615b08285e2d1f52d4b650b0fb540cbd33a6 |
| SHA512 | 59b3e55f375daa7ad7bc0125b675d4dfb57fbf3ad7ab0744f7d54099057d17e0757ecb241fcab6e226e79f914954ca31221798ee75661e9ba738604e8d8cbf32 |
memory/4580-305-0x0000000000000000-mapping.dmp
memory/312-311-0x0000000000000000-mapping.dmp
memory/204-312-0x0000000000000000-mapping.dmp
memory/2452-334-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp
memory/2452-335-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp
memory/2452-336-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp
memory/2452-337-0x00007FF7E7C00000-0x00007FF7E7C10000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-10 10:33
Reported
2022-11-10 10:36
Platform
win10-20220812-en
Max time kernel
128s
Max time network
139s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\664823e4206ad72fece86bcdd7aea5902a5be0cd1f587fbe878b52b91a723229.xls"
Network
| Country | Destination | Domain | Proto |
| US | 20.42.72.131:443 | tcp | |
| US | 8.238.20.254:80 | tcp |
Files
memory/4720-116-0x00007FFA9D370000-0x00007FFA9D380000-memory.dmp
memory/4720-117-0x00007FFA9D370000-0x00007FFA9D380000-memory.dmp
memory/4720-118-0x00007FFA9D370000-0x00007FFA9D380000-memory.dmp
memory/4720-119-0x00007FFA9D370000-0x00007FFA9D380000-memory.dmp
memory/4720-128-0x00007FFA99F90000-0x00007FFA99FA0000-memory.dmp
memory/4720-129-0x00007FFA99F90000-0x00007FFA99FA0000-memory.dmp
memory/4720-305-0x00007FFA9D370000-0x00007FFA9D380000-memory.dmp
memory/4720-304-0x00007FFA9D370000-0x00007FFA9D380000-memory.dmp
memory/4720-306-0x00007FFA9D370000-0x00007FFA9D380000-memory.dmp
memory/4720-303-0x00007FFA9D370000-0x00007FFA9D380000-memory.dmp