Malware Analysis Report

2025-08-05 21:38

Sample ID 221110-mmvszahag4
Target f121a237d7a7ba8a02e7fb76bbc67ac5f09cc0d4621f0b668c72702d9d42c2ea.xls
SHA256 f121a237d7a7ba8a02e7fb76bbc67ac5f09cc0d4621f0b668c72702d9d42c2ea
Tags
macro xlm emotet epoch5 banker persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f121a237d7a7ba8a02e7fb76bbc67ac5f09cc0d4621f0b668c72702d9d42c2ea

Threat Level: Known bad

The file f121a237d7a7ba8a02e7fb76bbc67ac5f09cc0d4621f0b668c72702d9d42c2ea.xls was found to be: Known bad.

Malicious Activity Summary

macro xlm emotet epoch5 banker persistence trojan

Emotet

Process spawned unexpected child process

Downloads MZ/PE file

Suspicious Office macro

Loads dropped DLL

Adds Run key to start application

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Analysis: static1

Detonation Overview

Reported

2022-11-10 10:35

Signatures

Suspicious Office macro

macro xlm
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-10 10:35

Reported

2022-11-10 10:38

Platform

win10-20220812-en

Max time kernel

129s

Max time network

147s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f121a237d7a7ba8a02e7fb76bbc67ac5f09cc0d4621f0b668c72702d9d42c2ea.xls"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f121a237d7a7ba8a02e7fb76bbc67ac5f09cc0d4621f0b668c72702d9d42c2ea.xls"

Network

Country | Destination | Domain | Proto
GB | 51.105.71.136:443 | | tcp

Files

memory/3728-116-0x00007FFCA50A0000-0x00007FFCA50B0000-memory.dmp

memory/3728-117-0x00007FFCA50A0000-0x00007FFCA50B0000-memory.dmp

memory/3728-118-0x00007FFCA50A0000-0x00007FFCA50B0000-memory.dmp

memory/3728-119-0x00007FFCA50A0000-0x00007FFCA50B0000-memory.dmp

memory/3728-128-0x00007FFCA17E0000-0x00007FFCA17F0000-memory.dmp

memory/3728-129-0x00007FFCA17E0000-0x00007FFCA17F0000-memory.dmp

memory/3728-290-0x00007FFCA50A0000-0x00007FFCA50B0000-memory.dmp

memory/3728-291-0x00007FFCA50A0000-0x00007FFCA50B0000-memory.dmp

memory/3728-292-0x00007FFCA50A0000-0x00007FFCA50B0000-memory.dmp

memory/3728-293-0x00007FFCA50A0000-0x00007FFCA50B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-10 10:35

Reported

2022-11-10 10:38

Platform

win10-20220901-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f121a237d7a7ba8a02e7fb76bbc67ac5f09cc0d4621f0b668c72702d9d42c2ea.xls"

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Downloads MZ/PE file

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ViJh.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\JNWNzFpeJvLk\\ViJh.dll\"" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SkXEHR.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\UaAsbZ\\SkXEHR.dll\"" | C:\Windows\system32\regsvr32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4528 wrote to memory of 4420 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 4528 wrote to memory of 4420 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 4420 wrote to memory of 4520 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 4420 wrote to memory of 4520 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 4528 wrote to memory of 524 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 4528 wrote to memory of 524 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 524 wrote to memory of 4588 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 524 wrote to memory of 4588 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 4528 wrote to memory of 4760 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 4528 wrote to memory of 4760 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 4528 wrote to memory of 4780 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 4528 wrote to memory of 4780 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f121a237d7a7ba8a02e7fb76bbc67ac5f09cc0d4621f0b668c72702d9d42c2ea.xls"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JNWNzFpeJvLk\ViJh.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UaAsbZ\SkXEHR.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bosny.com | udp
TH | 203.151.59.20:443 | bosny.com | tcp
IE | 20.50.80.210:443 | | tcp
NL | 8.248.7.254:80 | | tcp
US | 8.8.8.8:53 | navylin.com | udp
CN | 47.92.133.65:80 | navylin.com | tcp
ID | 115.178.55.22:80 | 115.178.55.22 | tcp
US | 8.8.8.8:53 | asrani.garudaputih.com | udp
SG | 51.79.133.157:80 | asrani.garudaputih.com | tcp
US | 8.8.8.8:53 | db.rikaz.tech | udp
DE | 135.125.230.197:80 | db.rikaz.tech | tcp
ID | 115.178.55.22:80 | 115.178.55.22 | tcp

Files

memory/4528-120-0x00007FF9500F0000-0x00007FF950100000-memory.dmp

memory/4528-121-0x00007FF9500F0000-0x00007FF950100000-memory.dmp

memory/4528-122-0x00007FF9500F0000-0x00007FF950100000-memory.dmp

memory/4528-123-0x00007FF9500F0000-0x00007FF950100000-memory.dmp

memory/4528-132-0x00007FF94CC80000-0x00007FF94CC90000-memory.dmp

memory/4528-133-0x00007FF94CC80000-0x00007FF94CC90000-memory.dmp

memory/4420-261-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv1.ooocccxxx

MD5 871ea9a8e1604e3cfc16dd15a61294fa
SHA1 2139e23aa41026d93489d3849a5229dc0cfb1bad
SHA256 12fefee2092330f9c0d9e6b30141cbb41c44aa39fbbbe8cdfca9b98b3069881d
SHA512 61b2b91af02dad955630c64ca9200feca20293af14bd25b9d4d7109dd9662aaed0981ea93cf298c93ef5e2c19d393e67f308464c59deaabd7e254d05091b780a

\Users\Admin\elv1.ooocccxxx

MD5 871ea9a8e1604e3cfc16dd15a61294fa
SHA1 2139e23aa41026d93489d3849a5229dc0cfb1bad
SHA256 12fefee2092330f9c0d9e6b30141cbb41c44aa39fbbbe8cdfca9b98b3069881d
SHA512 61b2b91af02dad955630c64ca9200feca20293af14bd25b9d4d7109dd9662aaed0981ea93cf298c93ef5e2c19d393e67f308464c59deaabd7e254d05091b780a

memory/4420-264-0x00000000009B0000-0x00000000009DE000-memory.dmp

memory/4520-272-0x0000000000000000-mapping.dmp

memory/524-278-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv2.ooocccxxx

MD5 4e8c394222a8ad3a013d41781d24070f
SHA1 84598e96917e7413baaa8906b4da8310360a41e5
SHA256 1a481aa005d82e3ac514e4fd4525615b08285e2d1f52d4b650b0fb540cbd33a6
SHA512 59b3e55f375daa7ad7bc0125b675d4dfb57fbf3ad7ab0744f7d54099057d17e0757ecb241fcab6e226e79f914954ca31221798ee75661e9ba738604e8d8cbf32

\Users\Admin\elv2.ooocccxxx

MD5 4e8c394222a8ad3a013d41781d24070f
SHA1 84598e96917e7413baaa8906b4da8310360a41e5
SHA256 1a481aa005d82e3ac514e4fd4525615b08285e2d1f52d4b650b0fb540cbd33a6
SHA512 59b3e55f375daa7ad7bc0125b675d4dfb57fbf3ad7ab0744f7d54099057d17e0757ecb241fcab6e226e79f914954ca31221798ee75661e9ba738604e8d8cbf32

memory/4588-286-0x0000000000000000-mapping.dmp

memory/4760-292-0x0000000000000000-mapping.dmp

memory/4780-293-0x0000000000000000-mapping.dmp