Analysis Overview
SHA256
4a7f651f6f9f9eff4a8b87759ebdddaa1a44864529ed091c2abc22f0abbdb27e
Threat Level: Known bad
The file 4a7f651f6f9f9eff4a8b87759ebdddaa1a44864529ed091c2abc22f0abbdb27e.xls was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Emotet
Downloads MZ/PE file
Suspicious Office macro
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-10 10:39
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-10 10:39
Reported
2022-11-10 10:41
Platform
win10-20220901-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4a7f651f6f9f9eff4a8b87759ebdddaa1a44864529ed091c2abc22f0abbdb27e.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bosny.com | udp |
| N/A | 100.126.100.186:443 | bosny.com | tcp |
| US | 8.8.8.8:53 | navylin.com | udp |
| N/A | 100.86.113.21:80 | navylin.com | tcp |
| US | 8.8.8.8:53 | asrani.garudaputih.com | udp |
| N/A | 100.68.177.59:80 | asrani.garudaputih.com | tcp |
| US | 8.8.8.8:53 | db.rikaz.tech | udp |
| N/A | 100.95.216.19:80 | db.rikaz.tech | tcp |
| US | 20.42.73.27:443 | tcp | |
| US | 209.197.3.8:80 | tcp |
Files
memory/384-120-0x00007FFAA2650000-0x00007FFAA2660000-memory.dmp
memory/384-121-0x00007FFAA2650000-0x00007FFAA2660000-memory.dmp
memory/384-122-0x00007FFAA2650000-0x00007FFAA2660000-memory.dmp
memory/384-123-0x00007FFAA2650000-0x00007FFAA2660000-memory.dmp
memory/384-132-0x00007FFA9F090000-0x00007FFA9F0A0000-memory.dmp
memory/384-133-0x00007FFA9F090000-0x00007FFA9F0A0000-memory.dmp
memory/4568-276-0x0000000000000000-mapping.dmp
memory/4472-277-0x0000000000000000-mapping.dmp
memory/3780-280-0x0000000000000000-mapping.dmp
memory/4196-281-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-10 10:39
Reported
2022-11-10 10:41
Platform
win10-20220812-en
Max time kernel
144s
Max time network
146s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sYnanoQOEX.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\BteWzCSaZbCWynBDa\\sYnanoQOEX.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YmNBcPnvPuLSZN.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\WnFlZumwELQyw\\YmNBcPnvPuLSZN.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4a7f651f6f9f9eff4a8b87759ebdddaa1a44864529ed091c2abc22f0abbdb27e.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WnFlZumwELQyw\YmNBcPnvPuLSZN.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BteWzCSaZbCWynBDa\sYnanoQOEX.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bosny.com | udp |
| TH | 203.151.59.20:443 | bosny.com | tcp |
| US | 8.8.8.8:53 | navylin.com | udp |
| CN | 47.92.133.65:80 | navylin.com | tcp |
| GB | 51.104.15.252:443 | tcp | |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
| US | 8.8.8.8:53 | asrani.garudaputih.com | udp |
| SG | 51.79.133.157:80 | asrani.garudaputih.com | tcp |
| US | 8.8.8.8:53 | db.rikaz.tech | udp |
| DE | 135.125.230.197:80 | db.rikaz.tech | tcp |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
Files
memory/2408-115-0x00007FF83D030000-0x00007FF83D040000-memory.dmp
memory/2408-116-0x00007FF83D030000-0x00007FF83D040000-memory.dmp
memory/2408-117-0x00007FF83D030000-0x00007FF83D040000-memory.dmp
memory/2408-118-0x00007FF83D030000-0x00007FF83D040000-memory.dmp
memory/2408-127-0x00007FF83A290000-0x00007FF83A2A0000-memory.dmp
memory/2408-128-0x00007FF83A290000-0x00007FF83A2A0000-memory.dmp
memory/3928-262-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv1.ooocccxxx
| MD5 | 871ea9a8e1604e3cfc16dd15a61294fa |
| SHA1 | 2139e23aa41026d93489d3849a5229dc0cfb1bad |
| SHA256 | 12fefee2092330f9c0d9e6b30141cbb41c44aa39fbbbe8cdfca9b98b3069881d |
| SHA512 | 61b2b91af02dad955630c64ca9200feca20293af14bd25b9d4d7109dd9662aaed0981ea93cf298c93ef5e2c19d393e67f308464c59deaabd7e254d05091b780a |
\Users\Admin\elv1.ooocccxxx
| MD5 | 871ea9a8e1604e3cfc16dd15a61294fa |
| SHA1 | 2139e23aa41026d93489d3849a5229dc0cfb1bad |
| SHA256 | 12fefee2092330f9c0d9e6b30141cbb41c44aa39fbbbe8cdfca9b98b3069881d |
| SHA512 | 61b2b91af02dad955630c64ca9200feca20293af14bd25b9d4d7109dd9662aaed0981ea93cf298c93ef5e2c19d393e67f308464c59deaabd7e254d05091b780a |
memory/3928-265-0x0000000000D00000-0x0000000000D2E000-memory.dmp
memory/4892-273-0x0000000000000000-mapping.dmp
memory/3288-281-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv2.ooocccxxx
| MD5 | d8d225350e7e511598ca5e62139ab35b |
| SHA1 | 9840cf8f5a2d06c74ac3986f62c8c951c87c99cc |
| SHA256 | e5d587bc2bffd9e7c7508bc09518aa67ee8c05286ebd09bbbe1323c4fb560966 |
| SHA512 | 751a6bfc41d086e6327b895f2f06bb3fa4653919e1280dc0786fb4ff989304b03baeaee6dc65533870e1653a46979a70e26851893b9e41c146242adf7862307f |
\Users\Admin\elv2.ooocccxxx
| MD5 | d8d225350e7e511598ca5e62139ab35b |
| SHA1 | 9840cf8f5a2d06c74ac3986f62c8c951c87c99cc |
| SHA256 | e5d587bc2bffd9e7c7508bc09518aa67ee8c05286ebd09bbbe1323c4fb560966 |
| SHA512 | 751a6bfc41d086e6327b895f2f06bb3fa4653919e1280dc0786fb4ff989304b03baeaee6dc65533870e1653a46979a70e26851893b9e41c146242adf7862307f |
memory/912-289-0x0000000000000000-mapping.dmp
memory/948-295-0x0000000000000000-mapping.dmp
memory/904-296-0x0000000000000000-mapping.dmp
memory/2408-321-0x00007FF83D030000-0x00007FF83D040000-memory.dmp
memory/2408-322-0x00007FF83D030000-0x00007FF83D040000-memory.dmp
memory/2408-323-0x00007FF83D030000-0x00007FF83D040000-memory.dmp
memory/2408-324-0x00007FF83D030000-0x00007FF83D040000-memory.dmp