Analysis Overview
SHA256
05fee62ac4a368cf906744a1dd50d7edd5606199c027d685f90399478e3df844
Threat Level: Known bad
The file 05fee62ac4a368cf906744a1dd50d7edd5606199c027d685f90399478e3df844.xls was found to be: Known bad.
Malicious Activity Summary
Emotet
Process spawned unexpected child process
Downloads MZ/PE file
Suspicious Office macro
Loads dropped DLL
Adds Run key to start application
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-10 10:40
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-10 10:40
Reported
2022-11-10 10:43
Platform
win10-20220812-en
Max time kernel
141s
Max time network
144s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SljtMeIJGjZ.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\FhyOSwihxgc\\SljtMeIJGjZ.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SKOhK.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\JpMjjNvFwpwI\\SKOhK.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\05fee62ac4a368cf906744a1dd50d7edd5606199c027d685f90399478e3df844.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FhyOSwihxgc\SljtMeIJGjZ.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JpMjjNvFwpwI\SKOhK.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bosny.com | udp |
| TH | 203.151.59.20:443 | bosny.com | tcp |
| US | 52.168.112.66:443 | N/A | tcp |
| US | 8.8.8.8:53 | navylin.com | udp |
| CN | 47.92.133.65:80 | navylin.com | tcp |
| US | 8.8.8.8:53 | asrani.garudaputih.com | udp |
| SG | 51.79.133.157:80 | asrani.garudaputih.com | tcp |
| US | 8.8.8.8:53 | db.rikaz.tech | udp |
| DE | 135.125.230.197:80 | db.rikaz.tech | tcp |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
Files
C:\Users\Admin\elv1.ooocccxxx
| MD5 | d91b16ead21c4a8468e0e411b4104b8b |
| SHA1 | e014b2034b852c53ff4528f7ae80cd2dd7c0e8d7 |
| SHA256 | d96d07555698b46be58865d8f65d0553b6a64bffae36072507291175b23876ca |
| SHA512 | 18c0d7831717f87c300cede2cffffcc002a33ded4b48fb19fc9225c0553c185cadef7eeab2d41248ed6b7b66be95b170f9bb482f1d2720daf982f0ca4790674a |
C:\Users\Admin\elv2.ooocccxxx
| MD5 | d8d225350e7e511598ca5e62139ab35b |
| SHA1 | 9840cf8f5a2d06c74ac3986f62c8c951c87c99cc |
| SHA256 | e5d587bc2bffd9e7c7508bc09518aa67ee8c05286ebd09bbbe1323c4fb560966 |
| SHA512 | 751a6bfc41d086e6327b895f2f06bb3fa4653919e1280dc0786fb4ff989304b03baeaee6dc65533870e1653a46979a70e26851893b9e41c146242adf7862307f |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-10 10:40
Reported
2022-11-10 10:43
Platform
win10-20220812-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\05fee62ac4a368cf906744a1dd50d7edd5606199c027d685f90399478e3df844.xls"
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.14:443 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
Files