Malware Analysis Report

2025-08-05 21:38

Sample ID 221110-mt6h2shbe5
Target 5ebf1f048c8d3536da7dbba181ef136bac22b34df22508539f38c764cb2be854.xls
SHA256 5ebf1f048c8d3536da7dbba181ef136bac22b34df22508539f38c764cb2be854
Tags
macro xlm emotet epoch5 banker persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5ebf1f048c8d3536da7dbba181ef136bac22b34df22508539f38c764cb2be854

Threat Level: Known bad

The file 5ebf1f048c8d3536da7dbba181ef136bac22b34df22508539f38c764cb2be854.xls was found to be: Known bad.

Malicious Activity Summary

macro xlm emotet epoch5 banker persistence trojan

Emotet

Process spawned unexpected child process

Suspicious Office macro

Downloads MZ/PE file

Loads dropped DLL

Adds Run key to start application

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Analysis: static1

Detonation Overview

Reported

2022-11-10 10:46

Signatures

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-10 10:46

Reported

2022-11-10 10:49

Platform

win10-20220812-en

Max time kernel

132s

Max time network

136s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5ebf1f048c8d3536da7dbba181ef136bac22b34df22508539f38c764cb2be854.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5ebf1f048c8d3536da7dbba181ef136bac22b34df22508539f38c764cb2be854.xls"

Network

Country Destination Domain Proto
FR 2.16.119.157:443 tcp
NL 13.69.116.104:443 tcp

Files

memory/300-116-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp

memory/300-117-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp

memory/300-118-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp

memory/300-119-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp

memory/300-128-0x00007FFBDC7E0000-0x00007FFBDC7F0000-memory.dmp

memory/300-129-0x00007FFBDC7E0000-0x00007FFBDC7F0000-memory.dmp

memory/300-292-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp

memory/300-293-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp

memory/300-294-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp

memory/300-295-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-10 10:46

Reported

2022-11-10 10:48

Platform

win10-20220812-en

Max time kernel

100s

Max time network

128s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5ebf1f048c8d3536da7dbba181ef136bac22b34df22508539f38c764cb2be854.xls"

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inAKPUnPH.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\CqQOHetFGgjyRJa\\inAKPUnPH.dll\"" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLAcZO.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\MBtpBemChn\\YLAcZO.dll\"" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GbtepNggP.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\RttvatU\\GbtepNggP.dll\"" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2836 wrote to memory of 5084 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 2836 wrote to memory of 5084 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 5084 wrote to memory of 4564 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 5084 wrote to memory of 4564 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2836 wrote to memory of 4556 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 2836 wrote to memory of 4556 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 4556 wrote to memory of 800 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4556 wrote to memory of 800 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2836 wrote to memory of 732 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 2836 wrote to memory of 732 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 2836 wrote to memory of 32 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 2836 wrote to memory of 32 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 32 wrote to memory of 2296 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 32 wrote to memory of 2296 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5ebf1f048c8d3536da7dbba181ef136bac22b34df22508539f38c764cb2be854.xls"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RttvatU\GbtepNggP.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CqQOHetFGgjyRJa\inAKPUnPH.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MBtpBemChn\YLAcZO.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.conceptagency.net udp
DE 149.102.137.213:443 www.conceptagency.net tcp
US 8.8.8.8:53 bencevendeghaz.hu udp
HU 185.6.139.30:443 bencevendeghaz.hu tcp
SG 45.32.114.141:80 tcp
US 8.8.8.8:53 ruitaiwz.com udp
HK 45.207.116.84:80 ruitaiwz.com tcp
US 52.168.117.169:443 tcp
ID 115.178.55.22:80 115.178.55.22 tcp
ID 115.178.55.22:80 115.178.55.22 tcp
US 8.253.208.121:80 tcp
ID 115.178.55.22:80 115.178.55.22 tcp

Files

memory/2836-115-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp

memory/2836-116-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp

memory/2836-117-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp

memory/2836-118-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp

memory/2836-127-0x00007FFC64580000-0x00007FFC64590000-memory.dmp

memory/2836-128-0x00007FFC64580000-0x00007FFC64590000-memory.dmp

memory/5084-275-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv1.ooocccxxx

MD5 d3939ddb4bc6489d93abbe27357c343a
SHA1 e52999b881200818ea801c44e3c4645f0501f582
SHA256 df774d7b5b0f5e44f6047486ff3641e298208621a1f217027c71e0a874a65313
SHA512 d3d969c163fdfaee7213741cc8a79ab4685522a53241550c92c17d96577c406e59687eabb79b8d9f070bf98f53822fc0f66e60a08779f47a3eb20cb20ffe108a

memory/5084-278-0x0000000001280000-0x00000000012AE000-memory.dmp

memory/4564-288-0x0000000000000000-mapping.dmp

memory/4556-294-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv2.ooocccxxx

MD5 e13fecff6dc982531324cdba4f224d1d
SHA1 0de9ca7b8770ce588684237d2739d456bc64dade
SHA256 78b7f834255ee4c7e897393c70172de692415c784bcaeedf1cd304fe1ce401e0
SHA512 0e159d00676d286d104631f80a1989e308037fde82ddae495628866a1ad49059705fb9c47d7f612a108bbbb0d3f540695782dec3c4b389a56c4ac91a28a8653b

memory/800-305-0x0000000000000000-mapping.dmp

memory/732-313-0x0000000000000000-mapping.dmp

memory/32-314-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv4.ooocccxxx

MD5 367f5a09ff767c1961c5e32ffb7c3df6
SHA1 209c1fb954f11624895012663d34a01cf330b161
SHA256 8b92d9155e6bb80c94deb9a3d0c623286e3bd4be90b68ac1be3b8d12ad06697a
SHA512 4b2317b0c0bef2b2f948d7eccd36c7adced411437519b00e46de8921d3f720103c5b07d1f97dcb0363572d0d3930ae98bcab60812e8d0e8aa680619241585664

memory/2296-322-0x0000000000000000-mapping.dmp

memory/2836-352-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp

memory/2836-353-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp

memory/2836-354-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp

memory/2836-355-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp