Analysis Overview
SHA256
5ebf1f048c8d3536da7dbba181ef136bac22b34df22508539f38c764cb2be854
Threat Level: Known bad
The file 5ebf1f048c8d3536da7dbba181ef136bac22b34df22508539f38c764cb2be854.xls was found to be: Known bad.
Malicious Activity Summary
Emotet
Process spawned unexpected child process
Suspicious Office macro
Downloads MZ/PE file
Loads dropped DLL
Adds Run key to start application
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-10 10:46
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-10 10:46
Reported
2022-11-10 10:49
Platform
win10-20220812-en
Max time kernel
132s
Max time network
136s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5ebf1f048c8d3536da7dbba181ef136bac22b34df22508539f38c764cb2be854.xls"
Network
| Country | Destination | Domain | Proto |
| FR | 2.16.119.157:443 | tcp | |
| NL | 13.69.116.104:443 | tcp |
Files
memory/300-116-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp
memory/300-117-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp
memory/300-118-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp
memory/300-119-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp
memory/300-128-0x00007FFBDC7E0000-0x00007FFBDC7F0000-memory.dmp
memory/300-129-0x00007FFBDC7E0000-0x00007FFBDC7F0000-memory.dmp
memory/300-292-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp
memory/300-293-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp
memory/300-294-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp
memory/300-295-0x00007FFBDF500000-0x00007FFBDF510000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-10 10:46
Reported
2022-11-10 10:48
Platform
win10-20220812-en
Max time kernel
100s
Max time network
128s
Command Line
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inAKPUnPH.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\CqQOHetFGgjyRJa\\inAKPUnPH.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLAcZO.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\MBtpBemChn\\YLAcZO.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GbtepNggP.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\RttvatU\\GbtepNggP.dll\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5ebf1f048c8d3536da7dbba181ef136bac22b34df22508539f38c764cb2be854.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RttvatU\GbtepNggP.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CqQOHetFGgjyRJa\inAKPUnPH.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MBtpBemChn\YLAcZO.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.conceptagency.net | udp |
| DE | 149.102.137.213:443 | www.conceptagency.net | tcp |
| US | 8.8.8.8:53 | bencevendeghaz.hu | udp |
| HU | 185.6.139.30:443 | bencevendeghaz.hu | tcp |
| SG | 45.32.114.141:80 | tcp | |
| US | 8.8.8.8:53 | ruitaiwz.com | udp |
| HK | 45.207.116.84:80 | ruitaiwz.com | tcp |
| US | 52.168.117.169:443 | tcp | |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
| US | 8.253.208.121:80 | tcp | |
| ID | 115.178.55.22:80 | 115.178.55.22 | tcp |
Files
memory/2836-115-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp
memory/2836-116-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp
memory/2836-117-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp
memory/2836-118-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp
memory/2836-127-0x00007FFC64580000-0x00007FFC64590000-memory.dmp
memory/2836-128-0x00007FFC64580000-0x00007FFC64590000-memory.dmp
memory/5084-275-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv1.ooocccxxx
| MD5 | d3939ddb4bc6489d93abbe27357c343a |
| SHA1 | e52999b881200818ea801c44e3c4645f0501f582 |
| SHA256 | df774d7b5b0f5e44f6047486ff3641e298208621a1f217027c71e0a874a65313 |
| SHA512 | d3d969c163fdfaee7213741cc8a79ab4685522a53241550c92c17d96577c406e59687eabb79b8d9f070bf98f53822fc0f66e60a08779f47a3eb20cb20ffe108a |
\Users\Admin\elv1.ooocccxxx
| MD5 | d3939ddb4bc6489d93abbe27357c343a |
| SHA1 | e52999b881200818ea801c44e3c4645f0501f582 |
| SHA256 | df774d7b5b0f5e44f6047486ff3641e298208621a1f217027c71e0a874a65313 |
| SHA512 | d3d969c163fdfaee7213741cc8a79ab4685522a53241550c92c17d96577c406e59687eabb79b8d9f070bf98f53822fc0f66e60a08779f47a3eb20cb20ffe108a |
memory/5084-278-0x0000000001280000-0x00000000012AE000-memory.dmp
memory/4564-288-0x0000000000000000-mapping.dmp
memory/4556-294-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv2.ooocccxxx
| MD5 | e13fecff6dc982531324cdba4f224d1d |
| SHA1 | 0de9ca7b8770ce588684237d2739d456bc64dade |
| SHA256 | 78b7f834255ee4c7e897393c70172de692415c784bcaeedf1cd304fe1ce401e0 |
| SHA512 | 0e159d00676d286d104631f80a1989e308037fde82ddae495628866a1ad49059705fb9c47d7f612a108bbbb0d3f540695782dec3c4b389a56c4ac91a28a8653b |
\Users\Admin\elv2.ooocccxxx
| MD5 | e13fecff6dc982531324cdba4f224d1d |
| SHA1 | 0de9ca7b8770ce588684237d2739d456bc64dade |
| SHA256 | 78b7f834255ee4c7e897393c70172de692415c784bcaeedf1cd304fe1ce401e0 |
| SHA512 | 0e159d00676d286d104631f80a1989e308037fde82ddae495628866a1ad49059705fb9c47d7f612a108bbbb0d3f540695782dec3c4b389a56c4ac91a28a8653b |
memory/800-305-0x0000000000000000-mapping.dmp
memory/732-313-0x0000000000000000-mapping.dmp
memory/32-314-0x0000000000000000-mapping.dmp
C:\Users\Admin\elv4.ooocccxxx
| MD5 | 367f5a09ff767c1961c5e32ffb7c3df6 |
| SHA1 | 209c1fb954f11624895012663d34a01cf330b161 |
| SHA256 | 8b92d9155e6bb80c94deb9a3d0c623286e3bd4be90b68ac1be3b8d12ad06697a |
| SHA512 | 4b2317b0c0bef2b2f948d7eccd36c7adced411437519b00e46de8921d3f720103c5b07d1f97dcb0363572d0d3930ae98bcab60812e8d0e8aa680619241585664 |
\Users\Admin\elv4.ooocccxxx
| MD5 | 367f5a09ff767c1961c5e32ffb7c3df6 |
| SHA1 | 209c1fb954f11624895012663d34a01cf330b161 |
| SHA256 | 8b92d9155e6bb80c94deb9a3d0c623286e3bd4be90b68ac1be3b8d12ad06697a |
| SHA512 | 4b2317b0c0bef2b2f948d7eccd36c7adced411437519b00e46de8921d3f720103c5b07d1f97dcb0363572d0d3930ae98bcab60812e8d0e8aa680619241585664 |
memory/2296-322-0x0000000000000000-mapping.dmp
memory/2836-352-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp
memory/2836-353-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp
memory/2836-354-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp
memory/2836-355-0x00007FFC671D0000-0x00007FFC671E0000-memory.dmp