Malware Analysis Report

2025-08-05 21:38

Sample ID 221110-mzgrwahca2
Target d516a593ae3def9aa4752da1133b8609b99573a207829611c882944bc895066f.xls
SHA256 d516a593ae3def9aa4752da1133b8609b99573a207829611c882944bc895066f
Tags macro xlm emotet epoch5 banker persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 d516a593ae3def9aa4752da1133b8609b99573a207829611c882944bc895066f

Threat Level: Known bad

The file d516a593ae3def9aa4752da1133b8609b99573a207829611c882944bc895066f.xls was found to be: Known bad.

Malicious Activity Summary

macro xlm emotet epoch5 banker persistence trojan

Emotet

Process spawned unexpected child process

Downloads MZ/PE file

Suspicious Office macro

Loads dropped DLL

Adds Run key to start application

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-11-10 10:53

Signatures

Suspicious Office macro

macro xlm
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-11-10 10:53

Reported 2022-11-10 10:56

Platform win10-20220812-en

Max time kernel 134s

Max time network 152s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d516a593ae3def9aa4752da1133b8609b99573a207829611c882944bc895066f.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d516a593ae3def9aa4752da1133b8609b99573a207829611c882944bc895066f.xls"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bosny.com | udp
N/A | 100.93.119.3:443 | bosny.com | tcp
US | 8.8.8.8:53 | navylin.com | udp
N/A | 100.74.2.18:80 | navylin.com | tcp
US | 8.8.8.8:53 | asrani.garudaputih.com | udp
N/A | 100.88.25.126:80 | asrani.garudaputih.com | tcp
US | 8.8.8.8:53 | db.rikaz.tech | udp
N/A | 100.103.160.72:80 | db.rikaz.tech | tcp
US | 13.89.179.10:443 | | tcp

Files

memory/4324-116-0x00007FFCDF550000-0x00007FFCDF560000-memory.dmp
memory/4324-117-0x00007FFCDF550000-0x00007FFCDF560000-memory.dmp
memory/4324-118-0x00007FFCDF550000-0x00007FFCDF560000-memory.dmp
memory/4324-119-0x00007FFCDF550000-0x00007FFCDF560000-memory.dmp
memory/4324-128-0x00007FFCDB9E0000-0x00007FFCDB9F0000-memory.dmp
memory/4324-129-0x00007FFCDB9E0000-0x00007FFCDB9F0000-memory.dmp
memory/4564-252-0x0000000000000000-mapping.dmp
memory/3676-253-0x0000000000000000-mapping.dmp
memory/2660-254-0x0000000000000000-mapping.dmp
memory/4932-255-0x0000000000000000-mapping.dmp
memory/4324-294-0x00007FFCDF550000-0x00007FFCDF560000-memory.dmp
memory/4324-295-0x00007FFCDF550000-0x00007FFCDF560000-memory.dmp
memory/4324-296-0x00007FFCDF550000-0x00007FFCDF560000-memory.dmp
memory/4324-297-0x00007FFCDF550000-0x00007FFCDF560000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-11-10 10:53

Reported 2022-11-10 10:56

Platform win10-20220812-en

Max time kernel 130s

Max time network 152s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d516a593ae3def9aa4752da1133b8609b99573a207829611c882944bc895066f.xls"

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Downloads MZ/PE file

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HzThonv.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\ScQZMNMKxDEHb\\HzThonv.dll\"" | C:\Windows\system32\regsvr32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2692 wrote to memory of 4520 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 2692 wrote to memory of 4520 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 4520 wrote to memory of 4504 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 4520 wrote to memory of 4504 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\system32\regsvr32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d516a593ae3def9aa4752da1133b8609b99573a207829611c882944bc895066f.xls"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ScQZMNMKxDEHb\HzThonv.dll"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bosny.com | udp
TH | 203.151.59.20:443 | bosny.com | tcp
US | 20.42.65.89:443 | | tcp
US | 93.184.221.240:80 | | tcp
US | 8.8.8.8:53 | navylin.com | udp
CN | 47.92.133.65:80 | navylin.com | tcp
ID | 115.178.55.22:80 | 115.178.55.22 | tcp

Files

memory/2692-115-0x00007FF871D50000-0x00007FF871D60000-memory.dmp
memory/2692-116-0x00007FF871D50000-0x00007FF871D60000-memory.dmp
memory/2692-117-0x00007FF871D50000-0x00007FF871D60000-memory.dmp
memory/2692-118-0x00007FF871D50000-0x00007FF871D60000-memory.dmp
memory/2692-127-0x00007FF86E3D0000-0x00007FF86E3E0000-memory.dmp
memory/2692-128-0x00007FF86E3D0000-0x00007FF86E3E0000-memory.dmp
memory/4520-280-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv1.ooocccxxx

MD5 83b59fb810300c2dbddf3f7d739d25a4
SHA1 aa67e33414d97d297a3b86871dd6a9275fdb71d1
SHA256 6b2be1e6753c8b1d69abec430562268775c00784b0a2f4cf2c5e499f98a7bfdf
SHA512 c32ee574b86086d986b7177bbc011da11ad647ca8e3edbb76a6901a92fbc197d987f63b45c923aa273023ff070548caf712578e26a84f85c2eeea781ca55661a

\Users\Admin\elv1.ooocccxxx

MD5 83b59fb810300c2dbddf3f7d739d25a4
SHA1 aa67e33414d97d297a3b86871dd6a9275fdb71d1
SHA256 6b2be1e6753c8b1d69abec430562268775c00784b0a2f4cf2c5e499f98a7bfdf
SHA512 c32ee574b86086d986b7177bbc011da11ad647ca8e3edbb76a6901a92fbc197d987f63b45c923aa273023ff070548caf712578e26a84f85c2eeea781ca55661a

memory/4520-283-0x0000000000E40000-0x0000000000E6E000-memory.dmp
memory/4504-288-0x0000000000000000-mapping.dmp