Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2024 17:36
Behavioral task
behavioral1
Sample
f29002bbf4f3da19b6173627c53d90ac653a44c0614aaa46e264a6bb2e3539a7.xls
Resource
win7-20240903-en
General
-
Target
f29002bbf4f3da19b6173627c53d90ac653a44c0614aaa46e264a6bb2e3539a7.xls
-
Size
40KB
-
MD5
43404c9ff5a00c28704e25a7b8d2de3e
-
SHA1
f82b66098bf91ef2e63f500480d1c8ebf5db7d28
-
SHA256
f29002bbf4f3da19b6173627c53d90ac653a44c0614aaa46e264a6bb2e3539a7
-
SHA512
2d90e0fb7bd4ebc69efd3763e2e9b38e9d7d7108f8f820d8afcfbe9fd8303b8bc620a1c95efb4c30882e6c8c25179561a5f4523b1df4001c487fe636153a7b8d
-
SSDEEP
768:pkZKpb8rGYrMPe3q7Q0XV5xtezEs/68/dgAdCBn9kC+xbqc6q+otrvEVLcAI:p+Kpb8rGYrMPe3q7Q0XV5xtezEsi8/d5
Malware Config
Extracted
https://www.itesmeitic.com/term/IFjx5ElE0ldr8wDDHjub/
https://www.ingonherbal.com/application/PhEbceg4Tx/
Extracted
emotet
Epoch4
131.100.24.231:80
103.132.242.26:8080
167.172.253.162:8080
149.56.131.28:8080
209.126.98.206:8080
188.44.20.25:443
212.237.17.99:8080
129.232.188.93:443
160.16.142.56:8080
46.55.222.11:443
1.234.2.232:8080
45.235.8.30:8080
185.157.82.211:8080
158.69.222.101:443
185.4.135.165:8080
27.54.89.58:8080
197.242.150.244:8080
153.126.146.25:7080
183.111.227.137:8080
103.75.201.2:443
45.118.115.99:8080
79.137.35.198:8080
172.104.251.154:8080
159.65.88.10:8080
203.114.109.124:443
101.50.0.91:8080
51.254.140.238:7080
206.189.28.199:8080
72.15.201.15:8080
150.95.66.124:8080
201.94.166.162:443
209.97.163.214:443
103.70.28.102:8080
185.8.212.130:7080
216.158.226.206:443
209.250.246.206:443
23.239.0.12:443
164.68.99.3:8080
102.222.215.74:443
134.122.66.193:8080
82.165.152.127:8080
51.91.76.89:8080
189.126.111.200:7080
146.59.226.45:443
163.44.196.120:8080
51.91.7.5:8080
58.227.42.236:80
167.99.115.35:8080
196.218.30.83:443
107.182.225.142:8080
151.106.112.196:8080
91.207.28.33:8080
94.23.45.86:4143
103.43.46.182:443
45.176.232.124:443
5.9.116.246:8080
173.212.193.249:8080
1.234.21.73:7080
212.24.98.99:8080
213.241.20.155:443
110.232.117.186:8080
77.81.247.144:8080
119.193.124.41:7080
Signatures
-
Emotet family
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4972 3948 regsvr32.exe 82 -
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
pid Process 4972 regsvr32.exe 4620 regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3948 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4620 regsvr32.exe 4620 regsvr32.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3948 EXCEL.EXE 3948 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 3948 EXCEL.EXE 3948 EXCEL.EXE 3948 EXCEL.EXE 3948 EXCEL.EXE 3948 EXCEL.EXE 3948 EXCEL.EXE 3948 EXCEL.EXE 3948 EXCEL.EXE 3948 EXCEL.EXE 3948 EXCEL.EXE 3948 EXCEL.EXE 3948 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3948 wrote to memory of 4972 3948 EXCEL.EXE 94 PID 3948 wrote to memory of 4972 3948 EXCEL.EXE 94 PID 4972 wrote to memory of 4620 4972 regsvr32.exe 95 PID 4972 wrote to memory of 4620 4972 regsvr32.exe 95
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f29002bbf4f3da19b6173627c53d90ac653a44c0614aaa46e264a6bb2e3539a7.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe ..\wurod.ocx2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\QpJlucBwVtTIC\ZWYLdGpw.dll"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4620
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize1KB
MD5befe9ea0d49ba6e663aff1f3446c55c4
SHA1c0e817038dc3ba8e9ea16f34f8120a5c97c90f7e
SHA256ce557f2d8862984faa1c0c1c112944f969b009d74c2c90be145d8ca512878e79
SHA51288ad2b326ccea6c4dbfa08d7becdcb65fc4f5aa0cc2d90ee16d66478f5245160e3ce8bd931d37ddb89b6d9f90fb49f37da29189440b5c004c4eb4ada0d7dfbaf
-
Filesize
532KB
MD5477ae271369180cbbb395906dd62cc99
SHA171286680dd8b667ea88fcd8424cb4fd9b33816d4
SHA256d8d1c87acea954ae4167c6d3524063f44e40019b0995fecbb1ac22b49b404db6
SHA51295b610e74cb77938e640c60dfe066c472aac0d78dfb501f03151cccaf22ac23de399e20f29ea1a3d073a40e4624fb741fddb19007f0fdf726252e8ec2022e80a