Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/11/2024, 21:35
Behavioral task
behavioral1
Sample
c911d0ce249b8f215c7b5a8fc5b8e5d02bdf4c5566a2d1727a40bc23fca46c5a.xls
Resource
win7-20240903-en
General
-
Target
c911d0ce249b8f215c7b5a8fc5b8e5d02bdf4c5566a2d1727a40bc23fca46c5a.xls
-
Size
40KB
-
MD5
b5bda83d748d7e6a1f44b3a18a51fdfe
-
SHA1
658c6abda0b3730c50e1e2298b5954193ff8a983
-
SHA256
c911d0ce249b8f215c7b5a8fc5b8e5d02bdf4c5566a2d1727a40bc23fca46c5a
-
SHA512
fbd9196360afae95de5bc5df1aca5ed434f372d219fb495e51bf1c11cf331c7e0e68cdc9ba3445f03b5745c2ccd94b921cfba5b6d1d3378db829ce173e67e635
-
SSDEEP
768:pkZKpb8rGYrMPe3q7Q0XV5xtezEs/68/dgAdCBn9kC+xbqc6q+otrvEVLcAA:p+Kpb8rGYrMPe3q7Q0XV5xtezEsi8/d5
Malware Config
Extracted
https://www.itesmeitic.com/term/IFjx5ElE0ldr8wDDHjub/
https://www.ingonherbal.com/application/PhEbceg4Tx/
Extracted
emotet
Epoch4
131.100.24.231:80
103.132.242.26:8080
167.172.253.162:8080
149.56.131.28:8080
209.126.98.206:8080
188.44.20.25:443
212.237.17.99:8080
129.232.188.93:443
160.16.142.56:8080
46.55.222.11:443
1.234.2.232:8080
45.235.8.30:8080
185.157.82.211:8080
158.69.222.101:443
185.4.135.165:8080
27.54.89.58:8080
197.242.150.244:8080
153.126.146.25:7080
183.111.227.137:8080
103.75.201.2:443
45.118.115.99:8080
79.137.35.198:8080
172.104.251.154:8080
159.65.88.10:8080
203.114.109.124:443
101.50.0.91:8080
51.254.140.238:7080
206.189.28.199:8080
72.15.201.15:8080
150.95.66.124:8080
201.94.166.162:443
209.97.163.214:443
103.70.28.102:8080
185.8.212.130:7080
216.158.226.206:443
209.250.246.206:443
23.239.0.12:443
164.68.99.3:8080
102.222.215.74:443
134.122.66.193:8080
82.165.152.127:8080
51.91.76.89:8080
189.126.111.200:7080
146.59.226.45:443
163.44.196.120:8080
51.91.7.5:8080
58.227.42.236:80
167.99.115.35:8080
196.218.30.83:443
107.182.225.142:8080
151.106.112.196:8080
91.207.28.33:8080
94.23.45.86:4143
103.43.46.182:443
45.176.232.124:443
5.9.116.246:8080
173.212.193.249:8080
1.234.21.73:7080
212.24.98.99:8080
213.241.20.155:443
110.232.117.186:8080
77.81.247.144:8080
119.193.124.41:7080
Signatures
-
Emotet family
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4964 4500 regsvr32.exe 82 -
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
pid Process 4964 regsvr32.exe 4316 regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4500 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4316 regsvr32.exe 4316 regsvr32.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4500 EXCEL.EXE 4500 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 4500 EXCEL.EXE 4500 EXCEL.EXE 4500 EXCEL.EXE 4500 EXCEL.EXE 4500 EXCEL.EXE 4500 EXCEL.EXE 4500 EXCEL.EXE 4500 EXCEL.EXE 4500 EXCEL.EXE 4500 EXCEL.EXE 4500 EXCEL.EXE 4500 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4500 wrote to memory of 4964 4500 EXCEL.EXE 99 PID 4500 wrote to memory of 4964 4500 EXCEL.EXE 99 PID 4964 wrote to memory of 4316 4964 regsvr32.exe 100 PID 4964 wrote to memory of 4316 4964 regsvr32.exe 100
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\c911d0ce249b8f215c7b5a8fc5b8e5d02bdf4c5566a2d1727a40bc23fca46c5a.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe ..\wurod.ocx2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\PwBdCkHvbXI\ZaLHUtZ.dll"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4316
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
532KB
MD5477ae271369180cbbb395906dd62cc99
SHA171286680dd8b667ea88fcd8424cb4fd9b33816d4
SHA256d8d1c87acea954ae4167c6d3524063f44e40019b0995fecbb1ac22b49b404db6
SHA51295b610e74cb77938e640c60dfe066c472aac0d78dfb501f03151cccaf22ac23de399e20f29ea1a3d073a40e4624fb741fddb19007f0fdf726252e8ec2022e80a