Edit tour
Windows
Analysis Report
allegati_23052022.xls
Overview
General Information
Detection
Hidden Macro 4.0, Emotet
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Office process drops PE file
Found Excel 4.0 Macro with suspicious formulas
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Found inlined nop instructions (likely shell or obfuscated code)
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Drops PE files to the user directory
Found large amount of non-executed APIs
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w7x64
- EXCEL.EXE (PID: 2292 cmdline:
"C:\Progra m Files\Mi crosoft Of fice\Offic e14\EXCEL. EXE" /auto mation -Em bedding MD5: D53B85E21886D2AF9815C377537BCAC3) - regsvr32.exe (PID: 2372 cmdline:
C:\Windows \System32\ regsvr32.e xe /S ..\c usoa1.ocx MD5: 59BCE9F07985F8A4204F4D6554CFF708) - regsvr32.exe (PID: 1200 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\TURzt\ TXqeznNbFa nh.dll" MD5: 59BCE9F07985F8A4204F4D6554CFF708) - regsvr32.exe (PID: 1472 cmdline:
C:\Windows \System32\ regsvr32.e xe /S ..\c usoa2.ocx MD5: 59BCE9F07985F8A4204F4D6554CFF708) - regsvr32.exe (PID: 1464 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\KIMRaX PqDerXJoZF \aRgQEkQ.d ll" MD5: 59BCE9F07985F8A4204F4D6554CFF708) - regsvr32.exe (PID: 2428 cmdline:
C:\Windows \System32\ regsvr32.e xe /S ..\c usoa3.ocx MD5: 59BCE9F07985F8A4204F4D6554CFF708) - regsvr32.exe (PID: 1112 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\IyXmTo N\lzIgCVr. dll" MD5: 59BCE9F07985F8A4204F4D6554CFF708) - regsvr32.exe (PID: 2608 cmdline:
C:\Windows \System32\ regsvr32.e xe /S ..\c usoa4.ocx MD5: 59BCE9F07985F8A4204F4D6554CFF708) - regsvr32.exe (PID: 2836 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\TlAadb HyBMqq\YRF xrLtktkh.d ll" MD5: 59BCE9F07985F8A4204F4D6554CFF708)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
Click to see the 11 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
Click to see the 11 entries |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | File opened: | Jump to behavior |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Code function: | 3_2_1003036C | |
Source: | Code function: | 3_2_10030FE0 | |
Source: | Code function: | 4_2_1003036C | |
Source: | Code function: | 4_2_10030FE0 | |
Source: | Code function: | 4_2_000000018000BEF0 | |
Source: | Code function: | 6_2_000000018000BEF0 | |
Source: | Code function: | 8_2_000000018000BEF0 | |
Source: | Code function: | 10_2_000000018000BEF0 |
Software Vulnerabilities |
---|
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior |
Source: | Process created: |
Source: | Section loaded: | Jump to behavior |
Source: | DNS query: |
Source: | Code function: | 3_2_10002200 | |
Source: | Code function: | 3_2_1004F04C | |
Source: | Code function: | 3_2_1004F08C | |
Source: | Code function: | 3_2_1004F0C4 | |
Source: | Code function: | 3_2_1004F10C | |
Source: | Code function: | 3_2_1004F1B1 | |
Source: | Code function: | 3_2_10047500 | |
Source: | Code function: | 3_2_1003D560 | |
Source: | Code function: | 3_2_1004F8A0 | |
Source: | Code function: | 3_2_100398D0 | |
Source: | Code function: | 3_2_10048AF0 | |
Source: | Code function: | 3_2_10001B20 | |
Source: | Code function: | 3_2_1004EBF0 | |
Source: | Code function: | 3_2_1004ECE8 | |
Source: | Code function: | 3_2_1004ED79 | |
Source: | Code function: | 3_2_10039DD0 | |
Source: | Code function: | 3_2_1004EE1D | |
Source: | Code function: | 3_2_1004EE78 | |
Source: | Code function: | 3_2_1004DE90 | |
Source: | Code function: | 3_2_1004DE90 | |
Source: | Code function: | 3_2_1004DE90 | |
Source: | Code function: | 3_2_1004DE90 | |
Source: | Code function: | 3_2_1004EF1E | |
Source: | Code function: | 3_2_1004EFB9 | |
Source: | Code function: | 3_2_1004EFDE | |
Source: | Code function: | 4_2_10002200 | |
Source: | Code function: | 4_2_1004F04C | |
Source: | Code function: | 4_2_1004F08C | |
Source: | Code function: | 4_2_1004F0C4 | |
Source: | Code function: | 4_2_1004F10C | |
Source: | Code function: | 4_2_1004F1B1 | |
Source: | Code function: | 4_2_10047500 | |
Source: | Code function: | 4_2_1003D560 | |
Source: | Code function: | 4_2_1004F8A0 | |
Source: | Code function: | 4_2_100398D0 | |
Source: | Code function: | 4_2_10048AF0 | |
Source: | Code function: | 4_2_10001B20 | |
Source: | Code function: | 4_2_1004EBF0 | |
Source: | Code function: | 4_2_1004ECE8 | |
Source: | Code function: | 4_2_1004ED79 | |
Source: | Code function: | 4_2_10039DD0 | |
Source: | Code function: | 4_2_1004EE1D | |
Source: | Code function: | 4_2_1004EE78 | |
Source: | Code function: | 4_2_1004DE90 | |
Source: | Code function: | 4_2_1004DE90 | |
Source: | Code function: | 4_2_1004DE90 | |
Source: | Code function: | 4_2_1004DE90 | |
Source: | Code function: | 4_2_1004EF1E | |
Source: | Code function: | 4_2_1004EFB9 | |
Source: | Code function: | 4_2_1004EFDE |
Source: | TCP traffic: |
Source: | TCP traffic: |
Networking |
---|
Source: | Network Connect: | Jump to behavior |
Source: | JA3 fingerprint: |
Source: | IP Address: |
Source: | HTTP traffic detected: |