Edit tour
Windows
Analysis Report
Message-0203.xlsm
Overview
General Information
| Sample Name: | Message-0203.xlsm |
| Analysis ID: | 581629 |
| MD5: | 5ae705ad4a1aefe4bb12645c3dc13735 |
| SHA1: | 443dff52ae1209eb566bc8576a89606cbbb79684 |
| SHA256: | d0a4f5b02f1690554ff4a8231ec1307111c1e993a1fe8dcf0ea648b622ca1f0c |
| Tags: | xlsm |
| Infos: |   |
 | |
Detection
Hidden Macro 4.0 Emotet
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Network Activity
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Regsvr32 Command Line Without DLL
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Sigma detected: Excel Network Connections
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Yara detected Xls With Macro 4.0
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Drops PE files to the user directory
Excel documents contains an embedded macro which executes code when the document is opened
Found large amount of non-executed APIs
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w7x64
EXCEL.EXE (PID: 2564 cmdline: "C:\Progra m Files\Mi crosoft Of fice\Offic e14\EXCEL. EXE" /auto mation -Em bedding MD5: D53B85E21886D2AF9815C377537BCAC3) 
regsvr32.exe (PID: 2596 cmdline: C:\Windows \SysWow64\ regsvr32.e xe /s ..\s ei.ocx MD5: 432BE6CF7311062633459EEF6B242FB5) - regsvr32.exe (PID: 804 cmdline:
C:\Windows \SysWOW64\ regsvr32.e xe /s "C:\ Windows\Sy sWOW64\Lja ldgjdjgipu \aeawxmwvt hipuci.vct " MD5: 432BE6CF7311062633459EEF6B242FB5) - regsvr32.exe (PID: 2992 cmdline:
C:\Windows \SysWOW64\ regsvr32.e xe /s "C:\ Windows\Sy sWOW64\Czn slowso\cal qvpiewvvwy .dbx" MD5: 432BE6CF7311062633459EEF6B242FB5) - regsvr32.exe (PID: 1268 cmdline:
C:\Windows \SysWOW64\ regsvr32.e xe /s "C:\ Windows\Sy sWOW64\Xjw krordlwfjj rsq\denp.h wt" MD5: 432BE6CF7311062633459EEF6B242FB5) - regsvr32.exe (PID: 2028 cmdline:
C:\Windows \SysWOW64\ regsvr32.e xe /s "C:\ Windows\Sy sWOW64\Nfx ijadzkwrk\ iqblag.pfc " MD5: 432BE6CF7311062633459EEF6B242FB5) - regsvr32.exe (PID: 1976 cmdline:
C:\Windows \SysWOW64\ regsvr32.e xe /s "C:\ Windows\Sy sWOW64\Gmr nxjonhyj\b hgjeaop.sn b" MD5: 432BE6CF7311062633459EEF6B242FB5) - regsvr32.exe (PID: 2916 cmdline:
C:\Windows \SysWOW64\ regsvr32.e xe /s "C:\ Windows\Sy sWOW64\Cqt akgiqnl\md xf.dnq" MD5: 432BE6CF7311062633459EEF6B242FB5) - regsvr32.exe (PID: 1408 cmdline:
C:\Windows \SysWOW64\ regsvr32.e xe /s "C:\ Windows\Sy sWOW64\Ywu ykrqed\hnk cahocjxiu. ihv" MD5: 432BE6CF7311062633459EEF6B242FB5) - regsvr32.exe (PID: 3056 cmdline:
C:\Windows \SysWOW64\ regsvr32.e xe /s "C:\ Windows\Sy sWOW64\Kud uduzb\uupz .vzi" MD5: 432BE6CF7311062633459EEF6B242FB5) - regsvr32.exe (PID: 2364 cmdline:
C:\Windows \SysWOW64\ regsvr32.e xe /s "C:\ Windows\Sy sWOW64\Jau oyqukniawf r\zjzeofbf oblfhab.px z" MD5: 432BE6CF7311062633459EEF6B242FB5) - regsvr32.exe (PID: 2680 cmdline:
C:\Windows \SysWOW64\ regsvr32.e xe /s "C:\ Windows\Sy sWOW64\Qsk julizjyehb hfo\sevyys bu.jkg" MD5: 432BE6CF7311062633459EEF6B242FB5)
- svchost.exe (PID: 1016 cmdline:
C:\Windows \System32\ svchost.ex e -k WerSv cGroup MD5: C78655BC80301D76ED4FEF1C1EA40A7D)
- cleanup
{"C2 list": ["168.119.39.118:443", "185.168.130.138:443", "168.197.250.14:80", "195.77.239.39:8080", "68.183.93.250:443", "185.184.25.78:8080", "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "61.7.231.226:443", "103.41.204.169:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "191.252.103.16:80", "93.104.209.107:8080", "194.9.172.107:8080", "66.42.57.149:443", "59.148.253.194:443", "62.171.178.147:8080", "139.196.72.155:8080", "198.199.98.78:8080", "185.148.168.15:8080", "195.154.146.35:443", "104.131.62.48:8080", "37.44.244.177:8080", "217.182.143.207:443", "54.38.242.185:443", "185.148.168.220:8080", "203.153.216.46:443", "87.106.97.83:7080", "78.46.73.125:443", "54.37.106.167:8080", "37.59.209.141:8080", "54.37.228.122:443", "61.7.231.229:443", "45.71.195.104:8080", "116.124.128.206:8080", "128.199.192.135:8080", "210.57.209.142:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 17 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| Click to see the 28 entries | ||||
System Summary |   |
|---|
| Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: | ||
| Source: | Author: Dmitriy Lifanov, oscd.community: | ||
| Source: | Author: Florian Roth: | ||
| Source: | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0": | ||
| Source: | Author: frack113: | ||
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 4_2_1002992A | |
Software Vulnerabilities | |
|---|
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | DNS query: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
Networking | |
|---|
| Source: | Network Connect: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | IPs: | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | HTTP traffic detected: | ||