Analysis

  • max time kernel
    4294210s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    15-03-2022 00:15

General

  • Target

    100995087022771591994.xlsm

  • Size

    48KB

  • MD5

    1655267f2eef17c7bea81ee6cf65fbf9

  • SHA1

    dd062a715bd8eee2b8b4d30e6786e5b108b63c1a

  • SHA256

    8e586a928eecac9fa5b4dd6980915389f0092c6ec968ffe90dc4ccf3504ae578

  • SHA512

    3b0f05743a81756ef75e8da15e393f40365c71d7e986141bfb467acd8a232581cc5bd01953ed61b6129652ebd9517b1282f01fbbe2e808aa70dc3c906bbb726d

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.arkpp.com/ARIS-BSU/9K1/

Extracted

Family

emotet

Botnet

Epoch4

C2

217.182.143.248:8080

185.4.135.27:8080

192.99.251.50:443

146.59.226.45:443

162.214.118.104:8080

195.154.133.20:443

103.75.201.2:443

5.9.116.246:8080

177.87.70.10:8080

31.24.158.56:8080

103.75.201.4:443

158.69.222.101:443

185.157.82.211:8080

185.8.212.130:7080

186.250.48.117:7080

110.232.117.186:8080

46.55.222.11:443

196.218.30.83:443

51.91.7.5:8080

176.56.128.118:443

eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\100995087022771591994.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWow64\regsvr32.exe
      C:\Windows\SysWow64\regsvr32.exe -s ..\fbd.dll
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Mqbagvsjrsk\umkavawuizq.cpx"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\fbd.dll
    MD5

    4012125d310517ab80092b2e57be9adf

    SHA1

    4ce026cff287d6fc837b7d4b91708977b428d2be

    SHA256

    b3a8cd8951e1570f5ef1dd064628ae618848ee262ec69d0d1664138a34a8635d

    SHA512

    2c58f266aec3bda265abd363e94dd07db192c1bb57c736da499f9b1df2fdd90885c0036694e76469461ffefe478a20dee2c73f987ee5bce32b7a1c3445d7c29a

  • \Users\Admin\fbd.dll
    MD5

    4012125d310517ab80092b2e57be9adf

    SHA1

    4ce026cff287d6fc837b7d4b91708977b428d2be

    SHA256

    b3a8cd8951e1570f5ef1dd064628ae618848ee262ec69d0d1664138a34a8635d

    SHA512

    2c58f266aec3bda265abd363e94dd07db192c1bb57c736da499f9b1df2fdd90885c0036694e76469461ffefe478a20dee2c73f987ee5bce32b7a1c3445d7c29a

  • memory/1728-58-0x0000000075271000-0x0000000075273000-memory.dmp
    Filesize

    8KB

  • memory/1728-61-0x0000000010000000-0x0000000010028000-memory.dmp
    Filesize

    160KB

  • memory/2016-54-0x000000002F7E1000-0x000000002F7E4000-memory.dmp
    Filesize

    12KB

  • memory/2016-55-0x0000000070F01000-0x0000000070F03000-memory.dmp
    Filesize

    8KB

  • memory/2016-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/2016-57-0x0000000071EED000-0x0000000071EF8000-memory.dmp
    Filesize

    44KB