Overview

overview

10

Static

static

8

NOTICE_74572.xls

windows7_x64

10

NOTICE_74572.xls

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    17-05-2022 06:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NOTICE_74572.xls

  • Size

    73KB

  • MD5

    c64292e4b093228141d3531fc50d3faf

  • SHA1

    eacc3c8c7cbdc3ec385615c7485ada4c5cc09af4

  • SHA256

    db606ab69b263ca51c4b5148f7bd8388278a4954234bd1dbe70bfb358e77420a

  • SHA512

    c50c3c29125051d481d723ab7a7eb6dd717ae9e3694dbf09b65b43a974895e17d682331d8b00b9b340f7bc2b0f0b7795af2c83c90a6c6e4c321722ebfece86b7

Score
10/10
emotetepoch5bankertrojan

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://ilriparatutto.eu/tmp/0K1NupyKPeX/

Extracted

Family

emotet

Botnet

Epoch5

C2

93.104.209.107:8080

195.154.146.35:443

202.134.4.210:7080

17.20.148.183:8907

185.148.168.220:8080

68.183.93.250:443

175.126.176.79:8080

77.31.27.120:26351

203.153.216.46:443

202.28.34.99:8080

210.57.209.142:8080

18.229.236.50:18850

36.67.23.59:443

159.69.237.188:443

107.22.159.198:7774

207.148.81.119:8080

54.38.143.246:7080

45.71.195.104:8080

108.159.107.249:48268

45.230.140.156:22366
eck1.plain
eck1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\NOTICE_74572.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe ..\vhdxw.ocx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IrOSF\EULR.dll"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:3528

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\vhdxw.ocx
    Filesize

    364KB

    MD5

    686ab43a0256d0ead904632d5ad3af7c

    SHA1

    491b48e625c3f3828cd197695a6c571fce97811e

    SHA256

    80d754e43df27c9fc6fc6525ddbd6b96e66459200a966b93c2be80936b8e5e37

    SHA512

    9a7cda29794aa07ca61501368f3607fc8c1ecb461725ff98f38a8ea4d38172f64bc4a20d7aeb2046c53d98690d2fcf25050dfadfe5ddfa4f0ed7c2211ac3400c

    Download Submit

  • C:\Users\Admin\vhdxw.ocx
    Filesize

    364KB

    MD5

    686ab43a0256d0ead904632d5ad3af7c

    SHA1

    491b48e625c3f3828cd197695a6c571fce97811e

    SHA256

    80d754e43df27c9fc6fc6525ddbd6b96e66459200a966b93c2be80936b8e5e37

    SHA512

    9a7cda29794aa07ca61501368f3607fc8c1ecb461725ff98f38a8ea4d38172f64bc4a20d7aeb2046c53d98690d2fcf25050dfadfe5ddfa4f0ed7c2211ac3400c

    Download Submit

  • C:\Windows\System32\IrOSF\EULR.dll
    Filesize

    364KB

    MD5

    686ab43a0256d0ead904632d5ad3af7c

    SHA1

    491b48e625c3f3828cd197695a6c571fce97811e

    SHA256

    80d754e43df27c9fc6fc6525ddbd6b96e66459200a966b93c2be80936b8e5e37

    SHA512

    9a7cda29794aa07ca61501368f3607fc8c1ecb461725ff98f38a8ea4d38172f64bc4a20d7aeb2046c53d98690d2fcf25050dfadfe5ddfa4f0ed7c2211ac3400c

    Download Submit

  • memory/4076-140-0x0000000180000000-0x0000000180032000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4256-133-0x00007FFA6B6D0000-0x00007FFA6B6E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4256-136-0x00007FFA68DC0000-0x00007FFA68DD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4256-135-0x00007FFA68DC0000-0x00007FFA68DD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4256-134-0x00007FFA6B6D0000-0x00007FFA6B6E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4256-130-0x00007FFA6B6D0000-0x00007FFA6B6E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4256-132-0x00007FFA6B6D0000-0x00007FFA6B6E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4256-131-0x00007FFA6B6D0000-0x00007FFA6B6E0000-memory.dmp

    Filesize

    64KB

    Download