Sample | 88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df.xls
Size | 40KB
Date | 21-05-2022 13:01
Analysis | behavioral2
MD5 | 35cef72c5abdb47cc705de2459f6bf16
SHA1 | 2639ec69b35fa5633b0555bc61e4feda7ae23994
SHA256 | 88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df
SHA512 | 27c0c534eb18e19a6598b737787a4ce1fa70732d5ca6720070232fc4567b606bce4c2069cd2f15ac341e28af7095b13eb930d099b796d33be4a2b2ccab3ce043
Extracted
Language | xlm4.0
Source |
URLs |
xlm40.dropper | http://jimlowry.com/9tag/Mv2ZYY61NBOf8/
xlm40.dropper | http://stainedglassexpress.com/classes/veV/
Extracted
Family | emotet
Botnet | Epoch4
C2 |
131.100.24.231:80 103.132.242.26:8080 167.172.253.162:8080 149.56.131.28:8080 209.126.98.206:8080 188.44.20.25:443 212.237.17.99:8080 129.232.188.93:443 160.16.142.56:8080 46.55.222.11:443 1.234.2.232:8080 45.235.8.30:8080 185.157.82.211:8080 158.69.222.101:443 185.4.135.165:8080 27.54.89.58:8080 197.242.150.244:8080 153.126.146.25:7080 183.111.227.137:8080 103.75.201.2:443 45.118.115.99:8080 79.137.35.198:8080 172.104.251.154:8080 159.65.88.10:8080 203.114.109.124:443 101.50.0.91:8080 51.254.140.238:7080 206.189.28.199:8080 72.15.201.15:8080 150.95.66.124:8080 201.94.166.162:443 209.97.163.214:443 103.70.28.102:8080 185.8.212.130:7080 216.158.226.206:443 209.250.246.206:443 23.239.0.12:443 164.68.99.3:8080 102.222.215.74:443 134.122.66.193:8080 82.165.152.127:8080 51.91.76.89:8080 189.126.111.200:7080 146.59.226.45:443 163.44.196.120:8080 51.91.7.5:8080 58.227.42.236:80 167.99.115.35:8080 196.218.30.83:443 107.182.225.142:8080 |
eck1.plain |
Signatures
- Emotet
Description | Emotet is a trojan that is primarily spread through spam emails.
- Process spawned unexpected child process (regsvr32.exe)
Description | This typically indicates the parent process was compromised via an exploit or macro.
Reported IOCs
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 5032 | 920 | regsvr32.exe | EXCEL.EXE
- suricata: ET MALWARE W32/Emotet CnC Beacon 3
- Downloads MZ/PE file
- Loads dropped DLL (regsvr32.exe)
Reported IOCs
pid | process
5032 | regsvr32.exe
- Checks processor information in registry (EXCEL.EXE)
Description | Processor information is often read in order to detect sandboxing environments.
Reported IOCs
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
- Enumerates system info in registry (EXCEL.EXE)
Reported IOCs
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (EXCEL.EXE)
Reported IOCs
pid | process
920 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (regsvr32.exe)
Reported IOCs
pid | process
3916 | regsvr32.exe (reported 2 times)
- Suspicious use of SetWindowsHookEx (EXCEL.EXE)
Reported IOCs
pid | process
920 | EXCEL.EXE (reported 12 times)
- Suspicious use of WriteProcessMemory (EXCEL.EXE, regsvr32.exe)
Reported IOCs
description | pid | process | target process
PID 920 wrote to memory of 5032 | 920 | EXCEL.EXE | regsvr32.exe (reported 2 times)
PID 5032 wrote to memory of 3916 | 5032 | regsvr32.exe | regsvr32.exe (reported 2 times)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df.xls"
Signatures | Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
- C:\Windows\System32\regsvr32.exe
Command line | C:\Windows\System32\regsvr32.exe ..\wurod.ocx
Signatures | Process spawned unexpected child process; Loads dropped DLL; Suspicious use of WriteProcessMemory
- C:\Windows\system32\regsvr32.exe
Command line | C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PBfrpSLKbfrJRPfi\OremM.dll"
Signatures | Suspicious behavior: EnumeratesProcesses
Dropped files
- C:\Users\Admin\wurod.ocx
MD5 | da62d4579c6b23dbe17bba881b46270c
SHA1 | 4eaf998fedc5f3d0d1059ca2887d9a9c2033e87a
SHA256 | e73f8bf7bef8ec4200fe4b989dd8d19d64486cf2461f6adc867f0199c556065a
SHA512 | 0ecf5682e1817e5b9063930ea4d81621e6c125ad0578df39bfc611ac6f604c63ffdd01bbb251cfc8960a3d16a11ed4bb07accb47d0fa34dd046917d85a50020c
- \Users\Admin\wurod.ocx (same file as above, listed again without the drive letter; identical MD5, SHA1, SHA256 and SHA512)
Memory dumps
- memory/920-118-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
- memory/920-121-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
- memory/920-130-0x00007FFE768A0000-0x00007FFE768B0000-memory.dmp
- memory/920-131-0x00007FFE768A0000-0x00007FFE768B0000-memory.dmp
- memory/920-119-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
- memory/920-120-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
- memory/3916-277-0x0000000000000000-mapping.dmp
- memory/5032-268-0x0000000000000000-mapping.dmp
- memory/5032-271-0x0000000180000000-0x0000000180030000-memory.dmp