General
Target: 88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df.xls
Filesize: 40KB
Completed: 21-05-2022 13:01
Task: behavioral2
Score: 10/10
MD5: 35cef72c5abdb47cc705de2459f6bf16
SHA1: 2639ec69b35fa5633b0555bc61e4feda7ae23994
SHA256: 88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df
SHA512: 27c0c534eb18e19a6598b737787a4ce1fa70732d5ca6720070232fc4567b606bce4c2069cd2f15ac341e28af7095b13eb930d099b796d33be4a2b2ccab3ce043

Malware Config

Extracted
  Language: xlm4.0
  Source: xlm40.dropper
  URLs:
    http://jimlowry.com/9tag/Mv2ZYY61NBOf8/
    http://stainedglassexpress.com/classes/veV/

Extracted
  Family: emotet
  Botnet: Epoch4
  C2:

eck1.plain
Signatures 11


Discovery
  • Emotet
    Description: Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process (regsvr32.exe)
    Description: This typically indicates the parent process was compromised via an exploit or macro.
    Reported IOCs:
      description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; pid: 5032; pid_target: 920; process: regsvr32.exe; target process: EXCEL.EXE

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3
    Description: suricata: ET MALWARE W32/Emotet CnC Beacon 3

  • Downloads MZ/PE file

  • Loads dropped DLL (regsvr32.exe)
    Reported IOCs:
      pid: 5032; process: regsvr32.exe

  • Checks processor information in registry (EXCEL.EXE)
    Description: Processor information is often read in order to detect sandboxing environments.
    TTPs: Query Registry, System Information Discovery
    Reported IOCs:
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
      Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)

  • Enumerates system info in registry (EXCEL.EXE)
    TTPs: Query Registry, System Information Discovery
    Reported IOCs:
      Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)

  • Suspicious behavior: AddClipboardFormatListener (EXCEL.EXE)
    Reported IOCs:
      pid: 920; process: EXCEL.EXE

  • Suspicious behavior: EnumeratesProcesses (regsvr32.exe)
    Reported IOCs:
      pid: 3916; process: regsvr32.exe (2 events)

  • Suspicious use of SetWindowsHookEx (EXCEL.EXE)
    Reported IOCs:
      pid: 920; process: EXCEL.EXE (12 events)

  • Suspicious use of WriteProcessMemory (EXCEL.EXE, regsvr32.exe)
    Reported IOCs:
      PID 920 wrote to memory of 5032; pid: 920; process: EXCEL.EXE; target process: regsvr32.exe (2 events)
      PID 5032 wrote to memory of 3916; pid: 5032; process: regsvr32.exe; target process: regsvr32.exe (2 events)
Processes 3
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df.xls"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:920
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe ..\wurod.ocx
      Process spawned unexpected child process
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PBfrpSLKbfrJRPfi\OremM.dll"
        Suspicious behavior: EnumeratesProcesses
        PID:3916
Network
MITRE ATT&CK Matrix
Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads
  • C:\Users\Admin\wurod.ocx
    MD5: da62d4579c6b23dbe17bba881b46270c
    SHA1: 4eaf998fedc5f3d0d1059ca2887d9a9c2033e87a
    SHA256: e73f8bf7bef8ec4200fe4b989dd8d19d64486cf2461f6adc867f0199c556065a
    SHA512: 0ecf5682e1817e5b9063930ea4d81621e6c125ad0578df39bfc611ac6f604c63ffdd01bbb251cfc8960a3d16a11ed4bb07accb47d0fa34dd046917d85a50020c

  • \Users\Admin\wurod.ocx
    MD5: da62d4579c6b23dbe17bba881b46270c
    SHA1: 4eaf998fedc5f3d0d1059ca2887d9a9c2033e87a
    SHA256: e73f8bf7bef8ec4200fe4b989dd8d19d64486cf2461f6adc867f0199c556065a
    SHA512: 0ecf5682e1817e5b9063930ea4d81621e6c125ad0578df39bfc611ac6f604c63ffdd01bbb251cfc8960a3d16a11ed4bb07accb47d0fa34dd046917d85a50020c

  • memory/920-118-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
  • memory/920-121-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
  • memory/920-130-0x00007FFE768A0000-0x00007FFE768B0000-memory.dmp
  • memory/920-131-0x00007FFE768A0000-0x00007FFE768B0000-memory.dmp
  • memory/920-119-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
  • memory/920-120-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
  • memory/3916-277-0x0000000000000000-mapping.dmp
  • memory/5032-268-0x0000000000000000-mapping.dmp
  • memory/5032-271-0x0000000180000000-0x0000000180030000-memory.dmp