Analysis
- max time kernel: 150s
- max time network: 135s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 21-05-2022 12:58

Behavioral task: behavioral1
Sample: 88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df.xls
Resource: win10-20220414-en
General
- Target: 88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df.xls
- Size: 40KB
- MD5: 35cef72c5abdb47cc705de2459f6bf16
- SHA1: 2639ec69b35fa5633b0555bc61e4feda7ae23994
- SHA256: 88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df
- SHA512: 27c0c534eb18e19a6598b737787a4ce1fa70732d5ca6720070232fc4567b606bce4c2069cd2f15ac341e28af7095b13eb930d099b796d33be4a2b2ccab3ce043
Malware Config

Extracted
| Language | xlm4.0 | |
| Source | | |
| URLs | xlm40.dropper | http://jimlowry.com/9tag/Mv2ZYY61NBOf8/ |
| | xlm40.dropper | http://stainedglassexpress.com/classes/veV/ |

Extracted
| Family | emotet |
| Botnet | Epoch4 |
| eck1.plain | |
| eck1.plain | |
Signatures

Process spawned unexpected child process ⋅ 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
| description | pid | pid_target | process | target process |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 5032 | 920 | regsvr32.exe | EXCEL.EXE |
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3

Downloads MZ/PE file

Loads dropped DLL ⋅ 1 IoCs
Processes:
| pid | process |
| 5032 | regsvr32.exe |
Checks processor information in registry ⋅ 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
| description | ioc | process |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE |

Enumerates system info in registry ⋅ 2 TTPs 3 IoCs
Processes:
| description | ioc | process |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE |
Suspicious behavior: AddClipboardFormatListener ⋅ 1 IoCs
Processes:
| pid | process |
| 920 | EXCEL.EXE |

Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
Processes:
| pid | process |
| 3916 | regsvr32.exe |
| 3916 | regsvr32.exe |

Suspicious use of SetWindowsHookEx ⋅ 12 IoCs
Processes:
| pid | process |
| 920 | EXCEL.EXE | (12 identical entries)

Suspicious use of WriteProcessMemory ⋅ 4 IoCs
Processes:
| description | pid | process | target process |
| PID 920 wrote to memory of 5032 | 920 | EXCEL.EXE | regsvr32.exe |
| PID 920 wrote to memory of 5032 | 920 | EXCEL.EXE | regsvr32.exe |
| PID 5032 wrote to memory of 3916 | 5032 | regsvr32.exe | regsvr32.exe |
| PID 5032 wrote to memory of 3916 | 5032 | regsvr32.exe | regsvr32.exe |
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df.xls"
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
- C:\Windows\System32\regsvr32.exe
  Command line: C:\Windows\System32\regsvr32.exe ..\wurod.ocx
  Signatures: Process spawned unexpected child process; Loads dropped DLL; Suspicious use of WriteProcessMemory
- C:\Windows\system32\regsvr32.exe
  Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PBfrpSLKbfrJRPfi\OremM.dll"
  Signatures: Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\wurod.ocx
  MD5: da62d4579c6b23dbe17bba881b46270c
  SHA1: 4eaf998fedc5f3d0d1059ca2887d9a9c2033e87a
  SHA256: e73f8bf7bef8ec4200fe4b989dd8d19d64486cf2461f6adc867f0199c556065a
  SHA512: 0ecf5682e1817e5b9063930ea4d81621e6c125ad0578df39bfc611ac6f604c63ffdd01bbb251cfc8960a3d16a11ed4bb07accb47d0fa34dd046917d85a50020c
- \Users\Admin\wurod.ocx
  MD5: da62d4579c6b23dbe17bba881b46270c
  SHA1: 4eaf998fedc5f3d0d1059ca2887d9a9c2033e87a
  SHA256: e73f8bf7bef8ec4200fe4b989dd8d19d64486cf2461f6adc867f0199c556065a
  SHA512: 0ecf5682e1817e5b9063930ea4d81621e6c125ad0578df39bfc611ac6f604c63ffdd01bbb251cfc8960a3d16a11ed4bb07accb47d0fa34dd046917d85a50020c
- memory/920-118-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
- memory/920-119-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
- memory/920-120-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
- memory/920-121-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
- memory/920-130-0x00007FFE768A0000-0x00007FFE768B0000-memory.dmp
- memory/920-131-0x00007FFE768A0000-0x00007FFE768B0000-memory.dmp
- memory/3916-277-0x0000000000000000-mapping.dmp
- memory/5032-268-0x0000000000000000-mapping.dmp
- memory/5032-271-0x0000000180000000-0x0000000180030000-memory.dmp