Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    21-05-2022 12:58

General

  • Target

    88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df.xls

  • Size

    40KB

  • MD5

    35cef72c5abdb47cc705de2459f6bf16

  • SHA1

    2639ec69b35fa5633b0555bc61e4feda7ae23994

  • SHA256

    88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df

  • SHA512

    27c0c534eb18e19a6598b737787a4ce1fa70732d5ca6720070232fc4567b606bce4c2069cd2f15ac341e28af7095b13eb930d099b796d33be4a2b2ccab3ce043

Malware Config

Extracted

Language xlm4.0
Source
URLs
xlm40.dropper

http://jimlowry.com/9tag/Mv2ZYY61NBOf8/

xlm40.dropper

http://stainedglassexpress.com/classes/veV/

Extracted

Family

emotet

Botnet

Epoch4

C2

131.100.24.231:80

103.132.242.26:8080

167.172.253.162:8080

149.56.131.28:8080

209.126.98.206:8080

188.44.20.25:443

212.237.17.99:8080

129.232.188.93:443

160.16.142.56:8080

46.55.222.11:443

1.234.2.232:8080

45.235.8.30:8080

185.157.82.211:8080

158.69.222.101:443

185.4.135.165:8080

27.54.89.58:8080

197.242.150.244:8080

153.126.146.25:7080

183.111.227.137:8080

103.75.201.2:443

eck1.plain
eck1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process ⋅ 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

  • Downloads MZ/PE file
  • Loads dropped DLL ⋅ 1 IoCs
  • Checks processor information in registry ⋅ 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry ⋅ 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener ⋅ 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 12 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df.xls"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:920
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe ..\wurod.ocx
      Process spawned unexpected child process
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PBfrpSLKbfrJRPfi\OremM.dll"
        Suspicious behavior: EnumeratesProcesses
        PID:3916

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Persistence

                      Privilege Escalation

                        Replay Monitor

                        00:00 00:00

                        Downloads

                        • C:\Users\Admin\wurod.ocx
                          MD5

                          da62d4579c6b23dbe17bba881b46270c

                          SHA1

                          4eaf998fedc5f3d0d1059ca2887d9a9c2033e87a

                          SHA256

                          e73f8bf7bef8ec4200fe4b989dd8d19d64486cf2461f6adc867f0199c556065a

                          SHA512

                          0ecf5682e1817e5b9063930ea4d81621e6c125ad0578df39bfc611ac6f604c63ffdd01bbb251cfc8960a3d16a11ed4bb07accb47d0fa34dd046917d85a50020c

                        • \Users\Admin\wurod.ocx
                          MD5

                          da62d4579c6b23dbe17bba881b46270c

                          SHA1

                          4eaf998fedc5f3d0d1059ca2887d9a9c2033e87a

                          SHA256

                          e73f8bf7bef8ec4200fe4b989dd8d19d64486cf2461f6adc867f0199c556065a

                          SHA512

                          0ecf5682e1817e5b9063930ea4d81621e6c125ad0578df39bfc611ac6f604c63ffdd01bbb251cfc8960a3d16a11ed4bb07accb47d0fa34dd046917d85a50020c

                        • memory/920-118-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
                        • memory/920-119-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
                        • memory/920-120-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
                        • memory/920-121-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp
                        • memory/920-130-0x00007FFE768A0000-0x00007FFE768B0000-memory.dmp
                        • memory/920-131-0x00007FFE768A0000-0x00007FFE768B0000-memory.dmp
                        • memory/3916-277-0x0000000000000000-mapping.dmp
                        • memory/5032-268-0x0000000000000000-mapping.dmp
                        • memory/5032-271-0x0000000180000000-0x0000000180030000-memory.dmp