General

Target: 2414403ef30664ec26da4da73b06b3144014d5264058f021028a23b6934610c7.xls
Filesize: 70KB
Completed: 21-05-2022 17:01
Task: behavioral2
Score: 10/10
MD5: 7e566d44be516beae7dda38c3920a41b
SHA1: 9dec14d45c8b4af209238c0796a6232da103e1a5
SHA256: 2414403ef30664ec26da4da73b06b3144014d5264058f021028a23b6934610c7
SHA512: ece463aae972e7a165326b3f60c0d559be3a1a41720bf1a42cd277394e76de1d38f70d6340b09e2bbd0b92f88fdb11e244df17cfd936ec8993c46b5704b00b80

Malware Config

Extracted

Language: xlm4.0

Source | URL
xlm40.dropper | http://farschid.de/verkaufsberater_service/OZRw36a2y1CH2clUzY/
xlm40.dropper | http://77homolog.com.br/dev-jealves/GP55wbYNXnp6/
xlm40.dropper | http://geowf.ge/templates/pJRea3Iu3wG/

Extracted

Family: emotet
Botnet: Epoch4
C2

eck1.plain
ecs1.plain
Signatures (12)

Filter: none

Discovery
  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process
    regsvr32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4816 | 2656 | regsvr32.exe | EXCEL.EXE
  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Description

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Tags

  • Downloads MZ/PE file
  • Loads dropped DLL
    regsvr32.exe

    Reported IOCs

    pid | process
    4816 | regsvr32.exe
  • Drops file in System32 directory
    regsvr32.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\system32\Siyzcvhe\hrgdkyt.sux | regsvr32.exe
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    2656 | EXCEL.EXE
  • Suspicious behavior: EnumeratesProcesses
    regsvr32.exe

    Reported IOCs

    pid | process
    4540 | regsvr32.exe (2 occurrences)
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    2656 | EXCEL.EXE (12 occurrences)
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE, regsvr32.exe

    Reported IOCs

    description | pid | process | target process
    PID 2656 wrote to memory of 4816 | 2656 | EXCEL.EXE | regsvr32.exe (2 occurrences)
    PID 4816 wrote to memory of 4540 | 4816 | regsvr32.exe | regsvr32.exe (2 occurrences)
Processes (3)
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2414403ef30664ec26da4da73b06b3144014d5264058f021028a23b6934610c7.xls"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe ..\xdwno.ocx
      Process spawned unexpected child process
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Siyzcvhe\hrgdkyt.sux"
        Suspicious behavior: EnumeratesProcesses
        PID:4540
Network

MITRE ATT&CK Matrix

Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\xdwno.ocx (also reported as \Users\Admin\xdwno.ocx)
    MD5: 0a339089210feb211b398e69d78f515e
    SHA1: d840d9215c9343e2c96a4621008e3d258c4983c0
    SHA256: 6f940b3ce9692475698569cda498f77736f12697183bc6dd1b839aea3cd573c3
    SHA512: 09c80205a4495659b28448540578362f0c2ff4624e40d857a8c63d0e8d02f909edab50af556d834dd4c648858174fb2961fa7acaac730c50b02993b4c74d85be