General
Target

0d75c0d596711a82fce15125c0e964cf57e3735f0e67540e6e274f45826a53d0.xls

Filesize

78KB

Completed

21-05-2022 18:09

Task

behavioral2

Score
10/10
MD5

42ec184c4712f82f4f1133be7127e053

SHA1

2059499dae78ef3a3919b23603053feb611800f2

SHA256

0d75c0d596711a82fce15125c0e964cf57e3735f0e67540e6e274f45826a53d0

SHA512

eacb85d8f94078dc6504fb9bd6f3913938b5658694fa004d6cf161ed8ce0f0861cffa39cbf5c365924c7f57822ab8112f476206c8b73a9127b9429af22e87733

Malware Config

Extracted

Language xlm4.0
Source | URL
xlm40.dropper | https://hostal-alfonso12.com/clases/SKtPvv/
xlm40.dropper | http://howesitgoing.com/images/HyaDnlbl6K7tbh2Lugys/

Extracted

Family

emotet

Botnet

Epoch4

C2

eck1.plain
Signatures 12

Discovery
  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process
    regsvr32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1396 | 3832 | regsvr32.exe | EXCEL.EXE
  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Description

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

  • Downloads MZ/PE file
  • Loads dropped DLL
    regsvr32.exe

    Reported IOCs

    pid | process
    1396 | regsvr32.exe
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    3832 | EXCEL.EXE
  • Suspicious behavior: EnumeratesProcesses
    regsvr32.exe

    Reported IOCs

    pid | process
    4076 | regsvr32.exe
    4076 | regsvr32.exe
  • Suspicious use of FindShellTrayWindow
    EXCEL.EXE

    Reported IOCs

    pid | process
    3832 | EXCEL.EXE
    3832 | EXCEL.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    3832 | EXCEL.EXE
    3832 | EXCEL.EXE
    3832 | EXCEL.EXE
    3832 | EXCEL.EXE
    3832 | EXCEL.EXE
    3832 | EXCEL.EXE
    3832 | EXCEL.EXE
    3832 | EXCEL.EXE
    3832 | EXCEL.EXE
    3832 | EXCEL.EXE
    3832 | EXCEL.EXE
    3832 | EXCEL.EXE
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE, regsvr32.exe

    Reported IOCs

    description | pid | process | target process
    PID 3832 wrote to memory of 1396 | 3832 | EXCEL.EXE | regsvr32.exe
    PID 3832 wrote to memory of 1396 | 3832 | EXCEL.EXE | regsvr32.exe
    PID 1396 wrote to memory of 4076 | 1396 | regsvr32.exe | regsvr32.exe
    PID 1396 wrote to memory of 4076 | 1396 | regsvr32.exe | regsvr32.exe
Processes 3
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0d75c0d596711a82fce15125c0e964cf57e3735f0e67540e6e274f45826a53d0.xls"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:3832
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe ..\wurod.ocx
      Process spawned unexpected child process
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1396
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DFLRPjPCOPe\gyZHCBOdMBrR.dll"
        Suspicious behavior: EnumeratesProcesses
        PID:4076
Network
MITRE ATT&CK Matrix
  Collection
  Command and Control
  Credential Access
  Defense Evasion
  Execution
  Exfiltration
  Impact
  Initial Access
  Lateral Movement
  Persistence
  Privilege Escalation
Downloads
  • C:\Users\Admin\wurod.ocx

    MD5

    ce0df9b58979a3d476082fc2122226de

    SHA1

    03487b179efc56057663f40511f449d4d4f041ff

    SHA256

    71fad31e7b696dca9380a03d54b93bd63d8b49e2c113e38821ba1a27d612315e

    SHA512

    c44111591573496261698b6b1236b91c86b7764f76aa46ad138157a7746bf48b4d6990ecd58bf3fd0771c14eb8d87a5883c90647b86362dfef6e1f26fe8eab05

  • \Users\Admin\wurod.ocx

    MD5

    ce0df9b58979a3d476082fc2122226de

    SHA1

    03487b179efc56057663f40511f449d4d4f041ff

    SHA256

    71fad31e7b696dca9380a03d54b93bd63d8b49e2c113e38821ba1a27d612315e

    SHA512

    c44111591573496261698b6b1236b91c86b7764f76aa46ad138157a7746bf48b4d6990ecd58bf3fd0771c14eb8d87a5883c90647b86362dfef6e1f26fe8eab05

  • memory/1396-273-0x0000000000000000-mapping.dmp

  • memory/1396-276-0x0000000180000000-0x0000000180030000-memory.dmp

  • memory/3832-130-0x00007FFC87320000-0x00007FFC87330000-memory.dmp

  • memory/3832-131-0x00007FFC87320000-0x00007FFC87330000-memory.dmp

  • memory/3832-118-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp

  • memory/3832-119-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp

  • memory/3832-120-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp

  • memory/3832-121-0x00007FFC8AAA0000-0x00007FFC8AAB0000-memory.dmp

  • memory/4076-286-0x0000000000000000-mapping.dmp