General

Target: c6c763124b9f501480270732b135c5bc445a7e0b74c4b4d14603f8df8186e3c8.xls
Filesize: 73KB
Completed: 21-05-2022 18:15
Task: behavioral2
Score: 10/10

MD5: 40d72d3f670414dd1674d1a7fe3a18a0
SHA1: b48ca999e422c42954a315487920d4cbeb71afde
SHA256: c6c763124b9f501480270732b135c5bc445a7e0b74c4b4d14603f8df8186e3c8
SHA512: f97688624d3261ca567e07ed38ee0e63e6ce189c79f07cdee4828ad5e9757caf3a5a8fb2fbdab270d6f4d0ddac9e7886d5d4c08b14224edc1d8e65e02a7e908b

Malware Config

Extracted

Language: xlm4.0

Source | URL
xlm40.dropper | http://hullsite.com/0a61/nm6lxocqt/
xlm40.dropper | https://bencevendeghaz.hu/wp-includes/cLrqBIwf8C/

Extracted

Family: emotet
Botnet: Epoch4
C2:


eck1.plain
Signatures 11


Discovery
  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process
    regsvr32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3812 | 3576 | regsvr32.exe | EXCEL.EXE
  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Description

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

  • Loads dropped DLL
    regsvr32.exe

    Reported IOCs

    pid | process
    3812 | regsvr32.exe
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    3576 | EXCEL.EXE
  • Suspicious behavior: EnumeratesProcesses
    regsvr32.exe

    Reported IOCs

    pid | process
    1076 | regsvr32.exe
    1076 | regsvr32.exe
  • Suspicious use of FindShellTrayWindow
    EXCEL.EXE

    Reported IOCs

    pid | process
    3576 | EXCEL.EXE
    3576 | EXCEL.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    3576 | EXCEL.EXE
    3576 | EXCEL.EXE
    3576 | EXCEL.EXE
    3576 | EXCEL.EXE
    3576 | EXCEL.EXE
    3576 | EXCEL.EXE
    3576 | EXCEL.EXE
    3576 | EXCEL.EXE
    3576 | EXCEL.EXE
    3576 | EXCEL.EXE
    3576 | EXCEL.EXE
    3576 | EXCEL.EXE
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE, regsvr32.exe

    Reported IOCs

    description | pid | process | target process
    PID 3576 wrote to memory of 3812 | 3576 | EXCEL.EXE | regsvr32.exe
    PID 3576 wrote to memory of 3812 | 3576 | EXCEL.EXE | regsvr32.exe
    PID 3812 wrote to memory of 1076 | 3812 | regsvr32.exe | regsvr32.exe
    PID 3812 wrote to memory of 1076 | 3812 | regsvr32.exe | regsvr32.exe
Processes 3
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\c6c763124b9f501480270732b135c5bc445a7e0b74c4b4d14603f8df8186e3c8.xls"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:3576
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe ..\vhdxw.ocx
      Process spawned unexpected child process
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3812
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YnBhUhcTjoia\pVRBnMjB.dll"
        Suspicious behavior: EnumeratesProcesses
        PID:1076
Downloads
  • C:\Users\Admin\vhdxw.ocx
    MD5: 030d640b07c97f3d7fb5573e7f63a4db
    SHA1: 2fa1f8b5a9aab9169922c95af23e87b57f79d1da
    SHA256: 2c579ddf1b850c0b72e9468731dbaa202b17dd6e8fd0cf56e754acd460957a57
    SHA512: 6ffce06a7b78f613a93fff09d3afb5202bcd74f0b382a3e7915d7814dbbe3aa43b62928856a9f3ad517389c7812fcdee20de85013eb545d1199cfc7a766c45b0
  • \Users\Admin\vhdxw.ocx
    MD5: 030d640b07c97f3d7fb5573e7f63a4db
    SHA1: 2fa1f8b5a9aab9169922c95af23e87b57f79d1da
    SHA256: 2c579ddf1b850c0b72e9468731dbaa202b17dd6e8fd0cf56e754acd460957a57
    SHA512: 6ffce06a7b78f613a93fff09d3afb5202bcd74f0b382a3e7915d7814dbbe3aa43b62928856a9f3ad517389c7812fcdee20de85013eb545d1199cfc7a766c45b0
  • memory/1076-288-0x0000000000000000-mapping.dmp
  • memory/3576-118-0x00007FFB10F20000-0x00007FFB10F30000-memory.dmp
  • memory/3576-121-0x00007FFB10F20000-0x00007FFB10F30000-memory.dmp
  • memory/3576-131-0x00007FFB0D3B0000-0x00007FFB0D3C0000-memory.dmp
  • memory/3576-119-0x00007FFB10F20000-0x00007FFB10F30000-memory.dmp
  • memory/3576-120-0x00007FFB10F20000-0x00007FFB10F30000-memory.dmp
  • memory/3576-130-0x00007FFB0D3B0000-0x00007FFB0D3C0000-memory.dmp
  • memory/3812-270-0x0000000000000000-mapping.dmp
  • memory/3812-273-0x0000000180000000-0x000000018002F000-memory.dmp