Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2022, 21:29

General

  • Target

    7888.xls

  • Size

    91KB

  • MD5

    dc8030748a00443a85ae4746c87f36dd

  • SHA1

    5bb6cc85bff4d6a13b28b9475cb591e9acaefa1a

  • SHA256

    ba511dcd0bab4020d5b041377a136718208a965c7e5ffd4313c90b2910dbde0c

  • SHA512

    0cba16412ef7cf52d8075b025ed78a449256758adc143edffe2422c7513f2218fcf6fa3e8ede6ae32bf99ffeaab9627aa726d9cd73e264237590a5c57b747f94

  • SSDEEP

    1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgMbCXuZH4gb4CEn9J4ZCX3O:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgW

Malware Config

Extracted

Language
xlm4.0

Source URLs (xlm40.dropper)

  • https://encuadernacionesartis.com/Vk2Z1Na/IZpyySkbU/
  • http://eznetb.synology.me/@eaDir/E36Y/
  • http://bytesendesign.nl/cgi-bin/LolX/
  • http://choltice.eu/mwc/syl3Y/

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain
eck1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 6 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\7888.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      PID:364
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Windows\system32\regsvr32.exe
        /S ..\elv2.ooocccxxx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1240
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MlykQqCp\qaOuV.dll"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1620
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\system32\regsvr32.exe
        /S ..\elv3.ooocccxxx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZaYvYtcLFWXIhRvJ\SVMWcXyscVEnYvyD.dll"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:568
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Windows\system32\regsvr32.exe
        /S ..\elv4.ooocccxxx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1524
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WxvKiCfcunZq\nuoAm.dll"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1724

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\elv2.ooocccxxx

          Filesize

          591KB

          MD5

          fc42d4274889d24061da931439218815

          SHA1

          87825a784269b0829af7285ecd1a50a4642f77b4

          SHA256

          942125f9a34fdedbbaf65e98e25ad82b819d69418ae79fcd6bcbc00393436538

          SHA512

          ac8e03ae85bb2a4d407f4394835e124b8b3beb415197b4660bf52f8594e988279819ee5580e9a88eb564358b4fc37d83145e9cbfff90e783b6147eeeaeb68b5d

        • C:\Users\Admin\elv3.ooocccxxx

          Filesize

          591KB

          MD5

          4c606ed4fcf79b57fe150dd6f079e484

          SHA1

          eca371209d3f1144d0e6b829a8054ec275789128

          SHA256

          5c55df77060b90ea6063a21ae0cf631c9a2bc0a80511042a358c691e338b22e3

          SHA512

          5a6c9c090f5e9f63efa4dd4a26ee6c9d1feeedde024cb7ae8429c99f6c18d78acfb1b30f77fc1677d09bd385116a36d3f7ad66863d92efc4397b72f299900bbd

        • C:\Users\Admin\elv4.ooocccxxx

          Filesize

          591KB

          MD5

          65f2a034695fa56099c6f4ef61f41970

          SHA1

          21ff15d869810727177a036f23c58f99a67f0c61

          SHA256

          de9286b0404b08dc867b514cced98af9c20c01f4123305e9388c783f00a49969

          SHA512

          4942c7cd563d55ae56ad3904e39b19e0dbf17019d281c5cd97e3763a45d1dada26a6e9ffbf6bf46a6fb53a5f137f514c82d7f22865ef3d1e84bcdcd3fd1f94cb

        • \Users\Admin\elv2.ooocccxxx

          Filesize

          591KB

          MD5

          fc42d4274889d24061da931439218815

          SHA1

          87825a784269b0829af7285ecd1a50a4642f77b4

          SHA256

          942125f9a34fdedbbaf65e98e25ad82b819d69418ae79fcd6bcbc00393436538

          SHA512

          ac8e03ae85bb2a4d407f4394835e124b8b3beb415197b4660bf52f8594e988279819ee5580e9a88eb564358b4fc37d83145e9cbfff90e783b6147eeeaeb68b5d

        • \Users\Admin\elv3.ooocccxxx

          Filesize

          591KB

          MD5

          4c606ed4fcf79b57fe150dd6f079e484

          SHA1

          eca371209d3f1144d0e6b829a8054ec275789128

          SHA256

          5c55df77060b90ea6063a21ae0cf631c9a2bc0a80511042a358c691e338b22e3

          SHA512

          5a6c9c090f5e9f63efa4dd4a26ee6c9d1feeedde024cb7ae8429c99f6c18d78acfb1b30f77fc1677d09bd385116a36d3f7ad66863d92efc4397b72f299900bbd

        • \Users\Admin\elv4.ooocccxxx

          Filesize

          591KB

          MD5

          65f2a034695fa56099c6f4ef61f41970

          SHA1

          21ff15d869810727177a036f23c58f99a67f0c61

          SHA256

          de9286b0404b08dc867b514cced98af9c20c01f4123305e9388c783f00a49969

          SHA512

          4942c7cd563d55ae56ad3904e39b19e0dbf17019d281c5cd97e3763a45d1dada26a6e9ffbf6bf46a6fb53a5f137f514c82d7f22865ef3d1e84bcdcd3fd1f94cb

        • memory/1240-67-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

          Filesize

          8KB

        • memory/1240-69-0x0000000001E80000-0x0000000001EB0000-memory.dmp

          Filesize

          192KB

        • memory/1708-57-0x000000007246D000-0x0000000072478000-memory.dmp

          Filesize

          44KB

        • memory/1708-58-0x0000000075451000-0x0000000075453000-memory.dmp

          Filesize

          8KB

        • memory/1708-59-0x000000007246D000-0x0000000072478000-memory.dmp

          Filesize

          44KB

        • memory/1708-54-0x000000002F861000-0x000000002F864000-memory.dmp

          Filesize

          12KB

        • memory/1708-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/1708-55-0x0000000071481000-0x0000000071483000-memory.dmp

          Filesize

          8KB