Analysis

  • max time kernel
    145s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2022, 21:29

General

  • Target

    7888.xls

  • Size

    91KB

  • MD5

    dc8030748a00443a85ae4746c87f36dd

  • SHA1

    5bb6cc85bff4d6a13b28b9475cb591e9acaefa1a

  • SHA256

    ba511dcd0bab4020d5b041377a136718208a965c7e5ffd4313c90b2910dbde0c

  • SHA512

    0cba16412ef7cf52d8075b025ed78a449256758adc143edffe2422c7513f2218fcf6fa3e8ede6ae32bf99ffeaab9627aa726d9cd73e264237590a5c57b747f94

  • SSDEEP

    1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgMbCXuZH4gb4CEn9J4ZCX3O:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgW

Malware Config

Extracted

  • Language
    xlm4.0
  • Source
    xlm40.dropper
  • URLs
    https://encuadernacionesartis.com/Vk2Z1Na/IZpyySkbU/
    http://eznetb.synology.me/@eaDir/E36Y/
    http://bytesendesign.nl/cgi-bin/LolX/
    http://choltice.eu/mwc/syl3Y/

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain
eck1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7888.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4512
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3668
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LTwGaZCPRxZEdzpGX\IyaDgT.dll"
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        PID:1604
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TGaGKcCQzQVqrawKI\nMwVEaRxLrlLh.dll"
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        PID:1656
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JSDeOOzjMQ\qnTnlDmG.dll"
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        PID:1752
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4656
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BDclGxwuz\xEFiaaNEM.dll"
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        PID:1836

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\elv1.ooocccxxx

          Filesize

          434KB

          MD5

          c945578afa8a8f3501c8214b9adeb9cb

          SHA1

          2fdf8b0daf9b712e28e52fc4ca8393a64b05a41f

          SHA256

          cc17d461235f9854c511fbf1d8490e94708cf809eb65bd27f7a504ec4839291b

          SHA512

          80e90a46fb164565e8bf20108d3697bbaaa33b78e198a4df2b3c18e3c3f894b0ce3f26500678133b152a4065fac46ac908b5850c39f697f7763a428e0155e903

        • C:\Users\Admin\elv2.ooocccxxx

          Filesize

          591KB

          MD5

          fc42d4274889d24061da931439218815

          SHA1

          87825a784269b0829af7285ecd1a50a4642f77b4

          SHA256

          942125f9a34fdedbbaf65e98e25ad82b819d69418ae79fcd6bcbc00393436538

          SHA512

          ac8e03ae85bb2a4d407f4394835e124b8b3beb415197b4660bf52f8594e988279819ee5580e9a88eb564358b4fc37d83145e9cbfff90e783b6147eeeaeb68b5d

        • C:\Users\Admin\elv3.ooocccxxx

          Filesize

          591KB

          MD5

          4c606ed4fcf79b57fe150dd6f079e484

          SHA1

          eca371209d3f1144d0e6b829a8054ec275789128

          SHA256

          5c55df77060b90ea6063a21ae0cf631c9a2bc0a80511042a358c691e338b22e3

          SHA512

          5a6c9c090f5e9f63efa4dd4a26ee6c9d1feeedde024cb7ae8429c99f6c18d78acfb1b30f77fc1677d09bd385116a36d3f7ad66863d92efc4397b72f299900bbd

        • C:\Users\Admin\elv4.ooocccxxx

          Filesize

          591KB

          MD5

          65f2a034695fa56099c6f4ef61f41970

          SHA1

          21ff15d869810727177a036f23c58f99a67f0c61

          SHA256

          de9286b0404b08dc867b514cced98af9c20c01f4123305e9388c783f00a49969

          SHA512

          4942c7cd563d55ae56ad3904e39b19e0dbf17019d281c5cd97e3763a45d1dada26a6e9ffbf6bf46a6fb53a5f137f514c82d7f22865ef3d1e84bcdcd3fd1f94cb

        • C:\Windows\System32\BDclGxwuz\xEFiaaNEM.dll

          Filesize

          591KB

          MD5

          65f2a034695fa56099c6f4ef61f41970

          SHA1

          21ff15d869810727177a036f23c58f99a67f0c61

          SHA256

          de9286b0404b08dc867b514cced98af9c20c01f4123305e9388c783f00a49969

          SHA512

          4942c7cd563d55ae56ad3904e39b19e0dbf17019d281c5cd97e3763a45d1dada26a6e9ffbf6bf46a6fb53a5f137f514c82d7f22865ef3d1e84bcdcd3fd1f94cb

        • C:\Windows\System32\JSDeOOzjMQ\qnTnlDmG.dll

          Filesize

          591KB

          MD5

          4c606ed4fcf79b57fe150dd6f079e484

          SHA1

          eca371209d3f1144d0e6b829a8054ec275789128

          SHA256

          5c55df77060b90ea6063a21ae0cf631c9a2bc0a80511042a358c691e338b22e3

          SHA512

          5a6c9c090f5e9f63efa4dd4a26ee6c9d1feeedde024cb7ae8429c99f6c18d78acfb1b30f77fc1677d09bd385116a36d3f7ad66863d92efc4397b72f299900bbd

        • C:\Windows\System32\LTwGaZCPRxZEdzpGX\IyaDgT.dll

          Filesize

          434KB

          MD5

          c945578afa8a8f3501c8214b9adeb9cb

          SHA1

          2fdf8b0daf9b712e28e52fc4ca8393a64b05a41f

          SHA256

          cc17d461235f9854c511fbf1d8490e94708cf809eb65bd27f7a504ec4839291b

          SHA512

          80e90a46fb164565e8bf20108d3697bbaaa33b78e198a4df2b3c18e3c3f894b0ce3f26500678133b152a4065fac46ac908b5850c39f697f7763a428e0155e903

        • C:\Windows\System32\TGaGKcCQzQVqrawKI\nMwVEaRxLrlLh.dll

          Filesize

          591KB

          MD5

          fc42d4274889d24061da931439218815

          SHA1

          87825a784269b0829af7285ecd1a50a4642f77b4

          SHA256

          942125f9a34fdedbbaf65e98e25ad82b819d69418ae79fcd6bcbc00393436538

          SHA512

          ac8e03ae85bb2a4d407f4394835e124b8b3beb415197b4660bf52f8594e988279819ee5580e9a88eb564358b4fc37d83145e9cbfff90e783b6147eeeaeb68b5d

        • memory/3668-142-0x0000000180000000-0x0000000180030000-memory.dmp

          Filesize

          192KB

        • memory/4512-132-0x00007FFDF6EB0000-0x00007FFDF6EC0000-memory.dmp

          Filesize

          64KB

        • memory/4512-137-0x00007FFDF4E50000-0x00007FFDF4E60000-memory.dmp

          Filesize

          64KB

        • memory/4512-136-0x00007FFDF6EB0000-0x00007FFDF6EC0000-memory.dmp

          Filesize

          64KB

        • memory/4512-135-0x00007FFDF6EB0000-0x00007FFDF6EC0000-memory.dmp

          Filesize

          64KB

        • memory/4512-134-0x00007FFDF6EB0000-0x00007FFDF6EC0000-memory.dmp

          Filesize

          64KB

        • memory/4512-138-0x00007FFDF4E50000-0x00007FFDF4E60000-memory.dmp

          Filesize

          64KB

        • memory/4512-133-0x00007FFDF6EB0000-0x00007FFDF6EC0000-memory.dmp

          Filesize

          64KB