Analysis

  • max time kernel
    151s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2022, 22:33

General

  • Target

    10112022.xls

  • Size

    91KB

  • MD5

    5cdc9928185d3c019b1093e980037a1c

  • SHA1

    6ac9ea81dbdbef10f8a733d7038fb3997dfce404

  • SHA256

    82d3e0feb4e9fb53a00a23700f936021aba598ffc08e1d8b8c5f33e327d09912

  • SHA512

    e2ed78f9e765cbcf6fb332f3b535981390d28e6bc356da27f3e82aca13b19d9724bb623789f150a891026800595910aca46b0371743291ee0ecd7b13d8b8c250

  • SSDEEP

    1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgIbCXuZH4gb4CEn9J4ZJlQvj:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgZ

Malware Config

Extracted

Language
xlm4.0

Source
xlm40.dropper

URLs
http://fixoutlet.com/logs/OGlRuU/
http://www.cesasin.com.ar/administrator/viA95RR/
http://blacktequila.com.br/2fb62HWWoKi5nfEq2D/XB5VOAXZkhVhSKveYUV/
http://case.co.il/_js/dooigYa/

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain
eck1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 8 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\10112022.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\Windows\system32\regsvr32.exe
        /S ..\elv1.ooocccxxx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OOAbqHA\rYvMcX.dll"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1048
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\system32\regsvr32.exe
        /S ..\elv2.ooocccxxx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VwDfiYQY\DvBpgFdgdXv.dll"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:932
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Windows\system32\regsvr32.exe
        /S ..\elv3.ooocccxxx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1372
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EBFMWhOuBcMBu\seFApwfgfAklQ.dll"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:972
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      PID:428
      • C:\Windows\system32\regsvr32.exe
        /S ..\elv4.ooocccxxx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:1652
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KDGytCdoYytPhl\csKQbZblblADu.dll"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1068
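
The tree above is the Excel 4.0 (XLM) macro fetching a payload from one of the four dropper URLs into ..\elvN.ooocccxxx (the Downloads section confirms this resolves to C:\Users\Admin\elvN.ooocccxxx), registering it with regsvr32 /S, and the loaded DLL then re-launching regsvr32 on a copy of itself under C:\Windows\system32\<random>\<random>.dll. Two details matter for detection. First, the level-2 image is C:\Windows\SysWOW64\regsvr32.exe although its command line says System32: Office14 here is 32-bit, so WoW64 file-system redirection applies. Second, the level-3 regsvr32 with the same target is the 32-bit regsvr32 handing a DLL of the other bitness to the native 64-bit regsvr32, so "regsvr32 spawned regsvr32" on its own is not the Emotet-specific signal; the change of target at level 4 is. The following is an added example, not the sandbox's detection logic and not code from the sample: Python that turns the extracted C2 list and dropper URLs into lookup sets and applies those checks to Sysmon-style ProcessCreate/NetworkConnect events. The event dicts are constructed to mirror the report's tree (plus two benign controls), the rule names are ours, and the field names follow Sysmon's schema rather than any particular SIEM.

```python
# Added example, not from the sandbox report: detection checks built from the
# extracted Emotet config and the regsvr32 chain. Events are constructed.
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# C2 list and dropper URLs copied from the "Malware Config" section.
EMOTET_C2 = """
178.238.225.252:8080 139.196.72.155:8080 36.67.23.59:443 103.56.149.105:8080
37.44.244.177:8080 85.25.120.45:8080 202.134.4.210:7080 78.47.204.80:443
83.229.80.93:8080 93.104.209.107:8080 80.211.107.116:8080 165.22.254.236:8080
104.244.79.94:443 185.148.169.10:8080 190.145.8.4:443 175.126.176.79:8080
139.59.80.108:8080 188.165.79.151:443 128.199.217.206:443 64.227.55.231:8080
""".split()
DROPPER_URLS = [
    "http://fixoutlet.com/logs/OGlRuU/",
    "http://www.cesasin.com.ar/administrator/viA95RR/",
    "http://blacktequila.com.br/2fb62HWWoKi5nfEq2D/XB5VOAXZkhVhSKveYUV/",
    "http://case.co.il/_js/dooigYa/",
]
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}

def parse_c2(entries):
    """'ip:port' strings -> {(ip, port)}; ip_address() rejects mistyped IPs."""
    out = set()
    for entry in entries:
        host, _, port = entry.rpartition(":")
        out.add((str(ip_address(host)), int(port)))
    return out

def dropper_hosts(urls):
    return {urlsplit(u).hostname.lower() for u in urls}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def regsvr32_target(cmdline):
    """Last non-switch argument of a regsvr32 command line, quotes stripped."""
    args = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    if args and basename(args[0]) == "regsvr32.exe":
        args = args[1:]
    targets = [a for a in args if not a.startswith("/")]
    return targets[-1] if targets else None

def check_process(ev):
    """Sysmon EventID 1 (ProcessCreate) checks for the chain in the report."""
    found = []
    if basename(ev["Image"]) != "regsvr32.exe":
        return found
    target = regsvr32_target(ev["CommandLine"])
    parent = basename(ev["ParentImage"])
    if parent in OFFICE:
        found.append("office-spawned-regsvr32")
    if target and not target.lower().endswith((".dll", ".ocx", ".ax")):
        found.append("regsvr32-non-dll-extension")
    if parent == "regsvr32.exe":
        # The WoW64 hand-off re-runs the same target; Emotet's copy under
        # system32\<random>\ appears as a regsvr32 child with a new target.
        parent_target = regsvr32_target(ev.get("ParentCommandLine", ""))
        if target and parent_target and target.lower() != parent_target.lower():
            found.append("dll-relaunched-from-new-path")
    return found

def check_connection(ev, c2, hosts):
    """Sysmon EventID 3 (NetworkConnect) against the extracted config."""
    found = []
    if (ev["DestinationIp"], int(ev["DestinationPort"])) in c2:
        found.append("emotet-c2")
    if ev.get("DestinationHostname", "").lower() in hosts:
        found.append("emotet-dropper-host")
    return found

def scan(events, c2, hosts):
    """Return (ProcessId, rule) pairs for every event that trips a rule."""
    checks = {1: check_process, 3: lambda ev: check_connection(ev, c2, hosts)}
    return [(ev["ProcessId"], f) for ev in events
            for f in checks.get(ev["EventID"], lambda ev: [])(ev)]

# Constructed sample events: PIDs and command lines are the report's; the
# explorer.exe event and the 10.0.0.5 connection are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1816, "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"},
    {"EventID": 1, "ProcessId": 2036, "Image": r"C:\Windows\system32\regsvr32.exe",
     "CommandLine": r"/S ..\elv1.ooocccxxx", "ParentImage": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentCommandLine": r"C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx"},
    {"EventID": 1, "ProcessId": 1048, "Image": r"C:\Windows\system32\regsvr32.exe",
     "CommandLine": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OOAbqHA\rYvMcX.dll"',
     "ParentImage": r"C:\Windows\system32\regsvr32.exe", "ParentCommandLine": r"/S ..\elv1.ooocccxxx"},
    {"EventID": 1, "ProcessId": 4444, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\jscript.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 1048, "DestinationIp": "178.238.225.252", "DestinationPort": 8080},
    {"EventID": 3, "ProcessId": 1184, "DestinationIp": "10.0.0.5", "DestinationPort": 443},
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS, parse_c2(EMOTET_C2), dropper_hosts(DROPPER_URLS)):
        print(pid, finding)
```

Run as-is it prints the five findings for PIDs 1816, 2036 and 1048 and nothing for the explorer.exe-launched regsvr32 or the private-address connection. The "non-dll-extension" rule is the cheapest generic catch for this family of droppers, since regsvr32 does not care about the file name; the "relaunched-from-new-path" rule is the one that separates Emotet's self-relocation from the ordinary 32-to-64-bit hand-off.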

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\elv1.ooocccxxx

          Filesize

          591KB

          MD5

          7e8fee77132c086dee1d35b3883093c0

          SHA1

          cb76cf15cc4b8a9716234ddad4dacf31310fff22

          SHA256

          c92ff622c42f6ec9de3fda948add268884f3f490514d539e6bff37af5321ac86

          SHA512

          b3aa4869b58962fff26d487a8fd9de48bc957fe31d9d99870e9318ce2d48d04e1de445966c0e2d5e87590848c981db08e497874f535b45e0b689bb9edfdb2448

        • C:\Users\Admin\elv2.ooocccxxx

          Filesize

          591KB

          MD5

          4e7d14eb59c3e63be0ce4d1b1af6a551

          SHA1

          594d9dceb37b5a61d1e9cf4ed1a6be2808ee730f

          SHA256

          89b29bad84ce0fa4d806b481a996c180a95e47e370d573ff590094261cfe4e91

          SHA512

          c1f1b192db14e315fc3dc7230eb6e2dfa9612d938b5170d4da920146dfd6ebea3279e6a1402757d3f203fe985cd5d37be231e9389bbae04461b25f61814483ac

        • C:\Users\Admin\elv3.ooocccxxx

          Filesize

          591KB

          MD5

          6867f2d861160fbfeed5b7c6d0208a8c

          SHA1

          ef8d76eeb4a1bf3500f2b0a75ecf8db9ec7755d8

          SHA256

          957505bbcf458e5b668d2c9ad930e7268f1edc16028c6e8547044963754d3d6d

          SHA512

          b86f9ce88fd416c34c858712349f6b857052f6e6b4c631c3637d8a611c299337d2de5d214dc4775ed9fe5b3e4f6de2715470e57b1d8d8022f37cb94faca958fb

        • C:\Users\Admin\elv4.ooocccxxx

          Filesize

          591KB

          MD5

          3995fa09a20398b02e68d778b8f24f60

          SHA1

          1780771df76d11a5bb023ad2cb41728004743769

          SHA256

          134baf345332ba4de3b080a1fb3b72758c52e72c9896937921b0e92cc9fa3f34

          SHA512

          37f3ea200b7380e8f9426fbe8dbf29b6d94042e9a795b22ebd459e9da57e3b0b4462f94f00a6d43ebeb5cd2746a50631da7953071563f65023b6d790b528388a

        • memory/1184-54-0x000000002FB01000-0x000000002FB04000-memory.dmp

          Filesize

          12KB

        • memory/1184-55-0x0000000070FC1000-0x0000000070FC3000-memory.dmp

          Filesize

          8KB

        • memory/1184-58-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

          Filesize

          8KB

        • memory/1184-57-0x0000000071FAD000-0x0000000071FB8000-memory.dmp

          Filesize

          44KB

        • memory/1184-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/1184-59-0x0000000071FAD000-0x0000000071FB8000-memory.dmp

          Filesize

          44KB

        • memory/2036-67-0x00000000001F0000-0x0000000000220000-memory.dmp

          Filesize

          192KB

        • memory/2036-65-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp

          Filesize

          8KB