Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    09/11/2022, 18:28

General

  • Target

    0911.xls

  • Size

    91KB

  • MD5

    28b328ed05705fced2f6a2c1ed779132

  • SHA1

    782a0b2fe5a2ec702bff78212454a9df935ba562

  • SHA256

    4d5add3ef145266bbe7120ac4d62f6bfc9c24f69c7fd65fffb880d02fed6c296

  • SHA512

    49764890461c8893249532198928e3f92241ac0c402b2da0a11c9259cb082a222ec6a8c8df74f39ba094d96f6bf1a6f79c1cbc0ec4b85c9f79b7ac2dd6b5ce51

  • SSDEEP

    1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgEbCXuZH4gb4CEn9J4ZsEM:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgl

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.muyehuayi.com/cmp/8asA99KPsyA/v6lUsWbLen/

xlm40.dropper

http://concivilpa.com.py/wp-admin/i3CQu9dzDrMW/

xlm40.dropper

https://wijsneusmedia.nl/cgi-bin/kFB/

xlm40.dropper

http://www.angloextrema.com.br/assets/oEt1yYckHKlnNIq/

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain
eck1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 4 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\0911.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Windows\system32\regsvr32.exe
        /S ..\elv1.ooocccxxx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TBHdhaK\mOxeQmUHCHLIrz.dll"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1720
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      PID:1556
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      PID:1512
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\system32\regsvr32.exe
        /S ..\elv4.ooocccxxx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZGUCrfEPHSHmQb\vvhCuE.dll"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1060

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\elv1.ooocccxxx

          Filesize

          434KB

          MD5

          8975ba618cf5f9961015ecda31b94ca2

          SHA1

          5b619cec25a0fcb4bd9844eaebd7992391df4db6

          SHA256

          79452b430f0dbb4ce367b709e0c1e050df555388496c9bbd3f4eaa22bea34d59

          SHA512

          d8ea79cdf8dac0b117c9b3c934e22063704080f350f8b8b624abffc92c52c7bce75c3116b0df8cf230df7e59555c4d4d293fc4da2012f3bba20c4215d8275615

        • C:\Users\Admin\elv4.ooocccxxx

          Filesize

          434KB

          MD5

          3086c906fe299d2d1ae9b581d17070e2

          SHA1

          b084d5e96799b2d7a357533489b484f2c67deb46

          SHA256

          e1d28941383e1c6464337e4d65bb3479f7fe6917bb6db82f1542578e154ab9a4

          SHA512

          e8b752df819626d56c0a9caaf9721fde4b90f99e7afe3353bae35a1b7c4281697f17582735df33099385f8a20d7f3af10d5383fee432ea1276f2d6f8fc25c353

        • \Users\Admin\elv1.ooocccxxx

          Filesize

          434KB

          MD5

          8975ba618cf5f9961015ecda31b94ca2

          SHA1

          5b619cec25a0fcb4bd9844eaebd7992391df4db6

          SHA256

          79452b430f0dbb4ce367b709e0c1e050df555388496c9bbd3f4eaa22bea34d59

          SHA512

          d8ea79cdf8dac0b117c9b3c934e22063704080f350f8b8b624abffc92c52c7bce75c3116b0df8cf230df7e59555c4d4d293fc4da2012f3bba20c4215d8275615

        • \Users\Admin\elv1.ooocccxxx

          Filesize

          434KB

          MD5

          8975ba618cf5f9961015ecda31b94ca2

          SHA1

          5b619cec25a0fcb4bd9844eaebd7992391df4db6

          SHA256

          79452b430f0dbb4ce367b709e0c1e050df555388496c9bbd3f4eaa22bea34d59

          SHA512

          d8ea79cdf8dac0b117c9b3c934e22063704080f350f8b8b624abffc92c52c7bce75c3116b0df8cf230df7e59555c4d4d293fc4da2012f3bba20c4215d8275615

        • \Users\Admin\elv4.ooocccxxx

          Filesize

          434KB

          MD5

          3086c906fe299d2d1ae9b581d17070e2

          SHA1

          b084d5e96799b2d7a357533489b484f2c67deb46

          SHA256

          e1d28941383e1c6464337e4d65bb3479f7fe6917bb6db82f1542578e154ab9a4

          SHA512

          e8b752df819626d56c0a9caaf9721fde4b90f99e7afe3353bae35a1b7c4281697f17582735df33099385f8a20d7f3af10d5383fee432ea1276f2d6f8fc25c353

        • \Users\Admin\elv4.ooocccxxx

          Filesize

          434KB

          MD5

          3086c906fe299d2d1ae9b581d17070e2

          SHA1

          b084d5e96799b2d7a357533489b484f2c67deb46

          SHA256

          e1d28941383e1c6464337e4d65bb3479f7fe6917bb6db82f1542578e154ab9a4

          SHA512

          e8b752df819626d56c0a9caaf9721fde4b90f99e7afe3353bae35a1b7c4281697f17582735df33099385f8a20d7f3af10d5383fee432ea1276f2d6f8fc25c353

        • memory/1308-65-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

          Filesize

          8KB

        • memory/1308-67-0x0000000180000000-0x0000000180030000-memory.dmp

          Filesize

          192KB

        • memory/1452-59-0x00000000724ED000-0x00000000724F8000-memory.dmp

          Filesize

          44KB

        • memory/1452-54-0x000000002FCE1000-0x000000002FCE4000-memory.dmp

          Filesize

          12KB

        • memory/1452-58-0x0000000075041000-0x0000000075043000-memory.dmp

          Filesize

          8KB

        • memory/1452-57-0x00000000724ED000-0x00000000724F8000-memory.dmp

          Filesize

          44KB

        • memory/1452-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/1452-55-0x0000000071501000-0x0000000071503000-memory.dmp

          Filesize

          8KB