Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    09/11/2022, 19:33

General

  • Target

    doc_0911.xls

  • Size

    91KB

  • MD5

    a134f958b8f28081d5857abc32dab8d3

  • SHA1

    cc4e5f5f8b9988c175b7c578c2ab225522956101

  • SHA256

    afe3d78330690e536178b7ccb888360b5ebeaf73223319978ca2c84af0175a51

  • SHA512

    d1928bdc459144d4fe9155bba6dcdf88787233ac83a1f1e18749526fc1117acdc743bce880877d862d8f43ca4d3cc16346bb1c3a2fc2700e4f687faee77f9c46

  • SSDEEP

    1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgEbCXuZH4gb4CEn9J4ZwEM:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgJ

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.muyehuayi.com/cmp/8asA99KPsyA/v6lUsWbLen/

xlm40.dropper

http://concivilpa.com.py/wp-admin/i3CQu9dzDrMW/

xlm40.dropper

https://wijsneusmedia.nl/cgi-bin/kFB/

xlm40.dropper

http://www.angloextrema.com.br/assets/oEt1yYckHKlnNIq/

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain
eck1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 4 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\doc_0911.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:896
      • C:\Windows\system32\regsvr32.exe
        /S ..\elv1.ooocccxxx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1180
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IwXLyxdyKVVUKT\RHXcYkARsS.dll"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2036
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      PID:1644
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      PID:1280
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\system32\regsvr32.exe
        /S ..\elv4.ooocccxxx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:976
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FBaJM\szex.dll"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1800

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\elv1.ooocccxxx

          Filesize

          434KB

          MD5

          4fc1845e54fbc75f4b0a2645fd9bf221

          SHA1

          8d2112a5c8c43d8496e4ef7616e5fb5e9c12556b

          SHA256

          1af9aa5847d05c9776936eb3a713695f83594fe40b2b6d5f74f6e8e1ceee5ce2

          SHA512

          514afd912dcc4a469b241454ca59a8b2d43095c18d47d74cf1e3b28bd5e62f40352468992e0ae60dcd71938dfda4c780cb421f6f9cb4adf1fd377717c4661be9

        • C:\Users\Admin\elv4.ooocccxxx

          Filesize

          434KB

          MD5

          3ffb82ac4a06e23faf1161fc51dc43ea

          SHA1

          ab941789c42d74e417fe4ab38f6e33a630fee0b9

          SHA256

          99a68189c09949e55dac51fdd6f101c089df91f419ab144da00f31fbd4f7e970

          SHA512

          7d196e9a23e5b2aebffde1812172d4281dd03b6aff9594f9bbe9c8763bab9d39b9bf12a5d28fca5d2550fb0314d8b1b43d6ea28c477067391c9c24c7c1b82fd0

        • \Users\Admin\elv1.ooocccxxx

          Filesize

          434KB

          MD5

          4fc1845e54fbc75f4b0a2645fd9bf221

          SHA1

          8d2112a5c8c43d8496e4ef7616e5fb5e9c12556b

          SHA256

          1af9aa5847d05c9776936eb3a713695f83594fe40b2b6d5f74f6e8e1ceee5ce2

          SHA512

          514afd912dcc4a469b241454ca59a8b2d43095c18d47d74cf1e3b28bd5e62f40352468992e0ae60dcd71938dfda4c780cb421f6f9cb4adf1fd377717c4661be9

        • \Users\Admin\elv1.ooocccxxx

          Filesize

          434KB

          MD5

          4fc1845e54fbc75f4b0a2645fd9bf221

          SHA1

          8d2112a5c8c43d8496e4ef7616e5fb5e9c12556b

          SHA256

          1af9aa5847d05c9776936eb3a713695f83594fe40b2b6d5f74f6e8e1ceee5ce2

          SHA512

          514afd912dcc4a469b241454ca59a8b2d43095c18d47d74cf1e3b28bd5e62f40352468992e0ae60dcd71938dfda4c780cb421f6f9cb4adf1fd377717c4661be9

        • \Users\Admin\elv4.ooocccxxx

          Filesize

          434KB

          MD5

          3ffb82ac4a06e23faf1161fc51dc43ea

          SHA1

          ab941789c42d74e417fe4ab38f6e33a630fee0b9

          SHA256

          99a68189c09949e55dac51fdd6f101c089df91f419ab144da00f31fbd4f7e970

          SHA512

          7d196e9a23e5b2aebffde1812172d4281dd03b6aff9594f9bbe9c8763bab9d39b9bf12a5d28fca5d2550fb0314d8b1b43d6ea28c477067391c9c24c7c1b82fd0

        • \Users\Admin\elv4.ooocccxxx

          Filesize

          434KB

          MD5

          3ffb82ac4a06e23faf1161fc51dc43ea

          SHA1

          ab941789c42d74e417fe4ab38f6e33a630fee0b9

          SHA256

          99a68189c09949e55dac51fdd6f101c089df91f419ab144da00f31fbd4f7e970

          SHA512

          7d196e9a23e5b2aebffde1812172d4281dd03b6aff9594f9bbe9c8763bab9d39b9bf12a5d28fca5d2550fb0314d8b1b43d6ea28c477067391c9c24c7c1b82fd0

        • memory/1180-64-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

          Filesize

          8KB

        • memory/1180-66-0x0000000180000000-0x0000000180030000-memory.dmp

          Filesize

          192KB

        • memory/1444-58-0x0000000075D71000-0x0000000075D73000-memory.dmp

          Filesize

          8KB

        • memory/1444-74-0x000000007251D000-0x0000000072528000-memory.dmp

          Filesize

          44KB

        • memory/1444-57-0x000000007251D000-0x0000000072528000-memory.dmp

          Filesize

          44KB

        • memory/1444-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/1444-54-0x000000002FED1000-0x000000002FED4000-memory.dmp

          Filesize

          12KB

        • memory/1444-55-0x0000000071531000-0x0000000071533000-memory.dmp

          Filesize

          8KB