Analysis

  • max time kernel
    152s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2022, 19:51

General

  • Target

    0911.xls

  • Size

    91KB

  • MD5

    d686700342ca2e512f2c0db4f2c091fe

  • SHA1

    7311c4dda1d12ec68e491ab8b62b7500c78cb778

  • SHA256

    699b70644f54d0a8b1bd3127ef6770c6c19f0de82087ad76108a0d68055c2ba1

  • SHA512

    34b30785dc117b4a1b2230f2b5af1b745c0f5ce736fc31ca84e1bcc9b24191dbbe72662196d2b328cb533e161c9a435d42a3ff469b9a125c291a97eaf1c727ee

  • SSDEEP

    1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgEbCXuZH4gb4CEn9J4ZwEM:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgJ

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.muyehuayi.com/cmp/8asA99KPsyA/v6lUsWbLen/

xlm40.dropper

http://concivilpa.com.py/wp-admin/i3CQu9dzDrMW/

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain
eck1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0911.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4584
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YxwFFfAoZ\xpkWf.dll"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:2616

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\elv1.ooocccxxx

          Filesize

          434KB

          MD5

          de7cd2d114263b25ae1c8a5a3329d052

          SHA1

          579265b7f8f8efc7e2bf2dc86529bd700a972e67

          SHA256

          852095de883291fc3f0368c5540e49c1d25fb12d678a1a14a5c576169870a33b

          SHA512

          37ce20fb163fe3d10d9dadc7e315907363a963cb9277e51e9c7ffb4686195df18a64af66199572fd8272bea5ae8c6380ab4d16f0bdfb3a378bca88adce6159f4

        • C:\Users\Admin\elv1.ooocccxxx

          Filesize

          434KB

          MD5

          de7cd2d114263b25ae1c8a5a3329d052

          SHA1

          579265b7f8f8efc7e2bf2dc86529bd700a972e67

          SHA256

          852095de883291fc3f0368c5540e49c1d25fb12d678a1a14a5c576169870a33b

          SHA512

          37ce20fb163fe3d10d9dadc7e315907363a963cb9277e51e9c7ffb4686195df18a64af66199572fd8272bea5ae8c6380ab4d16f0bdfb3a378bca88adce6159f4

        • C:\Windows\System32\YxwFFfAoZ\xpkWf.dll

          Filesize

          434KB

          MD5

          de7cd2d114263b25ae1c8a5a3329d052

          SHA1

          579265b7f8f8efc7e2bf2dc86529bd700a972e67

          SHA256

          852095de883291fc3f0368c5540e49c1d25fb12d678a1a14a5c576169870a33b

          SHA512

          37ce20fb163fe3d10d9dadc7e315907363a963cb9277e51e9c7ffb4686195df18a64af66199572fd8272bea5ae8c6380ab4d16f0bdfb3a378bca88adce6159f4

        • memory/1840-142-0x0000000180000000-0x0000000180030000-memory.dmp

          Filesize

          192KB

        • memory/4584-135-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

          Filesize

          64KB

        • memory/4584-138-0x00007FF7F0330000-0x00007FF7F0340000-memory.dmp

          Filesize

          64KB

        • memory/4584-137-0x00007FF7F0330000-0x00007FF7F0340000-memory.dmp

          Filesize

          64KB

        • memory/4584-136-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

          Filesize

          64KB

        • memory/4584-132-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

          Filesize

          64KB

        • memory/4584-134-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

          Filesize

          64KB

        • memory/4584-133-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

          Filesize

          64KB