Analysis

  • max time kernel
    151s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2022, 21:11

General

  • Target

    8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63.xls

  • Size

    91KB

  • MD5

    c923d2a2d9c4193171d80a850babe90a

  • SHA1

    8e729e6fe2491b6566a3f41973c8891423c5ac3b

  • SHA256

    8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63

  • SHA512

    4058f7dc49889aa04e8168f7e2471c327014842a5cfffe605d1cb74a9dfd5588a6ae9fdfebbbc2d43a8087698bd415439485502423319519a53f85512c00ca19

  • SSDEEP

    1536:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgsbCXuZH4gb4CEn9J4Z3ip:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgL

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://cubicegg.asia/assets/hQlJfFO/

xlm40.dropper

http://darwinistic.com/icon/pvxwXfuOXowTDDg/

xlm40.dropper

http://devinagallagher.com/NSA/BVks/

xlm40.dropper

http://brittknight.com/PHP/qy6/

Extracted

Family

emotet

Botnet

Epoch4

C2

45.235.8.30:8080

94.23.45.86:4143

119.59.103.152:8080

169.60.181.70:8080

164.68.99.3:8080

172.105.226.75:8080

107.170.39.149:8080

206.189.28.199:8080

1.234.2.232:8080

188.44.20.25:443

186.194.240.217:443

103.43.75.120:443

149.28.143.92:443

159.89.202.34:443

209.97.163.214:443

183.111.227.137:8080

129.232.188.93:443

139.59.126.41:443

110.232.117.186:8080

139.59.56.73:8080

eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8780e38ceea5e9c1fdb8b950b3a2b722b4127b59b1bcd59c5fb0c38973c8fc63.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Srohl\HEYFPyP.dll"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:1660
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LipmV\sjCsxfMPtvHd.dll"
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        PID:4972
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3856
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FLdtVVYrZQYHDn\gSXNoh.dll"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:4176
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      PID:2936

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\elv1.ooocccxxx

          Filesize

          855KB

          MD5

          e4d4ddbb48b7c5d8d04e64bcfd241162

          SHA1

          841cb873109728065ff3907e0a19af8d4b363b6b

          SHA256

          220d0bf5b02e2405afdb47c3569ca1bbc5770d7226a5479a01742ac26619e928

          SHA512

          8133893139c8e680416adbe5ae7e8dd789508cf5bc5d68ad36afcb7e43f43460e5c2947b4ec8605043d4290c5f0caffd745533ea55b788396cb45e3f0919448d

        • C:\Users\Admin\elv1.ooocccxxx

          Filesize

          855KB

          MD5

          e4d4ddbb48b7c5d8d04e64bcfd241162

          SHA1

          841cb873109728065ff3907e0a19af8d4b363b6b

          SHA256

          220d0bf5b02e2405afdb47c3569ca1bbc5770d7226a5479a01742ac26619e928

          SHA512

          8133893139c8e680416adbe5ae7e8dd789508cf5bc5d68ad36afcb7e43f43460e5c2947b4ec8605043d4290c5f0caffd745533ea55b788396cb45e3f0919448d

        • C:\Users\Admin\elv2.ooocccxxx

          Filesize

          855KB

          MD5

          1209ebba5bb4117ee10b719ddba8b7c4

          SHA1

          7454dbf8268ce69d0d256d103808bd7e5c744662

          SHA256

          75fecc5c2b56359a9743030058046081f3011a518a3900de442181c6d0f81c7e

          SHA512

          f2c27d530232ddb9b9c258cfbbb10a36cd4c26b9b9a2b51f6d30ba0b177ee972b811c267bf25b88783faffc31b7139147b1cf4114e7ea73bc3ee6b7365a5ff28

        • C:\Users\Admin\elv2.ooocccxxx

          Filesize

          855KB

          MD5

          1209ebba5bb4117ee10b719ddba8b7c4

          SHA1

          7454dbf8268ce69d0d256d103808bd7e5c744662

          SHA256

          75fecc5c2b56359a9743030058046081f3011a518a3900de442181c6d0f81c7e

          SHA512

          f2c27d530232ddb9b9c258cfbbb10a36cd4c26b9b9a2b51f6d30ba0b177ee972b811c267bf25b88783faffc31b7139147b1cf4114e7ea73bc3ee6b7365a5ff28

        • C:\Users\Admin\elv3.ooocccxxx

          Filesize

          573KB

          MD5

          9b3be6dd84a212ea83fb3a7c184dbb07

          SHA1

          fb60c9c114bac54c83cccc2e0ddc6f85e3eeae13

          SHA256

          4e1c2fcbd27ebf54e55c0c69c855a32110bc86196de3dc03253ad4241eda6e03

          SHA512

          f136dd003d092102c38eb6e0a9a8a917866d27a7b5d5062778712cd55ba9f9b1e64bed4b1dd67aa39dcef8c639b96e7760e0cf21fbc516f5b4dd779ecc5c6427

        • C:\Users\Admin\elv3.ooocccxxx

          Filesize

          573KB

          MD5

          9b3be6dd84a212ea83fb3a7c184dbb07

          SHA1

          fb60c9c114bac54c83cccc2e0ddc6f85e3eeae13

          SHA256

          4e1c2fcbd27ebf54e55c0c69c855a32110bc86196de3dc03253ad4241eda6e03

          SHA512

          f136dd003d092102c38eb6e0a9a8a917866d27a7b5d5062778712cd55ba9f9b1e64bed4b1dd67aa39dcef8c639b96e7760e0cf21fbc516f5b4dd779ecc5c6427

        • C:\Windows\System32\FLdtVVYrZQYHDn\gSXNoh.dll

          Filesize

          573KB

          MD5

          9b3be6dd84a212ea83fb3a7c184dbb07

          SHA1

          fb60c9c114bac54c83cccc2e0ddc6f85e3eeae13

          SHA256

          4e1c2fcbd27ebf54e55c0c69c855a32110bc86196de3dc03253ad4241eda6e03

          SHA512

          f136dd003d092102c38eb6e0a9a8a917866d27a7b5d5062778712cd55ba9f9b1e64bed4b1dd67aa39dcef8c639b96e7760e0cf21fbc516f5b4dd779ecc5c6427

        • C:\Windows\System32\LipmV\sjCsxfMPtvHd.dll

          Filesize

          855KB

          MD5

          1209ebba5bb4117ee10b719ddba8b7c4

          SHA1

          7454dbf8268ce69d0d256d103808bd7e5c744662

          SHA256

          75fecc5c2b56359a9743030058046081f3011a518a3900de442181c6d0f81c7e

          SHA512

          f2c27d530232ddb9b9c258cfbbb10a36cd4c26b9b9a2b51f6d30ba0b177ee972b811c267bf25b88783faffc31b7139147b1cf4114e7ea73bc3ee6b7365a5ff28

        • C:\Windows\System32\Srohl\HEYFPyP.dll

          Filesize

          855KB

          MD5

          e4d4ddbb48b7c5d8d04e64bcfd241162

          SHA1

          841cb873109728065ff3907e0a19af8d4b363b6b

          SHA256

          220d0bf5b02e2405afdb47c3569ca1bbc5770d7226a5479a01742ac26619e928

          SHA512

          8133893139c8e680416adbe5ae7e8dd789508cf5bc5d68ad36afcb7e43f43460e5c2947b4ec8605043d4290c5f0caffd745533ea55b788396cb45e3f0919448d

        • memory/1440-142-0x0000000180000000-0x000000018002F000-memory.dmp

          Filesize

          188KB

        • memory/2412-138-0x00007FFD188D0000-0x00007FFD188E0000-memory.dmp

          Filesize

          64KB

        • memory/2412-132-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

          Filesize

          64KB

        • memory/2412-137-0x00007FFD188D0000-0x00007FFD188E0000-memory.dmp

          Filesize

          64KB

        • memory/2412-136-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

          Filesize

          64KB

        • memory/2412-135-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

          Filesize

          64KB

        • memory/2412-134-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

          Filesize

          64KB

        • memory/2412-133-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp

          Filesize

          64KB