Overview

overview

10

Static

static

8

1211.xls

windows7-x64

10

1211.xls

windows10-1703-x64

1

Analysis

  • max time kernel
    299s
  • max time network
    304s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2022 03:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1211.xls

  • Size

    96KB

  • MD5

    61702e522745bf911053f505bd144d2e

  • SHA1

    e0a4a67d3dae7af500c457117bcc97fc9e452efc

  • SHA256

    4bbdeba86763e0ef1ef5a037b6a97a03fb37a44394773a5c8d6c126f12babc63

  • SHA512

    5c3d7db6b0235a8698513e93d1f09384bc4d4483d5530e9a9262dacb73bd66179f29d666ae36f975004daa511229f49586cfddc09fa6821a68768cf7ff647cc0

  • SSDEEP

    3072:PKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgnOmH4wbH5M:PKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgnw

Score
10/10
emotetepoch5bankertrojan

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://fromthetrenchesworldreport.com/analytics/ZY5ntk/
xlm40.dropper

http://d4842.cp.irishdomains.com/issa/images/kbwwxkgV1akI2jW8ZKs/
xlm40.dropper

http://erkaradyator.com.tr/Areas/Ar2lgC3yhtxBY/
xlm40.dropper

http://forgione.com.ar/genealogia/dRBVyl/

Extracted

Family

emotet

Botnet

Epoch5

C2

202.28.34.99:8080

80.211.107.116:8080

175.126.176.79:8080

218.38.121.17:443

139.196.72.155:8080

103.71.99.57:8080

87.106.97.83:7080

178.62.112.199:8080

64.227.55.231:8080

46.101.98.60:8080

54.37.228.122:443

128.199.217.206:443

190.145.8.4:443

209.239.112.82:8080

85.214.67.203:8080

198.199.70.22:8080

128.199.242.164:8080

178.238.225.252:8080

103.85.95.4:8080

103.126.216.86:443
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 6 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1211.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\scud1.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Windows\system32\regsvr32.exe
        /S ..\scud1.ooocccxxx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1580
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PNoneBI\pAnZeeSXEch.dll"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2020
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\scud2.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\system32\regsvr32.exe
        /S ..\scud2.ooocccxxx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1972
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PboSRGmxepGfVHBlp\swDSUYyVVPTzqQi.dll"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1568
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\scud3.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\system32\regsvr32.exe
        /S ..\scud3.ooocccxxx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1436
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OZUdeqeMFvooc\PeMhB.dll"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1356
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\scud4.ooocccxxx
      2⤵
      • Process spawned unexpected child process
      PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\scud1.ooocccxxx
    Filesize

    516KB

    MD5

    2a2b05bf1934553c30901366c0a6c08a

    SHA1

    584bc27aa77fb97096dddbbb2eb061adac49551c

    SHA256

    b0d44c099dc9dcd8d5e54dd190017b09cc7c52155dcdcea98b66aa627c221d76

    SHA512

    165e9d3210c820b9d2a5c95ba92a051e71a63d3e2e270452b0ed818fe0ac2d4882777434da5556fb0af7292b783769aa690e8cab9bdb13bd37e618f402d0277e

    Download Submit
  • C:\Users\Admin\scud2.ooocccxxx
    Filesize

    516KB

    MD5

    378a50f0877aef30ff163ea235b67423

    SHA1

    b3de2fc7d451d3d7ab9bd14ff4ecd759e3623094

    SHA256

    395344cc68f391ab834e2479eb5a68c7071c848f96535c3f251925e5e32cf139

    SHA512

    c42d9f1e2c419c65a711e137d57e8cba6560ca6e2a602c235945b0798e2ffda3d917b7089b817eb9c1eea6de2084087472e8dac7d7a60fcd65cdfcc5ba0cce2f

    Download Submit
  • C:\Users\Admin\scud3.ooocccxxx
    Filesize

    516KB

    MD5

    00dcec234bb316293dd4b753c0af7f96

    SHA1

    0480882d53d8be95288927c8b1b06c3707b7d1ec

    SHA256

    1393ea8eab35a00ce13a541d29fbab55db5b90cd32a1bcf8f137c5b9c06a2069

    SHA512

    fbf60676263224d6c178acca49d9ebd110f0122bf764581873c5c5a8eba5a44d5cf04ba02939bc8747d1089c216f93c6de627fab857247c2201f93c0d768f7ab

    Download Submit
  • \Users\Admin\scud1.ooocccxxx
    Filesize

    516KB

    MD5

    2a2b05bf1934553c30901366c0a6c08a

    SHA1

    584bc27aa77fb97096dddbbb2eb061adac49551c

    SHA256

    b0d44c099dc9dcd8d5e54dd190017b09cc7c52155dcdcea98b66aa627c221d76

    SHA512

    165e9d3210c820b9d2a5c95ba92a051e71a63d3e2e270452b0ed818fe0ac2d4882777434da5556fb0af7292b783769aa690e8cab9bdb13bd37e618f402d0277e

    Download Submit
  • \Users\Admin\scud1.ooocccxxx
    Filesize

    516KB

    MD5

    2a2b05bf1934553c30901366c0a6c08a

    SHA1

    584bc27aa77fb97096dddbbb2eb061adac49551c

    SHA256

    b0d44c099dc9dcd8d5e54dd190017b09cc7c52155dcdcea98b66aa627c221d76

    SHA512

    165e9d3210c820b9d2a5c95ba92a051e71a63d3e2e270452b0ed818fe0ac2d4882777434da5556fb0af7292b783769aa690e8cab9bdb13bd37e618f402d0277e

    Download Submit
  • \Users\Admin\scud2.ooocccxxx
    Filesize

    516KB

    MD5

    378a50f0877aef30ff163ea235b67423

    SHA1

    b3de2fc7d451d3d7ab9bd14ff4ecd759e3623094

    SHA256

    395344cc68f391ab834e2479eb5a68c7071c848f96535c3f251925e5e32cf139

    SHA512

    c42d9f1e2c419c65a711e137d57e8cba6560ca6e2a602c235945b0798e2ffda3d917b7089b817eb9c1eea6de2084087472e8dac7d7a60fcd65cdfcc5ba0cce2f

    Download Submit
  • \Users\Admin\scud2.ooocccxxx
    Filesize

    516KB

    MD5

    378a50f0877aef30ff163ea235b67423

    SHA1

    b3de2fc7d451d3d7ab9bd14ff4ecd759e3623094

    SHA256

    395344cc68f391ab834e2479eb5a68c7071c848f96535c3f251925e5e32cf139

    SHA512

    c42d9f1e2c419c65a711e137d57e8cba6560ca6e2a602c235945b0798e2ffda3d917b7089b817eb9c1eea6de2084087472e8dac7d7a60fcd65cdfcc5ba0cce2f

    Download Submit
  • \Users\Admin\scud3.ooocccxxx
    Filesize

    516KB

    MD5

    00dcec234bb316293dd4b753c0af7f96

    SHA1

    0480882d53d8be95288927c8b1b06c3707b7d1ec

    SHA256

    1393ea8eab35a00ce13a541d29fbab55db5b90cd32a1bcf8f137c5b9c06a2069

    SHA512

    fbf60676263224d6c178acca49d9ebd110f0122bf764581873c5c5a8eba5a44d5cf04ba02939bc8747d1089c216f93c6de627fab857247c2201f93c0d768f7ab

    Download Submit
  • \Users\Admin\scud3.ooocccxxx
    Filesize

    516KB

    MD5

    00dcec234bb316293dd4b753c0af7f96

    SHA1

    0480882d53d8be95288927c8b1b06c3707b7d1ec

    SHA256

    1393ea8eab35a00ce13a541d29fbab55db5b90cd32a1bcf8f137c5b9c06a2069

    SHA512

    fbf60676263224d6c178acca49d9ebd110f0122bf764581873c5c5a8eba5a44d5cf04ba02939bc8747d1089c216f93c6de627fab857247c2201f93c0d768f7ab

    Download Submit
  • memory/1204-69-0x0000000071F1D000-0x0000000071F28000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1204-58-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1204-57-0x0000000071F1D000-0x0000000071F28000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1204-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1204-55-0x0000000070F31000-0x0000000070F33000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1204-54-0x000000002F0A1000-0x000000002F0A4000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1356-100-0x0000000000000000-mapping.dmp
    Download
  • memory/1408-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1420-90-0x0000000000000000-mapping.dmp
    Download
  • memory/1436-94-0x0000000000000000-mapping.dmp
    Download
  • memory/1568-85-0x0000000000000000-mapping.dmp
    Download
  • memory/1580-64-0x000007FEFB741000-0x000007FEFB743000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1580-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1580-66-0x0000000180000000-0x000000018002E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1636-105-0x0000000000000000-mapping.dmp
    Download
  • memory/1972-79-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-75-0x0000000000000000-mapping.dmp
    Download
  • memory/2020-70-0x0000000000000000-mapping.dmp
    Download