Analysis

  • max time kernel
    48s
  • max time network
    144s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    21/03/2023, 23:29

General

  • Target

    c482bddf2e6bcfa06f30bd8080f527aa1afa34397d489c417ec374bde2eea841.doc

  • Size

    245KB

  • MD5

    742bd4ba74940549338dc1715192d99c

  • SHA1

    793e2a75e17c37ab42ac46fb1683a01b23b60315

  • SHA256

    c482bddf2e6bcfa06f30bd8080f527aa1afa34397d489c417ec374bde2eea841

  • SHA512

    a2235e0c6679076ab2be7bc834fa6ed8c7b0f22db1e821f14fe7cc4e4731848371d9e6b8e27dae1b204b762e97059bda3fcc1c63c6af647953604bfffdc8957d

  • SSDEEP

    3072:zORzi7NJxZv/H11khtBO8E1CcQZKwKUHblp+akplFapqZU5OVbjnow:SRG7LL3HutFaCcy7XblEagFakZU5O

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

C2
eck1.plain
ecs1.plain

Signatures

  • Emotet
    Emotet is a trojan that is primarily spread through spam emails.
  • Process spawned unexpected child process (1 IoC)
    This typically indicates the parent process was compromised via an exploit or macro.
  • Checks processor information in registry (2 TTPs, 3 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Script User-Agent (1 IoC)
    Uses user-agent string associated with script host/environment.
  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c482bddf2e6bcfa06f30bd8080f527aa1afa34397d489c417ec374bde2eea841.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\002953.tmp"
      2⤵
      • Process spawned unexpected child process
      PID:3308
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VONkDoiQUMPIDeQG\FHrxmpqtV.dll"
        3⤵
        PID:924

Downloads

  • C:\Users\Admin\AppData\Local\Temp\002953.tmp
    Filesize: 455.1MB
    MD5: f6cb1cfe0d32ef30d459017eb25fe2dd
    SHA1: f70dc1cf95f6b47885a786359c9c28bb9bad7da7
    SHA256: 5b98fdf4d3a535141bc645a892fa6f13b9c80fadea74d596dd8254cbf53ea373
    SHA512: 706bdf22ea700f131fed29bcc4c5e2dacaf7262d51a6ea0c2a6a9748bef121da27ec9cc6f7b2e47ea30fcbc9f666eef14b26f4dc6b4f09d36d87711a175adaa4

  • C:\Users\Admin\AppData\Local\Temp\003015.zip
    Filesize: 984KB
    MD5: ffec2c48d1641a54d5e6d4d34566b304
    SHA1: 492f6885bcd96b54caec9d4f700ab6d4674fc989
    SHA256: 71e5b8bcc439d7c28ce77eedbb8416f8934ad7565c1631ec8208a0b2bfc174ea
    SHA512: 22d1640dce811e4fe937cf74d808bd3f0a9d4b1f2061c4ee17e726dd78d1c8203645e6958e6f9ac0386010c2ecc716eed77535547ad601cca7f482e1cda36243

  • \Users\Admin\AppData\Local\Temp\002953.tmp
    Filesize: 454.8MB
    MD5: 175f28b0dfe6389bf511f1acecbf25f9
    SHA1: 62c04d11280fd2471d81ae03e83649bbada5592c
    SHA256: 3c5d0a0e330c24ccac99cd6d119696f3abebeca74f38cddcc065f926026414d6
    SHA512: 48c2c5b207e075b0e52f763182e2c93bee1fe4a20e7ab5618b245495ede7f34c7c9e4648ed2583b520e3ab7673f9b37b6333491d04bcef5db7abdf87345a885a

  • memory/2264-124-0x00007FFD49660000-0x00007FFD49670000-memory.dmp
    Filesize: 64KB

  • memory/2264-127-0x00007FFD46520000-0x00007FFD46530000-memory.dmp
    Filesize: 64KB

  • memory/2264-129-0x00007FFD46520000-0x00007FFD46530000-memory.dmp
    Filesize: 64KB

  • memory/2264-121-0x00007FFD49660000-0x00007FFD49670000-memory.dmp
    Filesize: 64KB

  • memory/2264-123-0x00007FFD49660000-0x00007FFD49670000-memory.dmp
    Filesize: 64KB

  • memory/2264-122-0x00007FFD49660000-0x00007FFD49670000-memory.dmp
    Filesize: 64KB

  • memory/2264-438-0x00007FFD49660000-0x00007FFD49670000-memory.dmp
    Filesize: 64KB

  • memory/2264-439-0x00007FFD49660000-0x00007FFD49670000-memory.dmp
    Filesize: 64KB

  • memory/2264-441-0x00007FFD49660000-0x00007FFD49670000-memory.dmp
    Filesize: 64KB

  • memory/2264-440-0x00007FFD49660000-0x00007FFD49670000-memory.dmp
    Filesize: 64KB

  • memory/3308-329-0x0000000002960000-0x00000000029BA000-memory.dmp
    Filesize: 360KB

  • memory/3308-344-0x0000000000BE0000-0x0000000000BE1000-memory.dmp
    Filesize: 4KB