Overview

overview

10

Static

static

8

emotet_v6

windows10_x64

10

emotet_doc

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    09-12-2021 02:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d93a4f12d6e52dd86f8194dc522bdf7b6c4724898e929e12943c15cef4f3aa9.xlsm

  • Size

    102KB

  • MD5

    e01658f40196c8810a4b654d10212ade

  • SHA1

    caed09b776174509351dfe57e87325cacee7c69d

  • SHA256

    0d93a4f12d6e52dd86f8194dc522bdf7b6c4724898e929e12943c15cef4f3aa9

  • SHA512

    5e502a8d00aa91155e4725323b9f7b073537565a1b185e8a8cce12259b6c7300aebabd8ef776280cecb85b451999742a5bde4ad1a460f12fec0d9c7e7158a666

Score
10/10
emotetepoch4bankertrojan

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://singsamut.ac.th/00-----26phj/ws1iGhQ/ws1iGhQ/

Extracted

Family

emotet

Botnet

Epoch4

C2

172.104.227.98:443

31.207.89.74:8080

46.55.222.11:443

41.76.108.46:8080

103.8.26.103:8080

185.184.25.237:8080

103.8.26.102:8080

203.114.109.124:443

45.118.115.99:8080

178.79.147.66:8080

58.227.42.236:80

45.118.135.203:7080

103.75.201.2:443

195.154.133.20:443

192.254.71.210:443

45.142.114.231:8080

212.237.5.209:443

207.38.84.195:8080

104.251.214.46:8080

212.237.17.99:8080
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\0d93a4f12d6e52dd86f8194dc522bdf7b6c4724898e929e12943c15cef4f3aa9.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Windows\SysWow64\rundll32.exe
      C:\Windows\SysWow64\rundll32.exe ..\bestb.ocx,D"&"l"&"l"&"R"&"eg"&"i"&"s"&"t"&"e"&"rS"&"e"&"rver
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\bestb.ocx",DllRegisterServer
        3⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xflnljhpiwyrmjmw\ahzeap.noc",YMktaIWNO
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:944
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xflnljhpiwyrmjmw\ahzeap.noc",DllRegisterServer
            5⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            PID:2388

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3060-265-0x0000000010000000-0x0000000010027000-memory.dmp

    Filesize

    156KB

    Download

  • memory/3700-122-0x000001C33A870000-0x000001C33A872000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3700-121-0x00007FF97BC30000-0x00007FF97BC40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3700-119-0x000001C33A870000-0x000001C33A872000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3700-120-0x000001C33A870000-0x000001C33A872000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3700-115-0x00007FF97BC30000-0x00007FF97BC40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3700-118-0x00007FF97BC30000-0x00007FF97BC40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3700-117-0x00007FF97BC30000-0x00007FF97BC40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3700-116-0x00007FF97BC30000-0x00007FF97BC40000-memory.dmp

    Filesize

    64KB

    Download