emotet | 64d92f79a2d87571d428b7b19ef4f5c1680c24c8952a2f46b84f217cfba19766

General

Target

64d92f79a2d87571d428b7b19ef4f5c1680c24c8952a2f46b84f217cfba19766.xlsm
Size

46KB
MD5

363495acb4327435709de91edaef8338
SHA1

11ea485cddc9de2db0397f02f00a564a9468f032
SHA256

64d92f79a2d87571d428b7b19ef4f5c1680c24c8952a2f46b84f217cfba19766
SHA512

1502abfa4494c69541cbaf3f00b176f04a45802b35a0818f0a46cd229a99dd675a7b8746efa946ea37efd7305c18a00eaba4a48c251d19d084fcbf4e575cf10e

Score

10^/10

emotet epoch4 banker collection spyware stealer trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://eles-tech.com/css/KzMysMqFMs/

Extracted

Family

emotet

Botnet

Epoch4

C2

68.183.94.239:80

104.131.11.205:443

138.197.109.175:8080

187.84.80.182:443

79.143.187.147:443

216.158.226.206:443

167.99.115.35:8080

212.24.98.99:8080

1.234.21.73:7080

206.189.28.199:8080

158.69.222.101:443

164.68.99.3:8080

188.44.20.25:443

185.157.82.211:8080

134.122.66.193:8080

196.218.30.83:443

72.15.201.15:8080

5.9.116.246:8080

176.104.106.96:8080

153.126.146.25:7080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4684	2160	regsvr32.exe	65

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1852-275-0x0000000000400000-0x000000000045F000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4256-277-0x0000000001134179-mapping.dmp	WebBrowserPassView
behavioral2/memory/4256-281-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/memory/1852-275-0x0000000000400000-0x000000000045F000-memory.dmp	Nirsoft
behavioral2/memory/4256-277-0x0000000001134179-mapping.dmp	Nirsoft
behavioral2/memory/4256-281-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1852	xqpeujyixgfqj.exe
4256	kwjyvmlo.exe

Loads dropped DLL 1 IoCs

pid	Process
4684	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2768928936-1532084270-2243561071-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	xqpeujyixgfqj.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qgggdqiw\lsooesjbndgvg.cpp	regsvr32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3580 set thread context of 1852	3580	regsvr32.exe	76
PID 3580 set thread context of 4256	3580	regsvr32.exe	77

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
3996	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4068	systeminfo.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2160	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3580	regsvr32.exe
3580	regsvr32.exe
3580	regsvr32.exe
3580	regsvr32.exe
4256	kwjyvmlo.exe
4256	kwjyvmlo.exe
4256	kwjyvmlo.exe
4256	kwjyvmlo.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2160	EXCEL.EXE
2160	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE
2160	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 4684	2160	EXCEL.EXE	68
PID 2160 wrote to memory of 4684	2160	EXCEL.EXE	68
PID 2160 wrote to memory of 4684	2160	EXCEL.EXE	68
PID 4684 wrote to memory of 3580	4684	regsvr32.exe	70
PID 4684 wrote to memory of 3580	4684	regsvr32.exe	70
PID 4684 wrote to memory of 3580	4684	regsvr32.exe	70
PID 3580 wrote to memory of 4068	3580	regsvr32.exe	71
PID 3580 wrote to memory of 4068	3580	regsvr32.exe	71
PID 3580 wrote to memory of 4068	3580	regsvr32.exe	71
PID 3580 wrote to memory of 3996	3580	regsvr32.exe	74
PID 3580 wrote to memory of 3996	3580	regsvr32.exe	74
PID 3580 wrote to memory of 3996	3580	regsvr32.exe	74
PID 3580 wrote to memory of 1852	3580	regsvr32.exe	76
PID 3580 wrote to memory of 1852	3580	regsvr32.exe	76
PID 3580 wrote to memory of 1852	3580	regsvr32.exe	76
PID 3580 wrote to memory of 1852	3580	regsvr32.exe	76
PID 3580 wrote to memory of 4256	3580	regsvr32.exe	77
PID 3580 wrote to memory of 4256	3580	regsvr32.exe	77
PID 3580 wrote to memory of 4256	3580	regsvr32.exe	77
PID 3580 wrote to memory of 4256	3580	regsvr32.exe	77

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\64d92f79a2d87571d428b7b19ef4f5c1680c24c8952a2f46b84f217cfba19766.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWow64\regsvr32.exe
  C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Qgggdqiw\lsooesjbndgvg.cpp"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4068
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\xqpeujyixgfqj.exe
      "C:\Users\Admin\AppData\Local\Temp\\xqpeujyixgfqj.exe" /scomma "C:\Users\Admin\AppData\Local\Temp\BF8A.tmp"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\kwjyvmlo.exe
      "C:\Users\Admin\AppData\Local\Temp\\kwjyvmlo.exe" /scomma "C:\Users\Admin\AppData\Local\Temp\3A49.tmp"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3A49.tmp

Filesize
682B

MD5
f272d3d884219b6eca89c9733f10a82b

SHA1
4fa157f2e6f0c8ba5c07182a64db5d0b174df3e1

SHA256
63dc85a4d92ebf20271d969915a65fdc7f8749cc0247599cdbfe5a1dd1665a47

SHA512
b5b123d763a4df7112af3d43d6a87855b7ebd5266b040cdf384c36c468277ff28727e0db527c67b4a25357b463d8ad9eeed9505d087e370fa2c8f9b91c485c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwjyvmlo.exe

Filesize
1.1MB

MD5
6dd295c9f31ea47b1490e8f95d328c21

SHA1
3337c8b3e8e6755cbb65f674fc075446bf7ef346

SHA256
05323733c0c5d08f3cfc83bc80cb67de74a20a2364fffa5a893bc2eed7600bfe

SHA512
5c199f3c5d1fa719c775c96ee1aafd9d10d7450598d84b0c650766967a815e463bc75571a23e35bdd48a0316d01553234bab85328b903159a9c842d40b7cb149

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwjyvmlo.exe

Filesize
1.1MB

MD5
6dd295c9f31ea47b1490e8f95d328c21

SHA1
3337c8b3e8e6755cbb65f674fc075446bf7ef346

SHA256
05323733c0c5d08f3cfc83bc80cb67de74a20a2364fffa5a893bc2eed7600bfe

SHA512
5c199f3c5d1fa719c775c96ee1aafd9d10d7450598d84b0c650766967a815e463bc75571a23e35bdd48a0316d01553234bab85328b903159a9c842d40b7cb149

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqpeujyixgfqj.exe

Filesize
1.1MB

MD5
6dd295c9f31ea47b1490e8f95d328c21

SHA1
3337c8b3e8e6755cbb65f674fc075446bf7ef346

SHA256
05323733c0c5d08f3cfc83bc80cb67de74a20a2364fffa5a893bc2eed7600bfe

SHA512
5c199f3c5d1fa719c775c96ee1aafd9d10d7450598d84b0c650766967a815e463bc75571a23e35bdd48a0316d01553234bab85328b903159a9c842d40b7cb149

Download Submit
C:\Users\Admin\xewn.dll

Filesize
848KB

MD5
2147348766671d2c1bec6e78b1b07a7c

SHA1
bad65baa7bb7c41379e2c09fad045b973d73683c

SHA256
95020cbfd02951720069898bf265f027aa9082b8e7a3fe2468a169c087a5c450

SHA512
a6f9aef48e5fc922e8ad0948b88acc22793d644d2cf9eb81e6a9f8d550e9e6a631a99d0b90bfbe533496bca273d76b568667850343535b211c1024f636d4b9e0

Download Submit
\Users\Admin\xewn.dll

Filesize
848KB

MD5
2147348766671d2c1bec6e78b1b07a7c

SHA1
bad65baa7bb7c41379e2c09fad045b973d73683c

SHA256
95020cbfd02951720069898bf265f027aa9082b8e7a3fe2468a169c087a5c450

SHA512
a6f9aef48e5fc922e8ad0948b88acc22793d644d2cf9eb81e6a9f8d550e9e6a631a99d0b90bfbe533496bca273d76b568667850343535b211c1024f636d4b9e0

Download Submit
memory/1852-274-0x00000000002E0000-0x000000000033E000-memory.dmp

Filesize
376KB

Download
memory/1852-270-0x00000000002E0000-0x000000000033E000-memory.dmp

Filesize
376KB

Download
memory/1852-275-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2160-115-0x00007FFA71660000-0x00007FFA71670000-memory.dmp

Filesize
64KB

Download
memory/2160-114-0x00007FFA71660000-0x00007FFA71670000-memory.dmp

Filesize
64KB

Download
memory/2160-113-0x00007FFA71660000-0x00007FFA71670000-memory.dmp

Filesize
64KB

Download
memory/2160-116-0x00007FFA71660000-0x00007FFA71670000-memory.dmp

Filesize
64KB

Download
memory/3580-279-0x0000000000800000-0x000000000094A000-memory.dmp

Filesize
1.3MB

Download
memory/3580-262-0x0000000000A20000-0x0000000000A44000-memory.dmp

Filesize
144KB

Download
memory/3580-273-0x0000000000800000-0x000000000094A000-memory.dmp

Filesize
1.3MB

Download
memory/3580-268-0x00000000045C0000-0x000000000A523000-memory.dmp

Filesize
95.4MB

Download
memory/4256-276-0x00000000010D0000-0x0000000001137000-memory.dmp

Filesize
412KB

Download
memory/4256-282-0x00000000010D0000-0x0000000001137000-memory.dmp

Filesize
412KB

Download
memory/4256-281-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4684-249-0x00000000049E0000-0x0000000004A04000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads