emotet | ddfaf178cd5ea6decc275fa0a3d27bade27c40b7cd0ac8a086a615e296ce0377

General

Target

?i=1xsjvznln.xlsm
Size

83KB
MD5

0c6adea1eff64b8f701e18a8c9e5284d
SHA1

958197aca69eabbf0d6717e880ac3bb7d49a4d7a
SHA256

ddfaf178cd5ea6decc275fa0a3d27bade27c40b7cd0ac8a086a615e296ce0377
SHA512

7a01ec8855b51239dc59497bbc4e5b0da0f1d796963a6981842660fe734e05a48689ce3df35f9372068526b2217327eb5123d9a61631abec0b3a7db65c47fa02

Score

10^/10

emotet epoch5 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://robotically.xyz/wp-content/XtKkx/

xlm40.dropper

http://2.arthaloca.com/styles/dS5RNprosfCabLtYEwO/

Extracted

Family

emotet

Botnet

Epoch5

C2

45.138.98.34:80

69.16.218.101:8080

51.210.242.234:8080

185.148.168.220:8080

142.4.219.173:8080

54.38.242.185:443

191.252.103.16:80

104.131.62.48:8080

62.171.178.147:8080

217.182.143.207:443

168.197.250.14:80

37.44.244.177:8080

66.42.57.149:443

210.57.209.142:8080

159.69.237.188:443

116.124.128.206:8080

128.199.192.135:8080

195.154.146.35:443

185.148.168.15:8080

195.77.239.39:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3748	4528	rundll32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
67	1552	rundll32.exe
68	1552	rundll32.exe
82	1552	rundll32.exe
83	1552	rundll32.exe
84	1552	rundll32.exe
85	1552	rundll32.exe
86	1552	rundll32.exe
87	1552	rundll32.exe

Downloads MZ/PE file
Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

3748 rundll32.exe
492 rundll32.exe
4176 rundll32.exe
1552 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Vxdmoaiask\pjmoqmgg.twk rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3748	rundll32.exe
492	rundll32.exe
4176	rundll32.exe
1552	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Vxdmoaiask\pjmoqmgg.twk	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4528 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1552 rundll32.exe
1552 rundll32.exe

pid	process
1552	rundll32.exe
1552	rundll32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE
4528	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 4528 wrote to memory of 3748	4528	EXCEL.EXE	rundll32.exe
PID 4528 wrote to memory of 3748	4528	EXCEL.EXE	rundll32.exe
PID 4528 wrote to memory of 3748	4528	EXCEL.EXE	rundll32.exe
PID 3748 wrote to memory of 492	3748	rundll32.exe	rundll32.exe
PID 3748 wrote to memory of 492	3748	rundll32.exe	rundll32.exe
PID 3748 wrote to memory of 492	3748	rundll32.exe	rundll32.exe
PID 492 wrote to memory of 4176	492	rundll32.exe	rundll32.exe
PID 492 wrote to memory of 4176	492	rundll32.exe	rundll32.exe
PID 492 wrote to memory of 4176	492	rundll32.exe	rundll32.exe
PID 4176 wrote to memory of 1552	4176	rundll32.exe	rundll32.exe
PID 4176 wrote to memory of 1552	4176	rundll32.exe	rundll32.exe
PID 4176 wrote to memory of 1552	4176	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\_i=1xsjvznln.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWow64\rundll32.exe
C:\Windows\SysWow64\rundll32.exe ..\wxeu.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\wxeu.ocx",DllRegisterServer
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Vxdmoaiask\pjmoqmgg.twk",NTiOTYXUhWIVfct
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Vxdmoaiask\pjmoqmgg.twk",DllRegisterServer
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\wxeu.ocx
Filesize
408KB

MD5
ed355114bb1c92caf6c267f44f3351ba

SHA1
ed6c65876f81a69db06fe518e2fc9249cfb5b29a

SHA256
4f06d7b11608c4990a46f91120d6e7a76e778111c6dd70a06c518b66c0cda123

SHA512
5d1e7e334cd1ae03f9d90d4c042f9321a19ce143a05ad0bbcf48893b3ed3ff91ba751e6fbdbd99c2d3161d617ae85b5d3688769857f232cb9e5c8908b22f3988

Download Submit
C:\Users\Admin\wxeu.ocx
Filesize
408KB

MD5
ed355114bb1c92caf6c267f44f3351ba

SHA1
ed6c65876f81a69db06fe518e2fc9249cfb5b29a

SHA256
4f06d7b11608c4990a46f91120d6e7a76e778111c6dd70a06c518b66c0cda123

SHA512
5d1e7e334cd1ae03f9d90d4c042f9321a19ce143a05ad0bbcf48893b3ed3ff91ba751e6fbdbd99c2d3161d617ae85b5d3688769857f232cb9e5c8908b22f3988

Download Submit
C:\Users\Admin\wxeu.ocx
Filesize
408KB

MD5
ed355114bb1c92caf6c267f44f3351ba

SHA1
ed6c65876f81a69db06fe518e2fc9249cfb5b29a

SHA256
4f06d7b11608c4990a46f91120d6e7a76e778111c6dd70a06c518b66c0cda123

SHA512
5d1e7e334cd1ae03f9d90d4c042f9321a19ce143a05ad0bbcf48893b3ed3ff91ba751e6fbdbd99c2d3161d617ae85b5d3688769857f232cb9e5c8908b22f3988

Download Submit
C:\Windows\SysWOW64\Vxdmoaiask\pjmoqmgg.twk
Filesize
408KB

MD5
ed355114bb1c92caf6c267f44f3351ba

SHA1
ed6c65876f81a69db06fe518e2fc9249cfb5b29a

SHA256
4f06d7b11608c4990a46f91120d6e7a76e778111c6dd70a06c518b66c0cda123

SHA512
5d1e7e334cd1ae03f9d90d4c042f9321a19ce143a05ad0bbcf48893b3ed3ff91ba751e6fbdbd99c2d3161d617ae85b5d3688769857f232cb9e5c8908b22f3988

Download Submit
C:\Windows\SysWOW64\Vxdmoaiask\pjmoqmgg.twk
Filesize
408KB

MD5
ed355114bb1c92caf6c267f44f3351ba

SHA1
ed6c65876f81a69db06fe518e2fc9249cfb5b29a

SHA256
4f06d7b11608c4990a46f91120d6e7a76e778111c6dd70a06c518b66c0cda123

SHA512
5d1e7e334cd1ae03f9d90d4c042f9321a19ce143a05ad0bbcf48893b3ed3ff91ba751e6fbdbd99c2d3161d617ae85b5d3688769857f232cb9e5c8908b22f3988

Download Submit
memory/492-154-0x00000000031C0000-0x00000000031E8000-memory.dmp

Filesize
160KB

Download
memory/492-145-0x0000000001130000-0x0000000001158000-memory.dmp

Filesize
160KB

Download
memory/492-162-0x00000000033A0000-0x00000000033C8000-memory.dmp

Filesize
160KB

Download
memory/492-157-0x0000000003220000-0x0000000003248000-memory.dmp

Filesize
160KB

Download
memory/492-151-0x00000000030B0000-0x00000000030D8000-memory.dmp

Filesize
160KB

Download
memory/492-148-0x0000000002FD0000-0x0000000002FF8000-memory.dmp

Filesize
160KB

Download
memory/492-143-0x0000000000000000-mapping.dmp

Download
memory/1552-179-0x0000000002C80000-0x0000000002CA8000-memory.dmp

Filesize
160KB

Download
memory/1552-185-0x0000000002E80000-0x0000000002EA8000-memory.dmp

Filesize
160KB

Download
memory/1552-188-0x0000000002FB0000-0x0000000002FD8000-memory.dmp

Filesize
160KB

Download
memory/1552-182-0x0000000002D70000-0x0000000002D98000-memory.dmp

Filesize
160KB

Download
memory/1552-191-0x0000000003010000-0x0000000003038000-memory.dmp

Filesize
160KB

Download
memory/1552-170-0x00000000024F0000-0x0000000002518000-memory.dmp

Filesize
160KB

Download
memory/1552-176-0x0000000002C20000-0x0000000002C48000-memory.dmp

Filesize
160KB

Download
memory/1552-173-0x0000000002B40000-0x0000000002B68000-memory.dmp

Filesize
160KB

Download
memory/1552-168-0x0000000000000000-mapping.dmp

Download
memory/3748-140-0x0000000002760000-0x0000000002788000-memory.dmp

Filesize
160KB

Download
memory/3748-137-0x0000000000000000-mapping.dmp

Download
memory/4176-160-0x0000000000000000-mapping.dmp

Download
memory/4176-163-0x00000000018B0000-0x00000000018D8000-memory.dmp

Filesize
160KB

Download
memory/4528-131-0x00007FFA9B690000-0x00007FFA9B6A0000-memory.dmp

Filesize
64KB

Download
memory/4528-132-0x00007FFA9B690000-0x00007FFA9B6A0000-memory.dmp

Filesize
64KB

Download
memory/4528-136-0x00007FFA990C0000-0x00007FFA990D0000-memory.dmp

Filesize
64KB

Download
memory/4528-130-0x00007FFA9B690000-0x00007FFA9B6A0000-memory.dmp

Filesize
64KB

Download
memory/4528-133-0x00007FFA9B690000-0x00007FFA9B6A0000-memory.dmp

Filesize
64KB

Download
memory/4528-134-0x00007FFA9B690000-0x00007FFA9B6A0000-memory.dmp

Filesize
64KB

Download
memory/4528-135-0x00007FFA990C0000-0x00007FFA990D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads