emotet | 9bbdb70d09509452db079c0fa78b2a2911863314c737bafde2cd3245b190c5bb

General

Target

9bbdb70d09509452db079c0fa78b2a2911863314c737bafde2cd3245b190c5bb.xls
Size

67KB
MD5

d0a899064c6be7e65cffff246739deb8
SHA1

077c3433df502bd6ae41437032537f0d4bb4c709
SHA256

9bbdb70d09509452db079c0fa78b2a2911863314c737bafde2cd3245b190c5bb
SHA512

15d79b4752ebfdf4e9526b95e708d7f7c144f0a23ccaada588804798f0ed68105fc97fb620c6a51fda456f00f58295a111e5eae0348d55affd91697265f44df1

Score

10^/10

emotet epoch5 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://www.clasite.com/blogs/IEEsyn/

xlm40.dropper

https://oncrete-egy.com/wp-content/V6Igzw8/

xlm40.dropper

http://opencart-destek.com/catalog/OqHwQ8xlWa5Goyo/

xlm40.dropper

http://www.pjesacac.com/components/O93XXhMN3tOtTlV/

Extracted

Family

emotet

Botnet

Epoch5

C2

194.9.172.107:8080

66.42.57.149:443

165.22.73.229:8080

202.29.239.162:443

76.189.152.228:1645

59.185.164.123:8382

115.19.43.159:30377

104.248.225.227:8080

54.38.242.185:443

103.133.214.242:8080

78.47.204.80:443

210.57.209.142:8080

103.41.204.169:8080

118.98.72.86:443

88.217.172.165:8080

87.106.97.83:7080

85.25.120.45:8080

195.77.239.39:8080

37.44.244.177:8080

36.67.23.59:443

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3708	2756	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4420	2756	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4328	2756	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3812	2756	regsvr32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Downloads MZ/PE file
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

3708 regsvr32.exe
4420 regsvr32.exe
4328 regsvr32.exe
3812 regsvr32.exe

pid	process
3708	regsvr32.exe
4420	regsvr32.exe
4328	regsvr32.exe
3812	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2756 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

4520 regsvr32.exe
4520 regsvr32.exe
4204 regsvr32.exe
4204 regsvr32.exe
368 regsvr32.exe
368 regsvr32.exe
3684 regsvr32.exe
3684 regsvr32.exe

pid	process
4520	regsvr32.exe
4520	regsvr32.exe
4204	regsvr32.exe
4204	regsvr32.exe
368	regsvr32.exe
368	regsvr32.exe
3684	regsvr32.exe
3684	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2756	EXCEL.EXE
2756	EXCEL.EXE
2756	EXCEL.EXE
2756	EXCEL.EXE
2756	EXCEL.EXE
2756	EXCEL.EXE
2756	EXCEL.EXE
2756	EXCEL.EXE
2756	EXCEL.EXE
2756	EXCEL.EXE
2756	EXCEL.EXE
2756	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2756 wrote to memory of 3708	2756	EXCEL.EXE	regsvr32.exe
PID 2756 wrote to memory of 3708	2756	EXCEL.EXE	regsvr32.exe
PID 2756 wrote to memory of 4420	2756	EXCEL.EXE	regsvr32.exe
PID 2756 wrote to memory of 4420	2756	EXCEL.EXE	regsvr32.exe
PID 4420 wrote to memory of 4520	4420	regsvr32.exe	regsvr32.exe
PID 4420 wrote to memory of 4520	4420	regsvr32.exe	regsvr32.exe
PID 2756 wrote to memory of 4328	2756	EXCEL.EXE	regsvr32.exe
PID 2756 wrote to memory of 4328	2756	EXCEL.EXE	regsvr32.exe
PID 4328 wrote to memory of 4204	4328	regsvr32.exe	regsvr32.exe
PID 4328 wrote to memory of 4204	4328	regsvr32.exe	regsvr32.exe
PID 2756 wrote to memory of 3812	2756	EXCEL.EXE	regsvr32.exe
PID 2756 wrote to memory of 3812	2756	EXCEL.EXE	regsvr32.exe
PID 3812 wrote to memory of 368	3812	regsvr32.exe	regsvr32.exe
PID 3812 wrote to memory of 368	3812	regsvr32.exe	regsvr32.exe
PID 3708 wrote to memory of 3684	3708	regsvr32.exe	regsvr32.exe
PID 3708 wrote to memory of 3684	3708	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9bbdb70d09509452db079c0fa78b2a2911863314c737bafde2cd3245b190c5bb.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr1.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FsAemhFCs\IviuMiPWZiUKzIv.dll"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3684

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr2.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HezdKghHUTSVRa\PTAB.dll"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4520

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr3.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BRNte\yFPNileKPQ.dll"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr4.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CBchLaxxEJCjG\uUIdEQdwD.dll"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\uxevr1.ocx
Filesize
373KB

MD5
0c833f3d3633f1239d5f7d27ec411b35

SHA1
f6f5c954a833f3ccc59ae9596f3365a1deff390a

SHA256
47efdef5ba81eacc1f97698b52204aeab8e3c2af3505a50a979aa03262dc8cb2

SHA512
9b677262e374d3714b6e88c574e155503bc35b9616b5abb1ad1993cf5b1a799d5d3d5a73a1598235370f86fc650e30aecee5c53bb40d48b865c8cb2608a7f050

Download Submit
C:\Users\Admin\uxevr2.ocx
Filesize
362KB

MD5
4c623633b3bd37a852fe399475421eac

SHA1
d14e86b37d5813d8b6e0fa6fac8cd44401baf741

SHA256
91b2f97eb1b6673a5ff548226b0a3c5098e017b273b9370e2a7027edb7e0d795

SHA512
23dd9aa8385d29e19d3f9e2383465170b5f54f969007c9ab44a514ce22641d0b71d5877800662f15932711edb92f7650a4f266d0b0fed7abd201bf572a3982b8

Download Submit
C:\Users\Admin\uxevr3.ocx
Filesize
362KB

MD5
526aef9990b56a7e4070e18aa4b6e1c5

SHA1
78e70634240bfafd23ee04e6b3cad5851511eff9

SHA256
391de885b1037587a4cd63d3134da5868bd7243e770df93fac556fed786d1223

SHA512
0fca2cc8ebc2c2d0a8f7f8e1d20d5ee6f5546fc06ab13e9be5b1e3407e58ad7734512d58eed5afa6dc679065d5bd018b038f4c73213a47f1dbedcc45f14c7cf9

Download Submit
C:\Users\Admin\uxevr4.ocx
Filesize
362KB

MD5
fdb54da042fa55bfef82eff0fa1193e5

SHA1
a52cd40ce448ecd5ea6e591367073a3d0756a289

SHA256
8478b3f7892206e4c2efc64597a2b7bff00d0c6cdc6b01177c5addce6748fe22

SHA512
572d3704c481088f6763da79cb6f69ff4d53c4e534f3cbf1e1d4463e0246e605b0c91a7d580cca52b7a6c41a310ba41b50bdb772e21e7a2229990176b44883a0

Download Submit
\Users\Admin\uxevr1.ocx
Filesize
373KB

MD5
0c833f3d3633f1239d5f7d27ec411b35

SHA1
f6f5c954a833f3ccc59ae9596f3365a1deff390a

SHA256
47efdef5ba81eacc1f97698b52204aeab8e3c2af3505a50a979aa03262dc8cb2

SHA512
9b677262e374d3714b6e88c574e155503bc35b9616b5abb1ad1993cf5b1a799d5d3d5a73a1598235370f86fc650e30aecee5c53bb40d48b865c8cb2608a7f050

Download Submit
\Users\Admin\uxevr2.ocx
Filesize
362KB

MD5
4c623633b3bd37a852fe399475421eac

SHA1
d14e86b37d5813d8b6e0fa6fac8cd44401baf741

SHA256
91b2f97eb1b6673a5ff548226b0a3c5098e017b273b9370e2a7027edb7e0d795

SHA512
23dd9aa8385d29e19d3f9e2383465170b5f54f969007c9ab44a514ce22641d0b71d5877800662f15932711edb92f7650a4f266d0b0fed7abd201bf572a3982b8

Download Submit
\Users\Admin\uxevr3.ocx
Filesize
362KB

MD5
526aef9990b56a7e4070e18aa4b6e1c5

SHA1
78e70634240bfafd23ee04e6b3cad5851511eff9

SHA256
391de885b1037587a4cd63d3134da5868bd7243e770df93fac556fed786d1223

SHA512
0fca2cc8ebc2c2d0a8f7f8e1d20d5ee6f5546fc06ab13e9be5b1e3407e58ad7734512d58eed5afa6dc679065d5bd018b038f4c73213a47f1dbedcc45f14c7cf9

Download Submit
\Users\Admin\uxevr4.ocx
Filesize
362KB

MD5
fdb54da042fa55bfef82eff0fa1193e5

SHA1
a52cd40ce448ecd5ea6e591367073a3d0756a289

SHA256
8478b3f7892206e4c2efc64597a2b7bff00d0c6cdc6b01177c5addce6748fe22

SHA512
572d3704c481088f6763da79cb6f69ff4d53c4e534f3cbf1e1d4463e0246e605b0c91a7d580cca52b7a6c41a310ba41b50bdb772e21e7a2229990176b44883a0

Download Submit
memory/368-318-0x0000000000000000-mapping.dmp

Download
memory/2756-126-0x00007FFA3B300000-0x00007FFA3B310000-memory.dmp

Filesize
64KB

Download
memory/2756-127-0x00007FFA3B300000-0x00007FFA3B310000-memory.dmp

Filesize
64KB

Download
memory/2756-114-0x00007FFA3E5B0000-0x00007FFA3E5C0000-memory.dmp

Filesize
64KB

Download
memory/2756-117-0x00007FFA3E5B0000-0x00007FFA3E5C0000-memory.dmp

Filesize
64KB

Download
memory/2756-116-0x00007FFA3E5B0000-0x00007FFA3E5C0000-memory.dmp

Filesize
64KB

Download
memory/2756-115-0x00007FFA3E5B0000-0x00007FFA3E5C0000-memory.dmp

Filesize
64KB

Download
memory/3684-329-0x0000000000000000-mapping.dmp

Download
memory/3708-275-0x0000000000000000-mapping.dmp

Download
memory/3708-324-0x0000000180000000-0x0000000180031000-memory.dmp

Filesize
196KB

Download
memory/3812-310-0x0000000000000000-mapping.dmp

Download
memory/4204-304-0x0000000000000000-mapping.dmp

Download
memory/4328-292-0x0000000000000000-mapping.dmp

Download
memory/4420-285-0x0000000180000000-0x0000000180031000-memory.dmp

Filesize
196KB

Download
memory/4420-282-0x0000000000000000-mapping.dmp

Download
memory/4520-290-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads