emotet | 10d164258a05b43017ea2344e234477490adaef157633778e0a2f2f558ef9385

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

untitled 9999.xls
Size

67KB
MD5

26fe1a6dbcaedcd92be80daa3f91a595
SHA1

f894d4913c99feb984e4885d46ef3935467b07b0
SHA256

10d164258a05b43017ea2344e234477490adaef157633778e0a2f2f558ef9385
SHA512

27fc4993a4f0e8ff9ad667e107a846e94d97d13de9dd2af1da0cb7377df08d3e9001dee888d0909802dff8ae7450006071378df9e8b1842a7831804af098c826

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://vipteck.com/wp-admin/user/B8d6jr4pBND2HExAmI/lJWa95VlQ/

xlm40.dropper

http://salledemode.com/tgroup.ge/x4bc2kL4BzGAeUsVi/

xlm40.dropper

https://airliftlimo.com/wp-admin/iMc/

xlm40.dropper

http://kabeonet.pl/wp-admin/VWlAz5vWJNHDb/

Extracted

Family

emotet

Botnet

Epoch4

212.24.98.99:8080

51.91.76.89:8080

94.23.45.86:4143

101.50.0.91:8080

103.43.75.120:443

212.237.17.99:8080

158.69.222.101:443

51.254.140.238:7080

1.234.2.232:8080

91.207.28.33:8080

167.172.253.162:8080

45.235.8.30:8080

115.68.227.76:8080

134.122.66.193:8080

89.29.244.7:443

197.242.150.244:8080

164.68.99.3:8080

5.9.116.246:8080

1.234.21.73:7080

131.100.24.231:80

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4652	2576	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5044	2576	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1672	2576	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	308	2576	regsvr32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Downloads MZ/PE file
Loads dropped DLL 6 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

4652 regsvr32.exe
1872 regsvr32.exe
5044 regsvr32.exe
3280 regsvr32.exe
1672 regsvr32.exe
4732 regsvr32.exe

pid	process
4652	regsvr32.exe
1872	regsvr32.exe
5044	regsvr32.exe
3280	regsvr32.exe
1672	regsvr32.exe
4732	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2576 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

pid process

1872 regsvr32.exe
1872 regsvr32.exe
3280 regsvr32.exe
3280 regsvr32.exe
4732 regsvr32.exe
4732 regsvr32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

2576 EXCEL.EXE
2576 EXCEL.EXE

pid	process
1872	regsvr32.exe
1872	regsvr32.exe
3280	regsvr32.exe
3280	regsvr32.exe
4732	regsvr32.exe
4732	regsvr32.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	process
2576	EXCEL.EXE
2576	EXCEL.EXE
2576	EXCEL.EXE
2576	EXCEL.EXE
2576	EXCEL.EXE
2576	EXCEL.EXE
2576	EXCEL.EXE
2576	EXCEL.EXE
2576	EXCEL.EXE
2576	EXCEL.EXE
2576	EXCEL.EXE
2576	EXCEL.EXE
2576	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2576 wrote to memory of 4652	2576	EXCEL.EXE	regsvr32.exe
PID 2576 wrote to memory of 4652	2576	EXCEL.EXE	regsvr32.exe
PID 4652 wrote to memory of 1872	4652	regsvr32.exe	regsvr32.exe
PID 4652 wrote to memory of 1872	4652	regsvr32.exe	regsvr32.exe
PID 2576 wrote to memory of 5044	2576	EXCEL.EXE	regsvr32.exe
PID 2576 wrote to memory of 5044	2576	EXCEL.EXE	regsvr32.exe
PID 5044 wrote to memory of 3280	5044	regsvr32.exe	regsvr32.exe
PID 5044 wrote to memory of 3280	5044	regsvr32.exe	regsvr32.exe
PID 2576 wrote to memory of 1672	2576	EXCEL.EXE	regsvr32.exe
PID 2576 wrote to memory of 1672	2576	EXCEL.EXE	regsvr32.exe
PID 1672 wrote to memory of 4732	1672	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 4732	1672	regsvr32.exe	regsvr32.exe
PID 2576 wrote to memory of 308	2576	EXCEL.EXE	regsvr32.exe
PID 2576 wrote to memory of 308	2576	EXCEL.EXE	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\untitled 9999.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr1.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QTztN\OTDgOh.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1872

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr2.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KndcFIliCUQH\vygQuM.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3280

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr3.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BfEPDuykooCLfZA\LszYTolqJGIrUU.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4732

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr4.ocx
2⤵
- Process spawned unexpected child process
PID:308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize
330B

MD5
21f70a41bfc4b28214164c4cc3de11ce

SHA1
3e0c841e0f0c698e9f4ac799a19cc389bf3d83ff

SHA256
e676777931d61608717b07e47f2ac26b6039ff1327c5c4af52455d29730b945d

SHA512
6a444778dfb02d98c588cae9986dcc66eaf0bfd69657292c0aa2cec5feebf77a432c9a4f789708ca691107b3f91e8fc4907ae043923beae83ae2646b771f64d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize
330B

MD5
21f70a41bfc4b28214164c4cc3de11ce

SHA1
3e0c841e0f0c698e9f4ac799a19cc389bf3d83ff

SHA256
e676777931d61608717b07e47f2ac26b6039ff1327c5c4af52455d29730b945d

SHA512
6a444778dfb02d98c588cae9986dcc66eaf0bfd69657292c0aa2cec5feebf77a432c9a4f789708ca691107b3f91e8fc4907ae043923beae83ae2646b771f64d6

Download Submit
C:\Users\Admin\uxevr1.ocx
Filesize
356KB

MD5
600ef38588180fff78dcfa3e7e6883ad

SHA1
da6e5605da2adbfd86951ff74afc4c3b8aae2bef

SHA256
89714d70dfdca5a950006dfa5aee5c170b93c9805881c8691b0dfb2fc076a115

SHA512
af4f7a0ed6ffc00a0c33d543acfa304076b890a5dd1c4fea0f0d17f9a5cd83e236137e827d99338bbb2fd1c31eb31aa77e5c81474856a94e1e8cd667b712db3a

Download Submit
C:\Users\Admin\uxevr1.ocx
Filesize
356KB

MD5
600ef38588180fff78dcfa3e7e6883ad

SHA1
da6e5605da2adbfd86951ff74afc4c3b8aae2bef

SHA256
89714d70dfdca5a950006dfa5aee5c170b93c9805881c8691b0dfb2fc076a115

SHA512
af4f7a0ed6ffc00a0c33d543acfa304076b890a5dd1c4fea0f0d17f9a5cd83e236137e827d99338bbb2fd1c31eb31aa77e5c81474856a94e1e8cd667b712db3a

Download Submit
C:\Users\Admin\uxevr2.ocx
Filesize
356KB

MD5
c7a0dbdc477f258fa261db4b92205661

SHA1
5a61e64e4776f6d5683e919d789c0c835f837892

SHA256
7e2c0c0ed179fd02509c800cd8d478364c3069700f8de3acbff00ba1cb88bd38

SHA512
f2582b39932da738d385d5c733f6f26e903bb0fd421ee691eb2110b929b475938bff24addce25c47dd7ff7ea28a7bd090f890e33b1fc77738ee73a8a3f4c0aea

Download Submit
C:\Users\Admin\uxevr2.ocx
Filesize
356KB

MD5
c7a0dbdc477f258fa261db4b92205661

SHA1
5a61e64e4776f6d5683e919d789c0c835f837892

SHA256
7e2c0c0ed179fd02509c800cd8d478364c3069700f8de3acbff00ba1cb88bd38

SHA512
f2582b39932da738d385d5c733f6f26e903bb0fd421ee691eb2110b929b475938bff24addce25c47dd7ff7ea28a7bd090f890e33b1fc77738ee73a8a3f4c0aea

Download Submit
C:\Users\Admin\uxevr3.ocx
Filesize
356KB

MD5
cdd509cf216c4292446347ad2a0f7998

SHA1
7facf4f453d687269d40cf447a20b9c3fd64b141

SHA256
22468ca52a29596fadb550d79d2a07dbcbf0e1c73dbeaa1014219fcd4f3dd53d

SHA512
39df2f241f1a8dafdbcf164259de0384873a881e21c0272e96da55078e0242d2c1be3dffcc58471ee06a73d9b2ad0c39174af591b8dda792239c428aaad4ef44

Download Submit
C:\Users\Admin\uxevr3.ocx
Filesize
356KB

MD5
cdd509cf216c4292446347ad2a0f7998

SHA1
7facf4f453d687269d40cf447a20b9c3fd64b141

SHA256
22468ca52a29596fadb550d79d2a07dbcbf0e1c73dbeaa1014219fcd4f3dd53d

SHA512
39df2f241f1a8dafdbcf164259de0384873a881e21c0272e96da55078e0242d2c1be3dffcc58471ee06a73d9b2ad0c39174af591b8dda792239c428aaad4ef44

Download Submit
C:\Windows\System32\BfEPDuykooCLfZA\LszYTolqJGIrUU.dll
Filesize
356KB

MD5
cdd509cf216c4292446347ad2a0f7998

SHA1
7facf4f453d687269d40cf447a20b9c3fd64b141

SHA256
22468ca52a29596fadb550d79d2a07dbcbf0e1c73dbeaa1014219fcd4f3dd53d

SHA512
39df2f241f1a8dafdbcf164259de0384873a881e21c0272e96da55078e0242d2c1be3dffcc58471ee06a73d9b2ad0c39174af591b8dda792239c428aaad4ef44

Download Submit
C:\Windows\System32\KndcFIliCUQH\vygQuM.dll
Filesize
356KB

MD5
c7a0dbdc477f258fa261db4b92205661

SHA1
5a61e64e4776f6d5683e919d789c0c835f837892

SHA256
7e2c0c0ed179fd02509c800cd8d478364c3069700f8de3acbff00ba1cb88bd38

SHA512
f2582b39932da738d385d5c733f6f26e903bb0fd421ee691eb2110b929b475938bff24addce25c47dd7ff7ea28a7bd090f890e33b1fc77738ee73a8a3f4c0aea

Download Submit
C:\Windows\System32\QTztN\OTDgOh.dll
Filesize
356KB

MD5
600ef38588180fff78dcfa3e7e6883ad

SHA1
da6e5605da2adbfd86951ff74afc4c3b8aae2bef

SHA256
89714d70dfdca5a950006dfa5aee5c170b93c9805881c8691b0dfb2fc076a115

SHA512
af4f7a0ed6ffc00a0c33d543acfa304076b890a5dd1c4fea0f0d17f9a5cd83e236137e827d99338bbb2fd1c31eb31aa77e5c81474856a94e1e8cd667b712db3a

Download Submit
memory/308-170-0x0000000000000000-mapping.dmp

Download
memory/1672-159-0x0000000000000000-mapping.dmp

Download
memory/1872-143-0x0000000000000000-mapping.dmp

Download
memory/2576-130-0x00007FFA37A10000-0x00007FFA37A20000-memory.dmp

Filesize
64KB

Download
memory/2576-136-0x00007FFA352F0000-0x00007FFA35300000-memory.dmp

Filesize
64KB

Download
memory/2576-135-0x00007FFA352F0000-0x00007FFA35300000-memory.dmp

Filesize
64KB

Download
memory/2576-134-0x00007FFA37A10000-0x00007FFA37A20000-memory.dmp

Filesize
64KB

Download
memory/2576-133-0x00007FFA37A10000-0x00007FFA37A20000-memory.dmp

Filesize
64KB

Download
memory/2576-132-0x00007FFA37A10000-0x00007FFA37A20000-memory.dmp

Filesize
64KB

Download
memory/2576-131-0x00007FFA37A10000-0x00007FFA37A20000-memory.dmp

Filesize
64KB

Download
memory/3280-154-0x0000000000000000-mapping.dmp

Download
memory/4652-137-0x0000000000000000-mapping.dmp

Download
memory/4652-140-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download
memory/4732-165-0x0000000000000000-mapping.dmp

Download
memory/5044-145-0x0000000000000000-mapping.dmp

Download