emotet | 1e2c8ebf40d4102193dd68bcfecc15dee112321c579e9bf88bac19a13f1f8ce3

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KL-5216 report.xls
Size

67KB
MD5

06f5b0abbdbc2f81e68ead7782176ee1
SHA1

4408e9220b0a5e88f5e190958ed70c45f965d2a3
SHA256

1e2c8ebf40d4102193dd68bcfecc15dee112321c579e9bf88bac19a13f1f8ce3
SHA512

3802814eb60c2ef400bad36642a3821d32139266680b8df134e96632ee059cf743eeb1709890a0ab00b77e07607f15f4c2830b92cb129d53ad92b08b1a4bc77d

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://microlent.com/admin/3/

xlm40.dropper

http://kuluckaci.com/yarisma/cgi-bin/aIuI4Ukdtl730sP1F/

xlm40.dropper

http://mcapublicschool.com/Achievements/r4psv/

xlm40.dropper

http://moorworld.com/aspnet_client/fTDJOdTa1USKl43wFtnb/

Extracted

Family

emotet

Botnet

Epoch4

212.24.98.99:8080

51.91.76.89:8080

94.23.45.86:4143

101.50.0.91:8080

103.43.75.120:443

212.237.17.99:8080

158.69.222.101:443

51.254.140.238:7080

1.234.2.232:8080

91.207.28.33:8080

167.172.253.162:8080

45.235.8.30:8080

115.68.227.76:8080

134.122.66.193:8080

89.29.244.7:443

197.242.150.244:8080

164.68.99.3:8080

5.9.116.246:8080

1.234.21.73:7080

131.100.24.231:80

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5000	3848	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2604	3848	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3880	3848	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	740	3848	regsvr32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Downloads MZ/PE file
Loads dropped DLL 8 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

5000 regsvr32.exe
2604 regsvr32.exe
1336 regsvr32.exe
4452 regsvr32.exe
3880 regsvr32.exe
3932 regsvr32.exe
740 regsvr32.exe
2308 regsvr32.exe

pid	process
5000	regsvr32.exe
2604	regsvr32.exe
1336	regsvr32.exe
4452	regsvr32.exe
3880	regsvr32.exe
3932	regsvr32.exe
740	regsvr32.exe
2308	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3848 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

1336 regsvr32.exe
1336 regsvr32.exe
4452 regsvr32.exe
4452 regsvr32.exe
3932 regsvr32.exe
3932 regsvr32.exe
2308 regsvr32.exe
2308 regsvr32.exe

pid	process
1336	regsvr32.exe
1336	regsvr32.exe
4452	regsvr32.exe
4452	regsvr32.exe
3932	regsvr32.exe
3932	regsvr32.exe
2308	regsvr32.exe
2308	regsvr32.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	process
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE
3848	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3848 wrote to memory of 5000	3848	EXCEL.EXE	regsvr32.exe
PID 3848 wrote to memory of 5000	3848	EXCEL.EXE	regsvr32.exe
PID 3848 wrote to memory of 2604	3848	EXCEL.EXE	regsvr32.exe
PID 3848 wrote to memory of 2604	3848	EXCEL.EXE	regsvr32.exe
PID 2604 wrote to memory of 4452	2604	regsvr32.exe	regsvr32.exe
PID 2604 wrote to memory of 4452	2604	regsvr32.exe	regsvr32.exe
PID 5000 wrote to memory of 1336	5000	regsvr32.exe	regsvr32.exe
PID 5000 wrote to memory of 1336	5000	regsvr32.exe	regsvr32.exe
PID 3848 wrote to memory of 3880	3848	EXCEL.EXE	regsvr32.exe
PID 3848 wrote to memory of 3880	3848	EXCEL.EXE	regsvr32.exe
PID 3880 wrote to memory of 3932	3880	regsvr32.exe	regsvr32.exe
PID 3880 wrote to memory of 3932	3880	regsvr32.exe	regsvr32.exe
PID 3848 wrote to memory of 740	3848	EXCEL.EXE	regsvr32.exe
PID 3848 wrote to memory of 740	3848	EXCEL.EXE	regsvr32.exe
PID 740 wrote to memory of 2308	740	regsvr32.exe	regsvr32.exe
PID 740 wrote to memory of 2308	740	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\KL-5216 report.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr1.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CBQNjgXcFuG\qOfkP.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr2.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JMxJeWq\BiPCfjl.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4452

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr3.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KvwYlqypDYu\JDxaH.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3932

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\uxevr4.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EVFEPeNvZjQAZObP\AyLSSJmsV.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\uxevr1.ocx
Filesize
356KB

MD5
f16e5996921b55a153c4766ea22d9032

SHA1
7337b69eb22e877470c9b5b33040e1103bd19ad7

SHA256
5c513bf214f90b066dabbfa3c92eafa7841934f7b682d58a1f383d3e2641fcfe

SHA512
9f43cdb30d1ecde4563b6e856fdd688377c4633e736d9287431849f47a2719b69de0ea0489dcecd9873c886de6c8ddbe5fd2d66e9a3d0c656a108d2f8eec14fd

Download Submit
C:\Users\Admin\uxevr1.ocx
Filesize
356KB

MD5
f16e5996921b55a153c4766ea22d9032

SHA1
7337b69eb22e877470c9b5b33040e1103bd19ad7

SHA256
5c513bf214f90b066dabbfa3c92eafa7841934f7b682d58a1f383d3e2641fcfe

SHA512
9f43cdb30d1ecde4563b6e856fdd688377c4633e736d9287431849f47a2719b69de0ea0489dcecd9873c886de6c8ddbe5fd2d66e9a3d0c656a108d2f8eec14fd

Download Submit
C:\Users\Admin\uxevr2.ocx
Filesize
356KB

MD5
4024be9458eabc878cd263185d7ea007

SHA1
25fba9d3cbc8543b218ea60cd2e7f9c02f13ddd2

SHA256
310135cdfe333a091d400b1939be3a1404d3d6d399632c1848105f1a70c54ef6

SHA512
4faea29137f2fb9fef01fd5434861809e251ec8254727bc49bee7aa51386ca33830de89e50c0017833a57a8773ca1deff48637905110d6d03819739e1a82ee78

Download Submit
C:\Users\Admin\uxevr2.ocx
Filesize
356KB

MD5
4024be9458eabc878cd263185d7ea007

SHA1
25fba9d3cbc8543b218ea60cd2e7f9c02f13ddd2

SHA256
310135cdfe333a091d400b1939be3a1404d3d6d399632c1848105f1a70c54ef6

SHA512
4faea29137f2fb9fef01fd5434861809e251ec8254727bc49bee7aa51386ca33830de89e50c0017833a57a8773ca1deff48637905110d6d03819739e1a82ee78

Download Submit
C:\Users\Admin\uxevr3.ocx
Filesize
356KB

MD5
0d77e48d483bc9ee864a93ace7422a94

SHA1
37aa070677816592fea7f3c645bfb13bc2a480e0

SHA256
6dc84795a6fa4389820fa39c402ff296e30c3bea5a736569c3739bbc710a8855

SHA512
154d13ce04ea3d74a63764efaf235fbbc1da34ff943b99237a2fa5a76b4fb7c535ed5182fdad70075b5ab92ab141644f4ebf30f9c343f782f56211d53557c6e6

Download Submit
C:\Users\Admin\uxevr3.ocx
Filesize
356KB

MD5
0d77e48d483bc9ee864a93ace7422a94

SHA1
37aa070677816592fea7f3c645bfb13bc2a480e0

SHA256
6dc84795a6fa4389820fa39c402ff296e30c3bea5a736569c3739bbc710a8855

SHA512
154d13ce04ea3d74a63764efaf235fbbc1da34ff943b99237a2fa5a76b4fb7c535ed5182fdad70075b5ab92ab141644f4ebf30f9c343f782f56211d53557c6e6

Download Submit
C:\Users\Admin\uxevr4.ocx
Filesize
356KB

MD5
e77c54f186a2010102c333fa3a36ce0e

SHA1
23c20f14d3e054cece17a41fce36d0c65dc35b67

SHA256
e2879e6cb0d7b3af3e7d54b84c87a30599b864c7275113a906b63d34d8b3feba

SHA512
a8e609c25c9eef1970fb0679477fc6192c7d4d2375c0e10216d1e42f071840a29bacb589790d05c18667f0642b8bcdb3605fd38993f55c24fa9b620c4f039c73

Download Submit
C:\Users\Admin\uxevr4.ocx
Filesize
356KB

MD5
e77c54f186a2010102c333fa3a36ce0e

SHA1
23c20f14d3e054cece17a41fce36d0c65dc35b67

SHA256
e2879e6cb0d7b3af3e7d54b84c87a30599b864c7275113a906b63d34d8b3feba

SHA512
a8e609c25c9eef1970fb0679477fc6192c7d4d2375c0e10216d1e42f071840a29bacb589790d05c18667f0642b8bcdb3605fd38993f55c24fa9b620c4f039c73

Download Submit
C:\Windows\System32\CBQNjgXcFuG\qOfkP.dll
Filesize
356KB

MD5
f16e5996921b55a153c4766ea22d9032

SHA1
7337b69eb22e877470c9b5b33040e1103bd19ad7

SHA256
5c513bf214f90b066dabbfa3c92eafa7841934f7b682d58a1f383d3e2641fcfe

SHA512
9f43cdb30d1ecde4563b6e856fdd688377c4633e736d9287431849f47a2719b69de0ea0489dcecd9873c886de6c8ddbe5fd2d66e9a3d0c656a108d2f8eec14fd

Download Submit
C:\Windows\System32\EVFEPeNvZjQAZObP\AyLSSJmsV.dll
Filesize
356KB

MD5
e77c54f186a2010102c333fa3a36ce0e

SHA1
23c20f14d3e054cece17a41fce36d0c65dc35b67

SHA256
e2879e6cb0d7b3af3e7d54b84c87a30599b864c7275113a906b63d34d8b3feba

SHA512
a8e609c25c9eef1970fb0679477fc6192c7d4d2375c0e10216d1e42f071840a29bacb589790d05c18667f0642b8bcdb3605fd38993f55c24fa9b620c4f039c73

Download Submit
C:\Windows\System32\JMxJeWq\BiPCfjl.dll
Filesize
356KB

MD5
4024be9458eabc878cd263185d7ea007

SHA1
25fba9d3cbc8543b218ea60cd2e7f9c02f13ddd2

SHA256
310135cdfe333a091d400b1939be3a1404d3d6d399632c1848105f1a70c54ef6

SHA512
4faea29137f2fb9fef01fd5434861809e251ec8254727bc49bee7aa51386ca33830de89e50c0017833a57a8773ca1deff48637905110d6d03819739e1a82ee78

Download Submit
C:\Windows\System32\KvwYlqypDYu\JDxaH.dll
Filesize
356KB

MD5
0d77e48d483bc9ee864a93ace7422a94

SHA1
37aa070677816592fea7f3c645bfb13bc2a480e0

SHA256
6dc84795a6fa4389820fa39c402ff296e30c3bea5a736569c3739bbc710a8855

SHA512
154d13ce04ea3d74a63764efaf235fbbc1da34ff943b99237a2fa5a76b4fb7c535ed5182fdad70075b5ab92ab141644f4ebf30f9c343f782f56211d53557c6e6

Download Submit
memory/740-170-0x0000000000000000-mapping.dmp

Download
memory/1336-150-0x0000000000000000-mapping.dmp

Download
memory/2308-176-0x0000000000000000-mapping.dmp

Download
memory/2604-143-0x0000000000000000-mapping.dmp

Download
memory/3848-135-0x00007FFA990C0000-0x00007FFA990D0000-memory.dmp

Filesize
64KB

Download
memory/3848-134-0x00007FFA9B690000-0x00007FFA9B6A0000-memory.dmp

Filesize
64KB

Download
memory/3848-133-0x00007FFA9B690000-0x00007FFA9B6A0000-memory.dmp

Filesize
64KB

Download
memory/3848-132-0x00007FFA9B690000-0x00007FFA9B6A0000-memory.dmp

Filesize
64KB

Download
memory/3848-130-0x00007FFA9B690000-0x00007FFA9B6A0000-memory.dmp

Filesize
64KB

Download
memory/3848-136-0x00007FFA990C0000-0x00007FFA990D0000-memory.dmp

Filesize
64KB

Download
memory/3848-131-0x00007FFA9B690000-0x00007FFA9B6A0000-memory.dmp

Filesize
64KB

Download
memory/3880-155-0x0000000000000000-mapping.dmp

Download
memory/3932-165-0x0000000000000000-mapping.dmp

Download
memory/4452-149-0x0000000000000000-mapping.dmp

Download
memory/5000-140-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download
memory/5000-137-0x0000000000000000-mapping.dmp

Download