Behavioral Report

General

Target

88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df.xls
Size

40KB
MD5

35cef72c5abdb47cc705de2459f6bf16
SHA1

2639ec69b35fa5633b0555bc61e4feda7ae23994
SHA256

88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df
SHA512

27c0c534eb18e19a6598b737787a4ce1fa70732d5ca6720070232fc4567b606bce4c2069cd2f15ac341e28af7095b13eb930d099b796d33be4a2b2ccab3ce043

Score

10^/10

Malware Config

Extracted

Language	xlm4.0
Source
URLs	http://jimlowry.com/9tag/Mv2ZYY61NBOf8/ http://stainedglassexpress.com/classes/veV/ xlm40.dropper http://jimlowry.com/9tag/Mv2ZYY61NBOf8/ xlm40.dropper http://stainedglassexpress.com/classes/veV/

Extracted

Family	emotet
Botnet	Epoch4
C2	131.100.24.231:80 103.132.242.26:8080 167.172.253.162:8080 149.56.131.28:8080 209.126.98.206:8080 188.44.20.25:443 212.237.17.99:8080 129.232.188.93:443 160.16.142.56:8080 46.55.222.11:443 1.234.2.232:8080 45.235.8.30:8080 185.157.82.211:8080 158.69.222.101:443 185.4.135.165:8080 27.54.89.58:8080 197.242.150.244:8080 153.126.146.25:7080 183.111.227.137:8080 103.75.201.2:443 45.118.115.99:8080 79.137.35.198:8080 172.104.251.154:8080 159.65.88.10:8080 203.114.109.124:443 101.50.0.91:8080 51.254.140.238:7080 206.189.28.199:8080 72.15.201.15:8080 150.95.66.124:8080 201.94.166.162:443 209.97.163.214:443 103.70.28.102:8080 185.8.212.130:7080 216.158.226.206:443 209.250.246.206:443 23.239.0.12:443 164.68.99.3:8080 102.222.215.74:443 134.122.66.193:8080 82.165.152.127:8080 51.91.76.89:8080 189.126.111.200:7080 146.59.226.45:443 163.44.196.120:8080 51.91.7.5:8080 58.227.42.236:80 167.99.115.35:8080 196.218.30.83:443 107.182.225.142:8080 151.106.112.196:8080 91.207.28.33:8080 94.23.45.86:4143 103.43.46.182:443 45.176.232.124:443 5.9.116.246:8080 173.212.193.249:8080 1.234.21.73:7080 212.24.98.99:8080 213.241.20.155:443 110.232.117.186:8080 77.81.247.144:8080 119.193.124.41:7080 131.100.24.231:80 103.132.242.26:8080 167.172.253.162:8080 149.56.131.28:8080 209.126.98.206:8080 188.44.20.25:443 212.237.17.99:8080 129.232.188.93:443 160.16.142.56:8080 46.55.222.11:443 1.234.2.232:8080 45.235.8.30:8080 185.157.82.211:8080 158.69.222.101:443 185.4.135.165:8080 27.54.89.58:8080 197.242.150.244:8080 153.126.146.25:7080 183.111.227.137:8080 103.75.201.2:443 45.118.115.99:8080 79.137.35.198:8080 172.104.251.154:8080 159.65.88.10:8080 203.114.109.124:443 101.50.0.91:8080 51.254.140.238:7080 206.189.28.199:8080 72.15.201.15:8080 150.95.66.124:8080 201.94.166.162:443 209.97.163.214:443 103.70.28.102:8080 185.8.212.130:7080 216.158.226.206:443 209.250.246.206:443 23.239.0.12:443 164.68.99.3:8080 102.222.215.74:443 134.122.66.193:8080 82.165.152.127:8080 51.91.76.89:8080 189.126.111.200:7080 146.59.226.45:443 163.44.196.120:8080 51.91.7.5:8080 58.227.42.236:80 167.99.115.35:8080 196.218.30.83:443 107.182.225.142:8080 151.106.112.196:8080 91.207.28.33:8080 94.23.45.86:4143 103.43.46.182:443 45.176.232.124:443 5.9.116.246:8080 173.212.193.249:8080 1.234.21.73:7080 212.24.98.99:8080 213.241.20.155:443 110.232.117.186:8080 77.81.247.144:8080 119.193.124.41:7080
eck1.plain
eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process ⋅ 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5032	920	regsvr32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Downloads MZ/PE file
Loads dropped DLL ⋅ 1 IoCs

Processes:

regsvr32.exe

pid process

5032 regsvr32.exe

pid	process
5032	regsvr32.exe

Checks processor information in registry ⋅ 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry ⋅ 2 TTPs 3 IoCs

TTPs:

Query Registry System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener ⋅ 1 IoCs

Processes:

EXCEL.EXE

pid process

920 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs

Processes:

regsvr32.exe

pid process

3916 regsvr32.exe
3916 regsvr32.exe

pid	process
3916	regsvr32.exe
3916	regsvr32.exe

Suspicious use of SetWindowsHookEx ⋅ 12 IoCs

Processes:

EXCEL.EXE

pid	process
920	EXCEL.EXE
920	EXCEL.EXE
920	EXCEL.EXE
920	EXCEL.EXE
920	EXCEL.EXE
920	EXCEL.EXE
920	EXCEL.EXE
920	EXCEL.EXE
920	EXCEL.EXE
920	EXCEL.EXE
920	EXCEL.EXE
920	EXCEL.EXE

Suspicious use of WriteProcessMemory ⋅ 4 IoCs

Processes:

EXCEL.EXEregsvr32.exe

description	pid	process	target process
PID 920 wrote to memory of 5032	920	EXCEL.EXE	regsvr32.exe
PID 920 wrote to memory of 5032	920	EXCEL.EXE	regsvr32.exe
PID 5032 wrote to memory of 3916	5032	regsvr32.exe	regsvr32.exe
PID 5032 wrote to memory of 3916	5032	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\88ee09c8848b1775e3e470d64fbe64f877e9edfc172a21318acbe0f2f99ac9df.xls"

Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:920

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe ..\wurod.ocx

Process spawned unexpected child process
Loads dropped DLL
Suspicious use of WriteProcessMemory

PID:5032

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PBfrpSLKbfrJRPfi\OremM.dll"

Suspicious behavior: EnumeratesProcesses

PID:3916

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\wurod.ocx
MD5
da62d4579c6b23dbe17bba881b46270c

SHA1
4eaf998fedc5f3d0d1059ca2887d9a9c2033e87a

SHA256
e73f8bf7bef8ec4200fe4b989dd8d19d64486cf2461f6adc867f0199c556065a

SHA512
0ecf5682e1817e5b9063930ea4d81621e6c125ad0578df39bfc611ac6f604c63ffdd01bbb251cfc8960a3d16a11ed4bb07accb47d0fa34dd046917d85a50020c

Download Submit
\Users\Admin\wurod.ocx
MD5
da62d4579c6b23dbe17bba881b46270c

SHA1
4eaf998fedc5f3d0d1059ca2887d9a9c2033e87a

SHA256
e73f8bf7bef8ec4200fe4b989dd8d19d64486cf2461f6adc867f0199c556065a

SHA512
0ecf5682e1817e5b9063930ea4d81621e6c125ad0578df39bfc611ac6f604c63ffdd01bbb251cfc8960a3d16a11ed4bb07accb47d0fa34dd046917d85a50020c

Download Submit
memory/920-118-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp

Download
memory/920-119-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp

Download
memory/920-120-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp

Download
memory/920-121-0x00007FFE7A3C0000-0x00007FFE7A3D0000-memory.dmp

Download
memory/920-130-0x00007FFE768A0000-0x00007FFE768B0000-memory.dmp

Download
memory/920-131-0x00007FFE768A0000-0x00007FFE768B0000-memory.dmp

Download
memory/3916-277-0x0000000000000000-mapping.dmp

Download
memory/5032-268-0x0000000000000000-mapping.dmp

Download
memory/5032-271-0x0000000180000000-0x0000000180030000-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads