Overview

overview

10

Static

static

8

emotet_v6

windows10_x64

10

emotet_doc

windows10_x64

10
General
Target

4a0d7e787a0bdfd806d29fe78cb56b3bd257497c59e1f197f72aa51cc91dc696.xls

Filesize

78KB

Completed

21-05-2022 18:00

Task

behavioral2

Score
10/10
MD5

ce3701bea6edec5491a8fd80388a82fa

SHA1

4af0feaecc87d1c0a272d5da53196a2789ee4085

SHA256

4a0d7e787a0bdfd806d29fe78cb56b3bd257497c59e1f197f72aa51cc91dc696

SHA256

ae8783dcf981e19e7bf760f89f7cc1758cc7273378c9f14dc7c31a5efa3ba6874a634ac2e9b2057e48c0388b863dd11ca894c85b451c390dd909b928c8541bdc

Malware Config

Extracted

Language xlm4.0
Source
URLs
xlm40.dropper

https://hostal-alfonso12.com/clases/SKtPvv/

 xlm40.dropper

http://howesitgoing.com/images/HyaDnlbl6K7tbh2Lugys/

Extracted

Family

emotet
Botnet

Epoch4
C2

131.100.24.231:80

103.132.242.26:8080

167.172.253.162:8080

149.56.131.28:8080

209.126.98.206:8080

188.44.20.25:443

212.237.17.99:8080

129.232.188.93:443

160.16.142.56:8080

46.55.222.11:443

1.234.2.232:8080

45.235.8.30:8080

185.157.82.211:8080

158.69.222.101:443

185.4.135.165:8080

27.54.89.58:8080

197.242.150.244:8080

153.126.146.25:7080

183.111.227.137:8080

103.75.201.2:443

45.118.115.99:8080

79.137.35.198:8080

172.104.251.154:8080

159.65.88.10:8080

203.114.109.124:443

101.50.0.91:8080

51.254.140.238:7080

206.189.28.199:8080

72.15.201.15:8080

150.95.66.124:8080

201.94.166.162:443

209.97.163.214:443

103.70.28.102:8080

185.8.212.130:7080

216.158.226.206:443

209.250.246.206:443

23.239.0.12:443

164.68.99.3:8080

102.222.215.74:443

134.122.66.193:8080

82.165.152.127:8080

51.91.76.89:8080

189.126.111.200:7080

146.59.226.45:443

163.44.196.120:8080

51.91.7.5:8080

58.227.42.236:80

167.99.115.35:8080

196.218.30.83:443

107.182.225.142:8080
eck1.plain
eck1.plain
Signatures 11

Filter: none

Discovery
  • Emotet

    Description

    Emotet is a trojan that is primarily spread through spam emails.

    Tags

  • Process spawned unexpected child process
    regsvr32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    descriptionpidpid_targetprocesstarget process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process18921312regsvr32.exeEXCEL.EXE
  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Description

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

    Tags

  • Downloads MZ/PE file
  • Loads dropped DLL
    regsvr32.exe

    Reported IOCs

    pidprocess
    1892regsvr32.exe
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0EXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHzEXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameStringEXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamilyEXCEL.EXE
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKUEXCEL.EXE
    Key opened\REGISTRY\MACHINE\Hardware\Description\System\BIOSEXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pidprocess
    1312EXCEL.EXE
  • Suspicious behavior: EnumeratesProcesses
    regsvr32.exe

    Reported IOCs

    pidprocess
    4916regsvr32.exe
    4916regsvr32.exe
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pidprocess
    1312EXCEL.EXE
    1312EXCEL.EXE
    1312EXCEL.EXE
    1312EXCEL.EXE
    1312EXCEL.EXE
    1312EXCEL.EXE
    1312EXCEL.EXE
    1312EXCEL.EXE
    1312EXCEL.EXE
    1312EXCEL.EXE
    1312EXCEL.EXE
    1312EXCEL.EXE
  • Suspicious use of WriteProcessMemory
    EXCEL.EXEregsvr32.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1312 wrote to memory of 18921312EXCEL.EXEregsvr32.exe
    PID 1312 wrote to memory of 18921312EXCEL.EXEregsvr32.exe
    PID 1892 wrote to memory of 49161892regsvr32.exeregsvr32.exe
    PID 1892 wrote to memory of 49161892regsvr32.exeregsvr32.exe
Processes 3
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4a0d7e787a0bdfd806d29fe78cb56b3bd257497c59e1f197f72aa51cc91dc696.xls"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe ..\wurod.ocx
      Process spawned unexpected child process
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VlINXky\ckmmXCTYK.dll"
        Suspicious behavior: EnumeratesProcesses
        PID:4916
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Replay Monitor
                        00:00 00:00
                        Downloads

                        • C:\Users\Admin\wurod.ocx

                          MD5

                          ce0df9b58979a3d476082fc2122226de

                          SHA1

                          03487b179efc56057663f40511f449d4d4f041ff

                          SHA256

                          71fad31e7b696dca9380a03d54b93bd63d8b49e2c113e38821ba1a27d612315e

                          SHA512

                          c44111591573496261698b6b1236b91c86b7764f76aa46ad138157a7746bf48b4d6990ecd58bf3fd0771c14eb8d87a5883c90647b86362dfef6e1f26fe8eab05

                          Download Submit

                        • \Users\Admin\wurod.ocx

                          MD5

                          ce0df9b58979a3d476082fc2122226de

                          SHA1

                          03487b179efc56057663f40511f449d4d4f041ff

                          SHA256

                          71fad31e7b696dca9380a03d54b93bd63d8b49e2c113e38821ba1a27d612315e

                          SHA512

                          c44111591573496261698b6b1236b91c86b7764f76aa46ad138157a7746bf48b4d6990ecd58bf3fd0771c14eb8d87a5883c90647b86362dfef6e1f26fe8eab05

                          Download Submit

                        • memory/1312-115-0x00007FFE1F3F0000-0x00007FFE1F400000-memory.dmp

                          Download

                        • memory/1312-118-0x00007FFE1F3F0000-0x00007FFE1F400000-memory.dmp

                          Download

                        • memory/1312-127-0x00007FFE1B880000-0x00007FFE1B890000-memory.dmp

                          Download

                        • memory/1312-128-0x00007FFE1B880000-0x00007FFE1B890000-memory.dmp

                          Download

                        • memory/1312-116-0x00007FFE1F3F0000-0x00007FFE1F400000-memory.dmp

                          Download

                        • memory/1312-117-0x00007FFE1F3F0000-0x00007FFE1F400000-memory.dmp

                          Download

                        • memory/1892-257-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1892-262-0x0000000180000000-0x0000000180030000-memory.dmp

                          Download

                        • memory/4916-267-0x0000000000000000-mapping.dmp

                          Download