emotet | e6e6ce18a4888eed3d079937b00cc71ccc8fddb764342b14e1e85b1e98304f95

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
30-06-2022 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BANK TRANSFER COPY ACH.xls
Size

94KB
MD5

bca774464f52e484a93f3841124758a1
SHA1

1bf6b435f6389af53744e960dac2e643eaac4192
SHA256

c45bf0bf43d9595be252f2646198e686ee50df78f2eafd8fd58f5fda324db8b5
SHA512

21c3b41f831ff41d1a81d926c85fcdec6be37699d02665d8db2826a7c360646cc338a7e4ac30871420528ae1cf4819a911c38129ef7c70b3c83221763390c257

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://www.mobiles-photostudio.com/MPS/uYUKsZhII1qQ1/

xlm40.dropper

https://www.zablimconsultancy.co.ke/musagala/pmOVrwAwG/

xlm40.dropper

http://www.kspintidana.com/wp-admin/jjiOcQAL/

xlm40.dropper

http://www.garantihaliyikama.com/wp-admin/CcxWGjZEjriZ9zMdsP/

Extracted

Family

emotet

Botnet

Epoch4

172.104.251.154:8080

51.161.73.194:443

101.50.0.91:8080

91.207.28.33:8080

119.193.124.41:7080

150.95.66.124:8080

103.132.242.26:8080

37.187.115.122:8080

172.105.226.75:8080

131.100.24.231:80

196.218.30.83:443

79.137.35.198:8080

103.75.201.2:443

82.223.21.224:8080

153.126.146.25:7080

146.59.226.45:443

209.97.163.214:443

186.194.240.217:443

197.242.150.244:8080

45.118.115.99:8080

eck1.plain

ecs1.plain

Extracted

Family

emotet

104.236.40.81:443

34.80.191.247:8080

201.73.143.120:7080

165.227.166.238:8080

103.224.242.13:8080

131.100.24.199:4143

162.243.103.246:8080

203.114.109.124:443

104.248.155.133:443

51.79.205.117:8080

136.243.32.168:443

217.79.180.211:8080

34.85.105.209:8080

69.63.64.48:8080

51.91.142.26:443

45.93.136.110:7080

144.217.88.125:443

1.234.21.73:7080

159.8.59.84:8080

49.231.16.102:8080

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2624	2912	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	204	2912	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3064	2912	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2072	2912	regsvr32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Downloads MZ/PE file
Loads dropped DLL 8 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

2624 regsvr32.exe
1596 regsvr32.exe
204 regsvr32.exe
3412 regsvr32.exe
3064 regsvr32.exe
3632 regsvr32.exe
2072 regsvr32.exe
1120 regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1184 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2084 systeminfo.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2912 EXCEL.EXE

pid	process
1184	ipconfig.exe

pid	process
2084	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
2624	regsvr32.exe
2624	regsvr32.exe
1596	regsvr32.exe
1596	regsvr32.exe
1596	regsvr32.exe
1596	regsvr32.exe
204	regsvr32.exe
204	regsvr32.exe
3412	regsvr32.exe
3412	regsvr32.exe
3412	regsvr32.exe
3412	regsvr32.exe
3064	regsvr32.exe
3064	regsvr32.exe
3632	regsvr32.exe
3632	regsvr32.exe
3632	regsvr32.exe
3632	regsvr32.exe
2072	regsvr32.exe
2072	regsvr32.exe
1120	regsvr32.exe
1120	regsvr32.exe
1120	regsvr32.exe
1120	regsvr32.exe
3632	regsvr32.exe
3632	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2912	EXCEL.EXE
2912	EXCEL.EXE
2912	EXCEL.EXE
2912	EXCEL.EXE
2912	EXCEL.EXE
2912	EXCEL.EXE
2912	EXCEL.EXE
2912	EXCEL.EXE
2912	EXCEL.EXE
2912	EXCEL.EXE
2912	EXCEL.EXE
2912	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2912 wrote to memory of 2624	2912	EXCEL.EXE	regsvr32.exe
PID 2912 wrote to memory of 2624	2912	EXCEL.EXE	regsvr32.exe
PID 2624 wrote to memory of 1596	2624	regsvr32.exe	regsvr32.exe
PID 2624 wrote to memory of 1596	2624	regsvr32.exe	regsvr32.exe
PID 2912 wrote to memory of 204	2912	EXCEL.EXE	regsvr32.exe
PID 2912 wrote to memory of 204	2912	EXCEL.EXE	regsvr32.exe
PID 204 wrote to memory of 3412	204	regsvr32.exe	regsvr32.exe
PID 204 wrote to memory of 3412	204	regsvr32.exe	regsvr32.exe
PID 2912 wrote to memory of 3064	2912	EXCEL.EXE	regsvr32.exe
PID 2912 wrote to memory of 3064	2912	EXCEL.EXE	regsvr32.exe
PID 3064 wrote to memory of 3632	3064	regsvr32.exe	regsvr32.exe
PID 3064 wrote to memory of 3632	3064	regsvr32.exe	regsvr32.exe
PID 2912 wrote to memory of 2072	2912	EXCEL.EXE	regsvr32.exe
PID 2912 wrote to memory of 2072	2912	EXCEL.EXE	regsvr32.exe
PID 2072 wrote to memory of 1120	2072	regsvr32.exe	regsvr32.exe
PID 2072 wrote to memory of 1120	2072	regsvr32.exe	regsvr32.exe
PID 3632 wrote to memory of 2084	3632	regsvr32.exe	systeminfo.exe
PID 3632 wrote to memory of 2084	3632	regsvr32.exe	systeminfo.exe
PID 3632 wrote to memory of 1184	3632	regsvr32.exe	ipconfig.exe
PID 3632 wrote to memory of 1184	3632	regsvr32.exe	ipconfig.exe
PID 3632 wrote to memory of 2388	3632	regsvr32.exe	nltest.exe
PID 3632 wrote to memory of 2388	3632	regsvr32.exe	nltest.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\BANK TRANSFER COPY ACH.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\sctm1.ocx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MBveYmtmNFQJr\hKWKpp.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1596
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\sctm2.ocx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:204
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EhtEh\ZZISp.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3412
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\sctm3.ocx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KKOHEEcHDCKwICIo\XpjdmGcpGYtaQzj.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2084
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1184
  - - C:\Windows\system32\nltest.exe
      nltest /dclist:
      4⤵
      PID:2388
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\sctm4.ocx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HQVQjpy\Qkqxz.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\sctm1.ocx

Filesize
425KB

MD5
eaafa5852e48116275168a134b01def0

SHA1
92b20ecf953bdcf51f7e393e0ed8bd93fac94f3f

SHA256
f772a7a6db220ce231125e0c4ef0aaf8f351c61b92c57f9a8353a5598ddfb4b1

SHA512
c2fc9cdc8f2ac1a79cace7cd2e90c13a0bba7802d607c2cb343e40282ae9f3aaf22701410a886ab6dea2b4ceea1b505d7692a01bab3fbcd7faad5ea2b71071ad

Download Submit
C:\Users\Admin\sctm1.ocx

Filesize
425KB

MD5
eaafa5852e48116275168a134b01def0

SHA1
92b20ecf953bdcf51f7e393e0ed8bd93fac94f3f

SHA256
f772a7a6db220ce231125e0c4ef0aaf8f351c61b92c57f9a8353a5598ddfb4b1

SHA512
c2fc9cdc8f2ac1a79cace7cd2e90c13a0bba7802d607c2cb343e40282ae9f3aaf22701410a886ab6dea2b4ceea1b505d7692a01bab3fbcd7faad5ea2b71071ad

Download Submit
C:\Users\Admin\sctm2.ocx

Filesize
425KB

MD5
c922a603368a4d4a61bff74788da3848

SHA1
042f6d2c7f014148c2873ea1f4ac511682f030ce

SHA256
b57254b38faeb11fee2497090dc0ba83664ca4563ae2a8153e5a1b390f66ce7f

SHA512
36860237448fb934aead9546665dd1531d2b712b83b8294bb7a5b0dcc0ec55c5e9242eb3b640f6734f274d7180045235f3ade307fc7b8b6e591be4f41e9e211a

Download Submit
C:\Users\Admin\sctm2.ocx

Filesize
425KB

MD5
c922a603368a4d4a61bff74788da3848

SHA1
042f6d2c7f014148c2873ea1f4ac511682f030ce

SHA256
b57254b38faeb11fee2497090dc0ba83664ca4563ae2a8153e5a1b390f66ce7f

SHA512
36860237448fb934aead9546665dd1531d2b712b83b8294bb7a5b0dcc0ec55c5e9242eb3b640f6734f274d7180045235f3ade307fc7b8b6e591be4f41e9e211a

Download Submit
C:\Users\Admin\sctm3.ocx

Filesize
425KB

MD5
d77b83fc86cf84cc40afbc0213db0bda

SHA1
fd72eaf67c008e7949f56a7bf20b18ccff54af16

SHA256
a8b544949b7ae8534be62b24233100d48ed2f64fb155cd65d0c2c387b17a8b30

SHA512
e62b42f0054f18a09aef5d5b247ebeb3dea6e2d9b4e63cc21b8b12025a9d5e06c702650af39854eabb598df70132ea419aa1d99be47101b5769f06bf20f0b333

Download Submit
C:\Users\Admin\sctm3.ocx

Filesize
425KB

MD5
d77b83fc86cf84cc40afbc0213db0bda

SHA1
fd72eaf67c008e7949f56a7bf20b18ccff54af16

SHA256
a8b544949b7ae8534be62b24233100d48ed2f64fb155cd65d0c2c387b17a8b30

SHA512
e62b42f0054f18a09aef5d5b247ebeb3dea6e2d9b4e63cc21b8b12025a9d5e06c702650af39854eabb598df70132ea419aa1d99be47101b5769f06bf20f0b333

Download Submit
C:\Users\Admin\sctm4.ocx

Filesize
425KB

MD5
457487cae2edab5b541092d411e717c1

SHA1
dd2eb187453b841ca4e47e334c4d8e4cc8497278

SHA256
cd82f9f9405bf17eb67025649cafafaeb5a23230a0973cd46a3d64ba4c454887

SHA512
2548d604c2073f6bc0ad08a41b315b7886abd47d8c09e0a1aff28a9e3fae2c1b55a2d85dae67a0951369366c0062f87c96a476484ab357ae91c3c3fed3c6075c

Download Submit
C:\Users\Admin\sctm4.ocx

Filesize
425KB

MD5
457487cae2edab5b541092d411e717c1

SHA1
dd2eb187453b841ca4e47e334c4d8e4cc8497278

SHA256
cd82f9f9405bf17eb67025649cafafaeb5a23230a0973cd46a3d64ba4c454887

SHA512
2548d604c2073f6bc0ad08a41b315b7886abd47d8c09e0a1aff28a9e3fae2c1b55a2d85dae67a0951369366c0062f87c96a476484ab357ae91c3c3fed3c6075c

Download Submit
C:\Windows\System32\EhtEh\ZZISp.dll

Filesize
425KB

MD5
c922a603368a4d4a61bff74788da3848

SHA1
042f6d2c7f014148c2873ea1f4ac511682f030ce

SHA256
b57254b38faeb11fee2497090dc0ba83664ca4563ae2a8153e5a1b390f66ce7f

SHA512
36860237448fb934aead9546665dd1531d2b712b83b8294bb7a5b0dcc0ec55c5e9242eb3b640f6734f274d7180045235f3ade307fc7b8b6e591be4f41e9e211a

Download Submit
C:\Windows\System32\HQVQjpy\Qkqxz.dll

Filesize
425KB

MD5
457487cae2edab5b541092d411e717c1

SHA1
dd2eb187453b841ca4e47e334c4d8e4cc8497278

SHA256
cd82f9f9405bf17eb67025649cafafaeb5a23230a0973cd46a3d64ba4c454887

SHA512
2548d604c2073f6bc0ad08a41b315b7886abd47d8c09e0a1aff28a9e3fae2c1b55a2d85dae67a0951369366c0062f87c96a476484ab357ae91c3c3fed3c6075c

Download Submit
C:\Windows\System32\KKOHEEcHDCKwICIo\XpjdmGcpGYtaQzj.dll

Filesize
425KB

MD5
d77b83fc86cf84cc40afbc0213db0bda

SHA1
fd72eaf67c008e7949f56a7bf20b18ccff54af16

SHA256
a8b544949b7ae8534be62b24233100d48ed2f64fb155cd65d0c2c387b17a8b30

SHA512
e62b42f0054f18a09aef5d5b247ebeb3dea6e2d9b4e63cc21b8b12025a9d5e06c702650af39854eabb598df70132ea419aa1d99be47101b5769f06bf20f0b333

Download Submit
C:\Windows\System32\MBveYmtmNFQJr\hKWKpp.dll

Filesize
425KB

MD5
eaafa5852e48116275168a134b01def0

SHA1
92b20ecf953bdcf51f7e393e0ed8bd93fac94f3f

SHA256
f772a7a6db220ce231125e0c4ef0aaf8f351c61b92c57f9a8353a5598ddfb4b1

SHA512
c2fc9cdc8f2ac1a79cace7cd2e90c13a0bba7802d607c2cb343e40282ae9f3aaf22701410a886ab6dea2b4ceea1b505d7692a01bab3fbcd7faad5ea2b71071ad

Download Submit
memory/204-150-0x0000000000000000-mapping.dmp

Download
memory/1120-183-0x0000000000000000-mapping.dmp

Download
memory/1184-191-0x0000000000000000-mapping.dmp

Download
memory/1596-144-0x0000000000000000-mapping.dmp

Download
memory/2072-176-0x0000000000000000-mapping.dmp

Download
memory/2084-189-0x0000000000000000-mapping.dmp

Download
memory/2388-192-0x0000000000000000-mapping.dmp

Download
memory/2624-140-0x0000000000E40000-0x0000000000E94000-memory.dmp

Filesize
336KB

Download
memory/2624-137-0x0000000000000000-mapping.dmp

Download
memory/2912-136-0x00007FFA978B0000-0x00007FFA978C0000-memory.dmp

Filesize
64KB

Download
memory/2912-130-0x00007FFA99C90000-0x00007FFA99CA0000-memory.dmp

Filesize
64KB

Download
memory/2912-135-0x00007FFA978B0000-0x00007FFA978C0000-memory.dmp

Filesize
64KB

Download
memory/2912-133-0x00007FFA99C90000-0x00007FFA99CA0000-memory.dmp

Filesize
64KB

Download
memory/2912-131-0x00007FFA99C90000-0x00007FFA99CA0000-memory.dmp

Filesize
64KB

Download
memory/2912-134-0x00007FFA99C90000-0x00007FFA99CA0000-memory.dmp

Filesize
64KB

Download
memory/2912-132-0x00007FFA99C90000-0x00007FFA99CA0000-memory.dmp

Filesize
64KB

Download
memory/3064-163-0x0000000000000000-mapping.dmp

Download
memory/3412-157-0x0000000000000000-mapping.dmp

Download
memory/3632-170-0x0000000000000000-mapping.dmp

Download
memory/3632-190-0x0000000002C00000-0x0000000002C23000-memory.dmp

Filesize
140KB

Download
memory/3632-193-0x0000000002C00000-0x0000000002C23000-memory.dmp

Filesize
140KB

Download