emotet | b9c6743b8e98fc7aae2d9bb9bb21d80fb917153c7eca95982896150969e94824

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
30-06-2022 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

W-9 form.xls
Size

94KB
MD5

45d272a4368eb90569243254c9261d2e
SHA1

c078279a10fe4819f0579be8a2b590ff76c9d423
SHA256

969acc76616662a5319380f3a3bf6dc82db768ce1173a54409cb65e0d403c94a
SHA512

8abd54d77356e7fcccd897d1aa43ab5059ff317763a480eb417b19c738fed1a153b23e99430067073a4f5d258d5f5e032cbf15ee418b28917dfbfdf87fa7f14b

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://www.fcstradesolutions.com/cgi-bin/EKrh/

xlm40.dropper

https://www.reneetten.nl/Menu/jKiBaSmhgyBD3/

xlm40.dropper

https://www.financialchile.com/art/nTXsGe8VHFLC5yH/

xlm40.dropper

https://www.periodistesgolf.cat/tmp/c71/

Extracted

Family

emotet

Botnet

Epoch4

172.104.251.154:8080

51.161.73.194:443

101.50.0.91:8080

91.207.28.33:8080

119.193.124.41:7080

150.95.66.124:8080

103.132.242.26:8080

37.187.115.122:8080

172.105.226.75:8080

131.100.24.231:80

196.218.30.83:443

79.137.35.198:8080

103.75.201.2:443

82.223.21.224:8080

153.126.146.25:7080

146.59.226.45:443

209.97.163.214:443

186.194.240.217:443

197.242.150.244:8080

45.118.115.99:8080

eck1.plain

ecs1.plain

Extracted

Family

emotet

104.236.40.81:443

34.80.191.247:8080

201.73.143.120:7080

165.227.166.238:8080

103.224.242.13:8080

131.100.24.199:4143

162.243.103.246:8080

203.114.109.124:443

104.248.155.133:443

51.79.205.117:8080

136.243.32.168:443

217.79.180.211:8080

34.85.105.209:8080

69.63.64.48:8080

51.91.142.26:443

45.93.136.110:7080

144.217.88.125:443

1.234.21.73:7080

159.8.59.84:8080

49.231.16.102:8080

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1204	3944	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4528	3944	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1912	3944	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2160	3944	regsvr32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Downloads MZ/PE file
Loads dropped DLL 6 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

1204 regsvr32.exe
4528 regsvr32.exe
4148 regsvr32.exe
3848 regsvr32.exe
1912 regsvr32.exe
4644 regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3988 ipconfig.exe
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

4368 systeminfo.exe
2932 systeminfo.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3944 EXCEL.EXE

pid	process
3988	ipconfig.exe

pid	process
4368	systeminfo.exe
2932	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
1204	regsvr32.exe
1204	regsvr32.exe
4528	regsvr32.exe
4528	regsvr32.exe
4148	regsvr32.exe
4148	regsvr32.exe
4148	regsvr32.exe
4148	regsvr32.exe
3848	regsvr32.exe
3848	regsvr32.exe
3848	regsvr32.exe
3848	regsvr32.exe
1912	regsvr32.exe
1912	regsvr32.exe
4644	regsvr32.exe
4644	regsvr32.exe
4644	regsvr32.exe
4644	regsvr32.exe
3848	regsvr32.exe
3848	regsvr32.exe
4644	regsvr32.exe
4644	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3944 wrote to memory of 1204	3944	EXCEL.EXE	regsvr32.exe
PID 3944 wrote to memory of 1204	3944	EXCEL.EXE	regsvr32.exe
PID 3944 wrote to memory of 4528	3944	EXCEL.EXE	regsvr32.exe
PID 3944 wrote to memory of 4528	3944	EXCEL.EXE	regsvr32.exe
PID 1204 wrote to memory of 4148	1204	regsvr32.exe	regsvr32.exe
PID 1204 wrote to memory of 4148	1204	regsvr32.exe	regsvr32.exe
PID 4528 wrote to memory of 3848	4528	regsvr32.exe	regsvr32.exe
PID 4528 wrote to memory of 3848	4528	regsvr32.exe	regsvr32.exe
PID 3944 wrote to memory of 1912	3944	EXCEL.EXE	regsvr32.exe
PID 3944 wrote to memory of 1912	3944	EXCEL.EXE	regsvr32.exe
PID 1912 wrote to memory of 4644	1912	regsvr32.exe	regsvr32.exe
PID 1912 wrote to memory of 4644	1912	regsvr32.exe	regsvr32.exe
PID 3944 wrote to memory of 2160	3944	EXCEL.EXE	regsvr32.exe
PID 3944 wrote to memory of 2160	3944	EXCEL.EXE	regsvr32.exe
PID 3848 wrote to memory of 4368	3848	regsvr32.exe	systeminfo.exe
PID 3848 wrote to memory of 4368	3848	regsvr32.exe	systeminfo.exe
PID 4644 wrote to memory of 2932	4644	regsvr32.exe	systeminfo.exe
PID 4644 wrote to memory of 2932	4644	regsvr32.exe	systeminfo.exe
PID 4644 wrote to memory of 3988	4644	regsvr32.exe	ipconfig.exe
PID 4644 wrote to memory of 3988	4644	regsvr32.exe	ipconfig.exe
PID 4644 wrote to memory of 1624	4644	regsvr32.exe	nltest.exe
PID 4644 wrote to memory of 1624	4644	regsvr32.exe	nltest.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\W-9 form.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\sctm1.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JSToQMkSnmuSluu\mJuttn.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4148

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\sctm2.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RDoUYJ\iQVyQqU.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:4368

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\sctm3.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GfWdExRy\EmqCFOXb.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2932

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:3988

C:\Windows\system32\nltest.exe
nltest /dclist:
4⤵
PID:1624

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\sctm4.ocx
2⤵
- Process spawned unexpected child process
PID:2160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\sctm1.ocx
Filesize
425KB

MD5
7b45baa55e5448f62e1812e514da76fb

SHA1
9850a1a0b3ab4fbf9def7bebdebf3bb16d432ffd

SHA256
5b94f80d25ec35fe962a252c4eb7371b26f443c08ba6aa1c380460a7f0938c6b

SHA512
92610bc434efb2bb392eccfd8ff8d5d6984b5ccfbcabf2fafa9d3b9def2ce74b001a752cc7bea0071fe022ba4f81bc37d4a1c5c9adbb0fb948739f6285ec36d4

Download Submit
C:\Users\Admin\sctm1.ocx
Filesize
425KB

MD5
7b45baa55e5448f62e1812e514da76fb

SHA1
9850a1a0b3ab4fbf9def7bebdebf3bb16d432ffd

SHA256
5b94f80d25ec35fe962a252c4eb7371b26f443c08ba6aa1c380460a7f0938c6b

SHA512
92610bc434efb2bb392eccfd8ff8d5d6984b5ccfbcabf2fafa9d3b9def2ce74b001a752cc7bea0071fe022ba4f81bc37d4a1c5c9adbb0fb948739f6285ec36d4

Download Submit
C:\Users\Admin\sctm2.ocx
Filesize
425KB

MD5
5a7a8a87c3121a4e8bc24ee2de971571

SHA1
55e0e40e6022ad6ff2f9f85914c9eb8f850378c6

SHA256
412607f434877c984333543610f15006d37c02c56f1ab3f392f1769f8c1b28fa

SHA512
eb7fa53a9d5730e6f3785f7900a6a36cf62460d25a306940aad88f8ea8d33a59c6ccba497279c28ec6bba29081152269561a09c681f8314260553c5613b14e6a

Download Submit
C:\Users\Admin\sctm2.ocx
Filesize
425KB

MD5
5a7a8a87c3121a4e8bc24ee2de971571

SHA1
55e0e40e6022ad6ff2f9f85914c9eb8f850378c6

SHA256
412607f434877c984333543610f15006d37c02c56f1ab3f392f1769f8c1b28fa

SHA512
eb7fa53a9d5730e6f3785f7900a6a36cf62460d25a306940aad88f8ea8d33a59c6ccba497279c28ec6bba29081152269561a09c681f8314260553c5613b14e6a

Download Submit
C:\Users\Admin\sctm3.ocx
Filesize
425KB

MD5
00e9e7c1230e95bc6751090ac86c92a0

SHA1
78653161ad42d7ad6a8afc9f8965db277a37b32e

SHA256
acc3a979d207030c1d38f3235491f01d76e5622f388c80b4326602126723668d

SHA512
6a66df03bf09eb4083cfd2e6979fb8643e899da76cf167e32e4b908e963c84499f0db8d7c261ba216ad640f5e550ac87aef08cb9618c8a7302c0e8e23ab759e6

Download Submit
C:\Users\Admin\sctm3.ocx
Filesize
425KB

MD5
00e9e7c1230e95bc6751090ac86c92a0

SHA1
78653161ad42d7ad6a8afc9f8965db277a37b32e

SHA256
acc3a979d207030c1d38f3235491f01d76e5622f388c80b4326602126723668d

SHA512
6a66df03bf09eb4083cfd2e6979fb8643e899da76cf167e32e4b908e963c84499f0db8d7c261ba216ad640f5e550ac87aef08cb9618c8a7302c0e8e23ab759e6

Download Submit
C:\Windows\System32\GfWdExRy\EmqCFOXb.dll
Filesize
425KB

MD5
00e9e7c1230e95bc6751090ac86c92a0

SHA1
78653161ad42d7ad6a8afc9f8965db277a37b32e

SHA256
acc3a979d207030c1d38f3235491f01d76e5622f388c80b4326602126723668d

SHA512
6a66df03bf09eb4083cfd2e6979fb8643e899da76cf167e32e4b908e963c84499f0db8d7c261ba216ad640f5e550ac87aef08cb9618c8a7302c0e8e23ab759e6

Download Submit
C:\Windows\System32\JSToQMkSnmuSluu\mJuttn.dll
Filesize
425KB

MD5
7b45baa55e5448f62e1812e514da76fb

SHA1
9850a1a0b3ab4fbf9def7bebdebf3bb16d432ffd

SHA256
5b94f80d25ec35fe962a252c4eb7371b26f443c08ba6aa1c380460a7f0938c6b

SHA512
92610bc434efb2bb392eccfd8ff8d5d6984b5ccfbcabf2fafa9d3b9def2ce74b001a752cc7bea0071fe022ba4f81bc37d4a1c5c9adbb0fb948739f6285ec36d4

Download Submit
C:\Windows\System32\RDoUYJ\iQVyQqU.dll
Filesize
425KB

MD5
5a7a8a87c3121a4e8bc24ee2de971571

SHA1
55e0e40e6022ad6ff2f9f85914c9eb8f850378c6

SHA256
412607f434877c984333543610f15006d37c02c56f1ab3f392f1769f8c1b28fa

SHA512
eb7fa53a9d5730e6f3785f7900a6a36cf62460d25a306940aad88f8ea8d33a59c6ccba497279c28ec6bba29081152269561a09c681f8314260553c5613b14e6a

Download Submit
memory/1204-137-0x0000000000000000-mapping.dmp

Download
memory/1204-140-0x00000000029B0000-0x0000000002A04000-memory.dmp

Filesize
336KB

Download
memory/1624-183-0x0000000000000000-mapping.dmp

Download
memory/1912-163-0x0000000000000000-mapping.dmp

Download
memory/2160-176-0x0000000000000000-mapping.dmp

Download
memory/2932-179-0x0000000000000000-mapping.dmp

Download
memory/3848-154-0x0000000000000000-mapping.dmp

Download
memory/3848-178-0x0000000002C70000-0x0000000002C93000-memory.dmp

Filesize
140KB

Download
memory/3848-180-0x0000000002C70000-0x0000000002C93000-memory.dmp

Filesize
140KB

Download
memory/3944-135-0x00007FFDA2EA0000-0x00007FFDA2EB0000-memory.dmp

Filesize
64KB

Download
memory/3944-130-0x00007FFDA5170000-0x00007FFDA5180000-memory.dmp

Filesize
64KB

Download
memory/3944-131-0x00007FFDA5170000-0x00007FFDA5180000-memory.dmp

Filesize
64KB

Download
memory/3944-134-0x00007FFDA5170000-0x00007FFDA5180000-memory.dmp

Filesize
64KB

Download
memory/3944-133-0x00007FFDA5170000-0x00007FFDA5180000-memory.dmp

Filesize
64KB

Download
memory/3944-136-0x00007FFDA2EA0000-0x00007FFDA2EB0000-memory.dmp

Filesize
64KB

Download
memory/3944-132-0x00007FFDA5170000-0x00007FFDA5180000-memory.dmp

Filesize
64KB

Download
memory/3988-182-0x0000000000000000-mapping.dmp

Download
memory/4148-151-0x0000000000000000-mapping.dmp

Download
memory/4368-177-0x0000000000000000-mapping.dmp

Download
memory/4528-144-0x0000000000000000-mapping.dmp

Download
memory/4644-181-0x0000000003120000-0x0000000003143000-memory.dmp

Filesize
140KB

Download
memory/4644-170-0x0000000000000000-mapping.dmp

Download
memory/4644-184-0x0000000003120000-0x0000000003143000-memory.dmp

Filesize
140KB

Download