emotet | d5821ba3ecbd546f0907ff16038f6acf26611bb361a9a9dc406595aa009eff2a

General

Target

Escanear_3006.xls
Size

95KB
MD5

dacb649a56235d4bc93fb20cafc6d335
SHA1

c1445eb63a8bba0881ad280ce868eaf925c53fcd
SHA256

d5821ba3ecbd546f0907ff16038f6acf26611bb361a9a9dc406595aa009eff2a
SHA512

4c334c865e6b6f528ee02fd585c588b8dc46b067ead3e72aba2141f36782540966757f8c6bf0d4ec25879878e863d13cea7c48deb6257379dd88a6d8fc3a38b2

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://evashopping.thietkewebsitechuanseo.com/assets/rNAyQu/

xlm40.dropper

http://www.forensisbilisim.com/wp-includes/tznAlaHXSY/

Extracted

Family

emotet

Botnet

Epoch4

C2

82.223.21.224:8080

173.212.193.249:8080

82.165.152.127:8080

151.106.112.196:8080

160.16.142.56:8080

163.44.196.120:8080

103.70.28.102:8080

164.68.99.3:8080

51.161.73.194:443

146.59.226.45:443

104.168.155.143:8080

101.50.0.91:8080

94.23.45.86:4143

167.172.253.162:8080

5.9.116.246:8080

185.4.135.165:8080

159.65.140.115:443

212.24.98.99:8080

209.97.163.214:443

206.189.28.199:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1888	2040	regsvr32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1888 regsvr32.exe
1136 regsvr32.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1888	regsvr32.exe
1136	regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2040 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1136 regsvr32.exe
1784 regsvr32.exe
1784 regsvr32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

2040 EXCEL.EXE
2040 EXCEL.EXE
2040 EXCEL.EXE

pid	process
2040	EXCEL.EXE

pid	process
1136	regsvr32.exe
1784	regsvr32.exe
1784	regsvr32.exe

pid	process
2040	EXCEL.EXE
2040	EXCEL.EXE
2040	EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2040 wrote to memory of 1888	2040	EXCEL.EXE	regsvr32.exe
PID 2040 wrote to memory of 1888	2040	EXCEL.EXE	regsvr32.exe
PID 2040 wrote to memory of 1888	2040	EXCEL.EXE	regsvr32.exe
PID 2040 wrote to memory of 1888	2040	EXCEL.EXE	regsvr32.exe
PID 2040 wrote to memory of 1888	2040	EXCEL.EXE	regsvr32.exe
PID 2040 wrote to memory of 1888	2040	EXCEL.EXE	regsvr32.exe
PID 2040 wrote to memory of 1888	2040	EXCEL.EXE	regsvr32.exe
PID 1888 wrote to memory of 1136	1888	regsvr32.exe	regsvr32.exe
PID 1888 wrote to memory of 1136	1888	regsvr32.exe	regsvr32.exe
PID 1888 wrote to memory of 1136	1888	regsvr32.exe	regsvr32.exe
PID 1888 wrote to memory of 1136	1888	regsvr32.exe	regsvr32.exe
PID 1888 wrote to memory of 1136	1888	regsvr32.exe	regsvr32.exe
PID 1888 wrote to memory of 1136	1888	regsvr32.exe	regsvr32.exe
PID 1888 wrote to memory of 1136	1888	regsvr32.exe	regsvr32.exe
PID 1136 wrote to memory of 1784	1136	regsvr32.exe	regsvr32.exe
PID 1136 wrote to memory of 1784	1136	regsvr32.exe	regsvr32.exe
PID 1136 wrote to memory of 1784	1136	regsvr32.exe	regsvr32.exe
PID 1136 wrote to memory of 1784	1136	regsvr32.exe	regsvr32.exe
PID 1136 wrote to memory of 1784	1136	regsvr32.exe	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Escanear_3006.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\sctm1.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\system32\regsvr32.exe
/S ..\sctm1.ocx
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YFMGzieyg\RiamUlIYnuR.dll"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
589c442fc7a0c70dca927115a700d41e

SHA1
66a07dace3afbfd1aa07a47e6875beab62c4bb31

SHA256
2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

SHA512
1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
cef1f8fb3e6066c2619e59a24946683c

SHA1
bde0181f279d2427f8301ee205ed2fea48c86834

SHA256
1254651aec7d505d11600e81e20ddd9db933ccee29c5b57f30c92b8137d84442

SHA512
c46beceddfecafb60a7334bf06b2889902f0ddc6d1c96de51f789487132f10c71714ea399d2cd3a93f0bd4daa051a84b3080689fb4609c6a0d66abb3b63e489f

Download Submit
C:\Users\Admin\sctm1.ocx
Filesize
548KB

MD5
3d0e93d1916cef643f06e7e8926bef81

SHA1
4fe4c80aa295d9b748e0d4452824025cb2522e19

SHA256
58458c854127df51002cc024600e190ab3d23607c8fc589630efdb723db165f0

SHA512
f8ded72b0e691ccd06dd0ef1ef26073b8c6c0d70435ce21d86d7665c3f96bf13680e411431cdd847dcbeca27e8eab2336b7443a6d4a73a31ebab4d3914915f71

Download Submit
\Users\Admin\sctm1.ocx
Filesize
548KB

MD5
3d0e93d1916cef643f06e7e8926bef81

SHA1
4fe4c80aa295d9b748e0d4452824025cb2522e19

SHA256
58458c854127df51002cc024600e190ab3d23607c8fc589630efdb723db165f0

SHA512
f8ded72b0e691ccd06dd0ef1ef26073b8c6c0d70435ce21d86d7665c3f96bf13680e411431cdd847dcbeca27e8eab2336b7443a6d4a73a31ebab4d3914915f71

Download Submit
\Users\Admin\sctm1.ocx
Filesize
548KB

MD5
3d0e93d1916cef643f06e7e8926bef81

SHA1
4fe4c80aa295d9b748e0d4452824025cb2522e19

SHA256
58458c854127df51002cc024600e190ab3d23607c8fc589630efdb723db165f0

SHA512
f8ded72b0e691ccd06dd0ef1ef26073b8c6c0d70435ce21d86d7665c3f96bf13680e411431cdd847dcbeca27e8eab2336b7443a6d4a73a31ebab4d3914915f71

Download Submit
memory/1136-67-0x0000000000480000-0x00000000004DA000-memory.dmp

Filesize
360KB

Download
memory/1136-64-0x0000000000000000-mapping.dmp

Download
memory/1136-65-0x000007FEFC341000-0x000007FEFC343000-memory.dmp

Filesize
8KB

Download
memory/1784-71-0x0000000000000000-mapping.dmp

Download
memory/1888-60-0x0000000000000000-mapping.dmp

Download
memory/2040-59-0x0000000072B1D000-0x0000000072B28000-memory.dmp

Filesize
44KB

Download
memory/2040-58-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/2040-57-0x0000000072B1D000-0x0000000072B28000-memory.dmp

Filesize
44KB

Download
memory/2040-54-0x000000002FA11000-0x000000002FA14000-memory.dmp

Filesize
12KB

Download
memory/2040-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2040-55-0x0000000071B31000-0x0000000071B33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads