emotet | d5821ba3ecbd546f0907ff16038f6acf26611bb361a9a9dc406595aa009eff2a

General

Target

Escanear_3006.xls
Size

95KB
MD5

dacb649a56235d4bc93fb20cafc6d335
SHA1

c1445eb63a8bba0881ad280ce868eaf925c53fcd
SHA256

d5821ba3ecbd546f0907ff16038f6acf26611bb361a9a9dc406595aa009eff2a
SHA512

4c334c865e6b6f528ee02fd585c588b8dc46b067ead3e72aba2141f36782540966757f8c6bf0d4ec25879878e863d13cea7c48deb6257379dd88a6d8fc3a38b2

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://evashopping.thietkewebsitechuanseo.com/assets/rNAyQu/

xlm40.dropper

http://www.forensisbilisim.com/wp-includes/tznAlaHXSY/

Extracted

Family

emotet

Botnet

Epoch4

C2

82.223.21.224:8080

173.212.193.249:8080

82.165.152.127:8080

151.106.112.196:8080

160.16.142.56:8080

163.44.196.120:8080

103.70.28.102:8080

164.68.99.3:8080

51.161.73.194:443

146.59.226.45:443

104.168.155.143:8080

101.50.0.91:8080

94.23.45.86:4143

167.172.253.162:8080

5.9.116.246:8080

185.4.135.165:8080

159.65.140.115:443

212.24.98.99:8080

209.97.163.214:443

206.189.28.199:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3568	4576	regsvr32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3568 regsvr32.exe
4168 regsvr32.exe

pid	process
3568	regsvr32.exe
4168	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4576 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3568 regsvr32.exe
3568 regsvr32.exe
4168 regsvr32.exe
4168 regsvr32.exe
4168 regsvr32.exe
4168 regsvr32.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

4576 EXCEL.EXE
4576 EXCEL.EXE
4576 EXCEL.EXE
4576 EXCEL.EXE
4576 EXCEL.EXE
4576 EXCEL.EXE
4576 EXCEL.EXE
4576 EXCEL.EXE

pid	process
4576	EXCEL.EXE

pid	process
3568	regsvr32.exe
3568	regsvr32.exe
4168	regsvr32.exe
4168	regsvr32.exe
4168	regsvr32.exe
4168	regsvr32.exe

pid	process
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE
4576	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXCEL.EXEregsvr32.exe

description	pid	process	target process
PID 4576 wrote to memory of 3568	4576	EXCEL.EXE	regsvr32.exe
PID 4576 wrote to memory of 3568	4576	EXCEL.EXE	regsvr32.exe
PID 3568 wrote to memory of 4168	3568	regsvr32.exe	regsvr32.exe
PID 3568 wrote to memory of 4168	3568	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Escanear_3006.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\sctm1.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VmTGtvCqMig\GdRwkQSJSckGg.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\sctm1.ocx
Filesize
548KB

MD5
3d0e93d1916cef643f06e7e8926bef81

SHA1
4fe4c80aa295d9b748e0d4452824025cb2522e19

SHA256
58458c854127df51002cc024600e190ab3d23607c8fc589630efdb723db165f0

SHA512
f8ded72b0e691ccd06dd0ef1ef26073b8c6c0d70435ce21d86d7665c3f96bf13680e411431cdd847dcbeca27e8eab2336b7443a6d4a73a31ebab4d3914915f71

Download Submit
C:\Users\Admin\sctm1.ocx
Filesize
548KB

MD5
3d0e93d1916cef643f06e7e8926bef81

SHA1
4fe4c80aa295d9b748e0d4452824025cb2522e19

SHA256
58458c854127df51002cc024600e190ab3d23607c8fc589630efdb723db165f0

SHA512
f8ded72b0e691ccd06dd0ef1ef26073b8c6c0d70435ce21d86d7665c3f96bf13680e411431cdd847dcbeca27e8eab2336b7443a6d4a73a31ebab4d3914915f71

Download Submit
C:\Windows\System32\VmTGtvCqMig\GdRwkQSJSckGg.dll
Filesize
548KB

MD5
3d0e93d1916cef643f06e7e8926bef81

SHA1
4fe4c80aa295d9b748e0d4452824025cb2522e19

SHA256
58458c854127df51002cc024600e190ab3d23607c8fc589630efdb723db165f0

SHA512
f8ded72b0e691ccd06dd0ef1ef26073b8c6c0d70435ce21d86d7665c3f96bf13680e411431cdd847dcbeca27e8eab2336b7443a6d4a73a31ebab4d3914915f71

Download Submit
memory/3568-137-0x0000000000000000-mapping.dmp

Download
memory/3568-140-0x00000000020B0000-0x000000000210A000-memory.dmp

Filesize
360KB

Download
memory/4168-144-0x0000000000000000-mapping.dmp

Download
memory/4576-133-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp

Filesize
64KB

Download
memory/4576-136-0x00007FF895D30000-0x00007FF895D40000-memory.dmp

Filesize
64KB

Download
memory/4576-135-0x00007FF895D30000-0x00007FF895D40000-memory.dmp

Filesize
64KB

Download
memory/4576-134-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp

Filesize
64KB

Download
memory/4576-130-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp

Filesize
64KB

Download
memory/4576-132-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp

Filesize
64KB

Download
memory/4576-131-0x00007FF8985B0000-0x00007FF8985C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads