Overview

overview

10

Static

static

8

emotet_v6

windows10_x64

10

emotet_doc

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    07-07-2022 03:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f956c74a4237f9509caed1ed71763c8dd55b45a9ddd3577a5a081f368181d7b.xls

  • Size

    95KB

  • MD5

    b9d665818a3876d183899a8853182047

  • SHA1

    7091faf178b38e1f8ec5bb4d2d67c7bf49281c13

  • SHA256

    8f956c74a4237f9509caed1ed71763c8dd55b45a9ddd3577a5a081f368181d7b

  • SHA512

    89908d259549320fc3df4ae7a505a94784ea3ee56eff2b80fc12dbb3c30e1bd2c33743952ecddd243f36b25aa044fada01fe7de71ff8d19b7cb9e7abe7897b59

Score
10/10
emotetepoch5bankersuricatatrojan

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://edoraseguros.com.br/cgi-bin/jQNq9wlH1GXU/
xlm40.dropper

http://earthmach.co.za/libraries/tWkZh9YrXbTd6IeX/
xlm40.dropper

http://finvest.rs/wp-admin/Hr9nVNTIHgw59S/
xlm40.dropper

http://efverstedt.se/5jjaV/w7fLEHJ20xn0qD/

Extracted

Family

emotet

Botnet

Epoch5

C2

103.71.99.57:8080

103.224.241.74:8080

157.245.111.0:8080

37.44.244.177:8080

103.41.204.169:8080

64.227.55.231:8080

103.254.12.236:7080

103.85.95.4:8080

157.230.99.206:8080

165.22.254.236:8080

85.214.67.203:8080

54.37.228.122:443

195.77.239.39:8080

128.199.217.206:443

190.145.8.4:443

165.232.185.110:8080

188.165.79.151:443

178.62.112.199:8080

54.37.106.167:8080

104.244.79.94:443
eck1.plain
ecs1.plain

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

    trojanbankeremotet
  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE W32/Emotet CnC Beacon 3

    suricata: ET MALWARE W32/Emotet CnC Beacon 3

    suricata
  • Downloads MZ/PE file
  • Loads dropped DLL 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8f956c74a4237f9509caed1ed71763c8dd55b45a9ddd3577a5a081f368181d7b.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx
      2⤵
      • Process spawned unexpected child process
      PID:4160
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FCTQlVgFbeyQexk\ymfoV.dll"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4452
    • C:\Windows\System32\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4436
      • C:\Windows\system32\regsvr32.exe
        C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XFlFQ\HLVlBXKKC.dll"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:784
        • C:\Windows\system32\systeminfo.exe
          systeminfo
          4⤵
          • Gathers system information
          PID:1104
        • C:\Windows\system32\ipconfig.exe
          ipconfig /all
          4⤵
          • Gathers network information
          PID:3480
        • C:\Windows\system32\nltest.exe
          nltest /dclist:
          4⤵
            PID:2524
      • C:\Windows\System32\regsvr32.exe
        C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx
        2⤵
        • Process spawned unexpected child process
        PID:584

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\soci2.ocx
      Filesize

      847KB

      MD5

      a3c495207e94f94cce6938230cca4742

      SHA1

      3572167af51c239b7545d9d491666c7646f1f357

      SHA256

      80e2a842e24aa2d79b2d1e4305a3c5edc62626b0fd06d405c9041db7b8758834

      SHA512

      02457ff3815d94dec60380adff71b641232575c5eedbb33e9cf9f2257a2fcbdfeb91be0f6af05bc0352cd8010b9a5b074de8ff85f3850b2e19023ae31229c708

      Download Submit
    • C:\Users\Admin\soci3.ocx
      Filesize

      847KB

      MD5

      8e22049bc8a5b1a69f52a30d1c23407c

      SHA1

      9f836287f890023cd25df2bb9f7045a45aff9d6b

      SHA256

      e516a2bdaade33d330a7598efb60df9c3c04cfe0f2e9ab0190015cd43a85f97c

      SHA512

      ad50a446466182dc2a91b5de8412025b5b4c243879c66b970caa6adff4c191a0476b4fe10dd7ceec614362634d25bd8bad38b0677be5d0ad9a5b807ac72f149f

      Download Submit
    • \Users\Admin\soci2.ocx
      Filesize

      847KB

      MD5

      a3c495207e94f94cce6938230cca4742

      SHA1

      3572167af51c239b7545d9d491666c7646f1f357

      SHA256

      80e2a842e24aa2d79b2d1e4305a3c5edc62626b0fd06d405c9041db7b8758834

      SHA512

      02457ff3815d94dec60380adff71b641232575c5eedbb33e9cf9f2257a2fcbdfeb91be0f6af05bc0352cd8010b9a5b074de8ff85f3850b2e19023ae31229c708

      Download Submit
    • \Users\Admin\soci3.ocx
      Filesize

      847KB

      MD5

      8e22049bc8a5b1a69f52a30d1c23407c

      SHA1

      9f836287f890023cd25df2bb9f7045a45aff9d6b

      SHA256

      e516a2bdaade33d330a7598efb60df9c3c04cfe0f2e9ab0190015cd43a85f97c

      SHA512

      ad50a446466182dc2a91b5de8412025b5b4c243879c66b970caa6adff4c191a0476b4fe10dd7ceec614362634d25bd8bad38b0677be5d0ad9a5b807ac72f149f

      Download Submit
    • memory/584-280-0x0000000000000000-mapping.dmp
      Download
    • memory/784-297-0x00000000026B0000-0x000000000861A000-memory.dmp
      Filesize

      95.4MB

      Download
    • memory/784-294-0x00000000026B0000-0x000000000861A000-memory.dmp
      Filesize

      95.4MB

      Download
    • memory/784-279-0x0000000000000000-mapping.dmp
      Download
    • memory/1104-293-0x0000000000000000-mapping.dmp
      Download
    • memory/2128-127-0x00007FFB2A3B0000-0x00007FFB2A3C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2128-114-0x00007FFB2DA60000-0x00007FFB2DA70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2128-126-0x00007FFB2A3B0000-0x00007FFB2A3C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2128-117-0x00007FFB2DA60000-0x00007FFB2DA70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2128-116-0x00007FFB2DA60000-0x00007FFB2DA70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2128-115-0x00007FFB2DA60000-0x00007FFB2DA70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2524-296-0x0000000000000000-mapping.dmp
      Download
    • memory/3480-295-0x0000000000000000-mapping.dmp
      Download
    • memory/4160-256-0x0000000000000000-mapping.dmp
      Download
    • memory/4268-260-0x0000000180000000-0x0000000180030000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4268-257-0x0000000000000000-mapping.dmp
      Download
    • memory/4436-266-0x0000000000000000-mapping.dmp
      Download
    • memory/4452-265-0x0000000000000000-mapping.dmp
      Download