emotet | 17415037bc53d4ee07d078bfdaa2172ba31c3f2ee7008a0e96d2e353c38a4e23

Analysis

max time kernel
52s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-07-2022 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MAIL_06072022.xls
Size

95KB
MD5

7972a1bdad0a36a1f0c22bef9b4bb14a
SHA1

b9b1e26bd106de667a143c680ca5add7c4d818b0
SHA256

8d1ac63a1ba57a2dbd07a31585669eea9eb1edddee008bd577822b37a987b04e
SHA512

8a0a1811410534c84e3f6a66a05c4811265c675e89cc04fd8e4d17df12489c925e87399c3b00280a2eb13461069b316072ef07d6a856780e0feffba0d514de8e

Score

10^/10

emotet epoch5 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://francite.net/images/XI7zS0X1nY/

xlm40.dropper

https://cointrade.world/receipts/Sa6fYJpecEVqiRf05/

xlm40.dropper

http://gedebey-tvradio.info/wp-includes/nOmdPyUpDB/

xlm40.dropper

http://haircutbar.com/cgi-bin/SpJT9OKPmUpJfkGqv/

Extracted

Family

emotet

Botnet

Epoch5

103.71.99.57:8080

103.224.241.74:8080

157.245.111.0:8080

37.44.244.177:8080

103.41.204.169:8080

64.227.55.231:8080

103.254.12.236:7080

103.85.95.4:8080

157.230.99.206:8080

165.22.254.236:8080

85.214.67.203:8080

54.37.228.122:443

195.77.239.39:8080

128.199.217.206:443

190.145.8.4:443

165.232.185.110:8080

188.165.79.151:443

178.62.112.199:8080

54.37.106.167:8080

104.244.79.94:443

eck1.plain

ecs1.plain

Extracted

Family

emotet

198.27.67.35:8080

190.107.19.180:8080

58.96.74.42:443

116.125.120.88:443

180.250.21.2:443

165.227.153.100:8080

62.141.45.103:443

134.209.164.181:8080

212.98.224.97:8080

159.65.163.220:443

128.199.93.156:7080

198.211.118.165:443

203.217.140.239:8080

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4016	2868	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3800	2868	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4428	2868	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1460	2868	regsvr32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Downloads MZ/PE file
Loads dropped DLL 6 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

3800 regsvr32.exe
4428 regsvr32.exe
4196 regsvr32.exe
3344 regsvr32.exe
1460 regsvr32.exe
216 regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

4720 ipconfig.exe
1680 ipconfig.exe
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

4140 systeminfo.exe
1632 systeminfo.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2868 EXCEL.EXE

pid	process
4720	ipconfig.exe
1680	ipconfig.exe

pid	process
4140	systeminfo.exe
1632	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
3800	regsvr32.exe
3800	regsvr32.exe
4428	regsvr32.exe
4428	regsvr32.exe
3344	regsvr32.exe
3344	regsvr32.exe
3344	regsvr32.exe
3344	regsvr32.exe
4196	regsvr32.exe
4196	regsvr32.exe
4196	regsvr32.exe
4196	regsvr32.exe
1460	regsvr32.exe
1460	regsvr32.exe
216	regsvr32.exe
216	regsvr32.exe
216	regsvr32.exe
216	regsvr32.exe
216	regsvr32.exe
216	regsvr32.exe
3344	regsvr32.exe
3344	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2868	EXCEL.EXE
2868	EXCEL.EXE
2868	EXCEL.EXE
2868	EXCEL.EXE
2868	EXCEL.EXE
2868	EXCEL.EXE
2868	EXCEL.EXE
2868	EXCEL.EXE
2868	EXCEL.EXE
2868	EXCEL.EXE
2868	EXCEL.EXE
2868	EXCEL.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2868 wrote to memory of 4016	2868	EXCEL.EXE	regsvr32.exe
PID 2868 wrote to memory of 4016	2868	EXCEL.EXE	regsvr32.exe
PID 2868 wrote to memory of 3800	2868	EXCEL.EXE	regsvr32.exe
PID 2868 wrote to memory of 3800	2868	EXCEL.EXE	regsvr32.exe
PID 2868 wrote to memory of 4428	2868	EXCEL.EXE	regsvr32.exe
PID 2868 wrote to memory of 4428	2868	EXCEL.EXE	regsvr32.exe
PID 3800 wrote to memory of 4196	3800	regsvr32.exe	regsvr32.exe
PID 3800 wrote to memory of 4196	3800	regsvr32.exe	regsvr32.exe
PID 4428 wrote to memory of 3344	4428	regsvr32.exe	regsvr32.exe
PID 4428 wrote to memory of 3344	4428	regsvr32.exe	regsvr32.exe
PID 2868 wrote to memory of 1460	2868	EXCEL.EXE	regsvr32.exe
PID 2868 wrote to memory of 1460	2868	EXCEL.EXE	regsvr32.exe
PID 1460 wrote to memory of 216	1460	regsvr32.exe	regsvr32.exe
PID 1460 wrote to memory of 216	1460	regsvr32.exe	regsvr32.exe
PID 216 wrote to memory of 4140	216	regsvr32.exe	systeminfo.exe
PID 216 wrote to memory of 4140	216	regsvr32.exe	systeminfo.exe
PID 3344 wrote to memory of 1632	3344	regsvr32.exe	systeminfo.exe
PID 3344 wrote to memory of 1632	3344	regsvr32.exe	systeminfo.exe
PID 3344 wrote to memory of 4720	3344	regsvr32.exe	ipconfig.exe
PID 3344 wrote to memory of 4720	3344	regsvr32.exe	ipconfig.exe
PID 216 wrote to memory of 1680	216	regsvr32.exe	ipconfig.exe
PID 216 wrote to memory of 1680	216	regsvr32.exe	ipconfig.exe
PID 216 wrote to memory of 5108	216	regsvr32.exe	nltest.exe
PID 3344 wrote to memory of 4820	3344	regsvr32.exe	nltest.exe
PID 216 wrote to memory of 5108	216	regsvr32.exe	nltest.exe
PID 3344 wrote to memory of 4820	3344	regsvr32.exe	nltest.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\MAIL_06072022.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx
2⤵
- Process spawned unexpected child process
PID:4016

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LRkNomHMeaJRBJrt\kcakMPDqwQ.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4196

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PcPkkks\EflNvLPxHOk.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:1632

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:4720

C:\Windows\system32\nltest.exe
nltest /dclist:
4⤵
PID:4820

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SXwkFcjEyeglvm\eaJVDTCTd.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:4140

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:1680

C:\Windows\system32\nltest.exe
nltest /dclist:
4⤵
PID:5108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\soci2.ocx
Filesize
847KB

MD5
adccfa7d9a3a5d23cece9a57cbf06c87

SHA1
6d96ba3144438eeace3696c526d048d74b8b9901

SHA256
1a7cebc9d87eeaa3b1b377e4767f0f1bd2abae692109b9e102a2f8c986fb2912

SHA512
ded4e58064f6561327741cf3d239d29645deca3b52ef21a5e3f804135ad011615be726450a2125b0f31d97645f141f3438dc435d9c7d545ca60fce940b400563

Download Submit
C:\Users\Admin\soci2.ocx
Filesize
847KB

MD5
adccfa7d9a3a5d23cece9a57cbf06c87

SHA1
6d96ba3144438eeace3696c526d048d74b8b9901

SHA256
1a7cebc9d87eeaa3b1b377e4767f0f1bd2abae692109b9e102a2f8c986fb2912

SHA512
ded4e58064f6561327741cf3d239d29645deca3b52ef21a5e3f804135ad011615be726450a2125b0f31d97645f141f3438dc435d9c7d545ca60fce940b400563

Download Submit
C:\Users\Admin\soci3.ocx
Filesize
847KB

MD5
78bcd900acb9a0c582c412edfc3703a3

SHA1
f33ceaeb55abc9ceab3a60873fd265ce1c7acaef

SHA256
7364386d7edd4961b1ac4b03c3aa10808223052849cb008deb3c9e378ff09161

SHA512
a89848e8e06dd20ce583d56ded097bf9b5a542e10ae27ac174dde89394ddd34e1ae25d34ba12cd0396422edff58ceda3c3a0d0f417bf958fee5d983c5410afe9

Download Submit
C:\Users\Admin\soci3.ocx
Filesize
847KB

MD5
78bcd900acb9a0c582c412edfc3703a3

SHA1
f33ceaeb55abc9ceab3a60873fd265ce1c7acaef

SHA256
7364386d7edd4961b1ac4b03c3aa10808223052849cb008deb3c9e378ff09161

SHA512
a89848e8e06dd20ce583d56ded097bf9b5a542e10ae27ac174dde89394ddd34e1ae25d34ba12cd0396422edff58ceda3c3a0d0f417bf958fee5d983c5410afe9

Download Submit
C:\Users\Admin\soci4.ocx
Filesize
847KB

MD5
939239f35d2787d7beabee60833964e9

SHA1
a7bf30340340c6a7b19d4aae47b6062e2e3c6248

SHA256
aa90dec9d5d06e8c29ac02fc5886b39b9ca07c7607858e772e22c6d2f7706a20

SHA512
9d0f336c1d76ebb9ee448f70546bf0465d0563fa5dcb0a0f8f29fd99fa7b35902ac42329ef3df8402e4644377d5876d364e140fb5f58a5627e329ae580b53330

Download Submit
C:\Users\Admin\soci4.ocx
Filesize
847KB

MD5
939239f35d2787d7beabee60833964e9

SHA1
a7bf30340340c6a7b19d4aae47b6062e2e3c6248

SHA256
aa90dec9d5d06e8c29ac02fc5886b39b9ca07c7607858e772e22c6d2f7706a20

SHA512
9d0f336c1d76ebb9ee448f70546bf0465d0563fa5dcb0a0f8f29fd99fa7b35902ac42329ef3df8402e4644377d5876d364e140fb5f58a5627e329ae580b53330

Download Submit
C:\Windows\System32\LRkNomHMeaJRBJrt\kcakMPDqwQ.dll
Filesize
847KB

MD5
adccfa7d9a3a5d23cece9a57cbf06c87

SHA1
6d96ba3144438eeace3696c526d048d74b8b9901

SHA256
1a7cebc9d87eeaa3b1b377e4767f0f1bd2abae692109b9e102a2f8c986fb2912

SHA512
ded4e58064f6561327741cf3d239d29645deca3b52ef21a5e3f804135ad011615be726450a2125b0f31d97645f141f3438dc435d9c7d545ca60fce940b400563

Download Submit
C:\Windows\System32\PcPkkks\EflNvLPxHOk.dll
Filesize
847KB

MD5
78bcd900acb9a0c582c412edfc3703a3

SHA1
f33ceaeb55abc9ceab3a60873fd265ce1c7acaef

SHA256
7364386d7edd4961b1ac4b03c3aa10808223052849cb008deb3c9e378ff09161

SHA512
a89848e8e06dd20ce583d56ded097bf9b5a542e10ae27ac174dde89394ddd34e1ae25d34ba12cd0396422edff58ceda3c3a0d0f417bf958fee5d983c5410afe9

Download Submit
C:\Windows\System32\SXwkFcjEyeglvm\eaJVDTCTd.dll
Filesize
847KB

MD5
939239f35d2787d7beabee60833964e9

SHA1
a7bf30340340c6a7b19d4aae47b6062e2e3c6248

SHA256
aa90dec9d5d06e8c29ac02fc5886b39b9ca07c7607858e772e22c6d2f7706a20

SHA512
9d0f336c1d76ebb9ee448f70546bf0465d0563fa5dcb0a0f8f29fd99fa7b35902ac42329ef3df8402e4644377d5876d364e140fb5f58a5627e329ae580b53330

Download Submit
memory/216-179-0x0000000002C70000-0x0000000002C93000-memory.dmp

Filesize
140KB

Download
memory/216-173-0x0000000002C70000-0x0000000002C93000-memory.dmp

Filesize
140KB

Download
memory/216-166-0x0000000000000000-mapping.dmp

Download
memory/1460-160-0x0000000000000000-mapping.dmp

Download
memory/1632-172-0x0000000000000000-mapping.dmp

Download
memory/1680-176-0x0000000000000000-mapping.dmp

Download
memory/2868-130-0x00007FFC8F810000-0x00007FFC8F820000-memory.dmp

Filesize
64KB

Download
memory/2868-132-0x00007FFC8F810000-0x00007FFC8F820000-memory.dmp

Filesize
64KB

Download
memory/2868-133-0x00007FFC8F810000-0x00007FFC8F820000-memory.dmp

Filesize
64KB

Download
memory/2868-131-0x00007FFC8F810000-0x00007FFC8F820000-memory.dmp

Filesize
64KB

Download
memory/2868-136-0x00007FFC8D0F0000-0x00007FFC8D100000-memory.dmp

Filesize
64KB

Download
memory/2868-134-0x00007FFC8F810000-0x00007FFC8F820000-memory.dmp

Filesize
64KB

Download
memory/2868-135-0x00007FFC8D0F0000-0x00007FFC8D100000-memory.dmp

Filesize
64KB

Download
memory/3344-180-0x0000000002BA0000-0x0000000002BC3000-memory.dmp

Filesize
140KB

Download
memory/3344-151-0x0000000000000000-mapping.dmp

Download
memory/3344-174-0x0000000002BA0000-0x0000000002BC3000-memory.dmp

Filesize
140KB

Download
memory/3800-141-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/3800-138-0x0000000000000000-mapping.dmp

Download
memory/4016-137-0x0000000000000000-mapping.dmp

Download
memory/4140-171-0x0000000000000000-mapping.dmp

Download
memory/4196-150-0x0000000000000000-mapping.dmp

Download
memory/4428-144-0x0000000000000000-mapping.dmp

Download
memory/4720-175-0x0000000000000000-mapping.dmp

Download
memory/4820-178-0x0000000000000000-mapping.dmp

Download
memory/5108-177-0x0000000000000000-mapping.dmp

Download