emotet | 1c03d79df7fe41a414fa36ede15c1a81fb08d70ea9d2f8e29649d26cbcbf59bd

General

Target

1c03d79df7fe41a414fa36ede15c1a81fb08d70ea9d2f8e29649d26cbcbf59bd.xls
Size

95KB
MD5

668487f04471b2455f8dcb15f5e5357f
SHA1

4ed6617b64c18b25ee857093758d568343c73a87
SHA256

1c03d79df7fe41a414fa36ede15c1a81fb08d70ea9d2f8e29649d26cbcbf59bd
SHA512

aaf7e69703198cf76466c6756e719865f531a5a7dcf45b0a831c2c69a8acae70bc4fcce97890001abfeec4185730330c0c529d37c6af2b15b7552f833fe53b1a

Score

10^/10

emotet epoch5 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://edoraseguros.com.br/cgi-bin/jQNq9wlH1GXU/

xlm40.dropper

http://earthmach.co.za/libraries/tWkZh9YrXbTd6IeX/

xlm40.dropper

http://finvest.rs/wp-admin/Hr9nVNTIHgw59S/

xlm40.dropper

http://efverstedt.se/5jjaV/w7fLEHJ20xn0qD/

Extracted

Family

emotet

Botnet

Epoch5

C2

103.71.99.57:8080

103.224.241.74:8080

157.245.111.0:8080

37.44.244.177:8080

103.41.204.169:8080

64.227.55.231:8080

103.254.12.236:7080

103.85.95.4:8080

157.230.99.206:8080

165.22.254.236:8080

85.214.67.203:8080

54.37.228.122:443

195.77.239.39:8080

128.199.217.206:443

190.145.8.4:443

165.232.185.110:8080

188.165.79.151:443

178.62.112.199:8080

54.37.106.167:8080

104.244.79.94:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	232	1364	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	216	1364	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1480	1364	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	520	1364	regsvr32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

216 regsvr32.exe
1480 regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2516 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2200 systeminfo.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1364 EXCEL.EXE

pid	process
2516	ipconfig.exe

pid	process
2200	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
216	regsvr32.exe
216	regsvr32.exe
3116	regsvr32.exe
3116	regsvr32.exe
3116	regsvr32.exe
3116	regsvr32.exe
1480	regsvr32.exe
1480	regsvr32.exe
3964	regsvr32.exe
3964	regsvr32.exe
3964	regsvr32.exe
3964	regsvr32.exe
3964	regsvr32.exe
3964	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
1364	EXCEL.EXE
1364	EXCEL.EXE
1364	EXCEL.EXE
1364	EXCEL.EXE
1364	EXCEL.EXE
1364	EXCEL.EXE
1364	EXCEL.EXE
1364	EXCEL.EXE
1364	EXCEL.EXE
1364	EXCEL.EXE
1364	EXCEL.EXE
1364	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1364 wrote to memory of 232	1364	EXCEL.EXE	regsvr32.exe
PID 1364 wrote to memory of 232	1364	EXCEL.EXE	regsvr32.exe
PID 1364 wrote to memory of 216	1364	EXCEL.EXE	regsvr32.exe
PID 1364 wrote to memory of 216	1364	EXCEL.EXE	regsvr32.exe
PID 216 wrote to memory of 3116	216	regsvr32.exe	regsvr32.exe
PID 216 wrote to memory of 3116	216	regsvr32.exe	regsvr32.exe
PID 1364 wrote to memory of 1480	1364	EXCEL.EXE	regsvr32.exe
PID 1364 wrote to memory of 1480	1364	EXCEL.EXE	regsvr32.exe
PID 1480 wrote to memory of 3964	1480	regsvr32.exe	regsvr32.exe
PID 1480 wrote to memory of 3964	1480	regsvr32.exe	regsvr32.exe
PID 1364 wrote to memory of 520	1364	EXCEL.EXE	regsvr32.exe
PID 1364 wrote to memory of 520	1364	EXCEL.EXE	regsvr32.exe
PID 3964 wrote to memory of 2200	3964	regsvr32.exe	systeminfo.exe
PID 3964 wrote to memory of 2200	3964	regsvr32.exe	systeminfo.exe
PID 3964 wrote to memory of 2516	3964	regsvr32.exe	ipconfig.exe
PID 3964 wrote to memory of 2516	3964	regsvr32.exe	ipconfig.exe
PID 3964 wrote to memory of 3064	3964	regsvr32.exe	nltest.exe
PID 3964 wrote to memory of 3064	3964	regsvr32.exe	nltest.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1c03d79df7fe41a414fa36ede15c1a81fb08d70ea9d2f8e29649d26cbcbf59bd.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx
2⤵
- Process spawned unexpected child process
PID:232

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WGnnvJNakTSTpOVu\zAyunoXynVfx.dll"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3116

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CCwNwzZlbIxmmiex\unlePqeUPiJrte.dll"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2200

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:2516

C:\Windows\system32\nltest.exe
nltest /dclist:
4⤵
PID:3064

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx
2⤵
- Process spawned unexpected child process
PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\soci2.ocx
Filesize
847KB

MD5
39a5c4e3b58cfc7adb88e1fc316ec5a4

SHA1
90a0fb85835554854885ce325254b42aa304abcc

SHA256
3cbbdb7f3dfb39cda8142c83aa12d307da2b575cb4662d96ca260fdeea47dc26

SHA512
6db90259d630206d1164390a00f2b4824041c670b27bdcc3c949d6ee15f1d66cbbb17c2500f8b5300be2a4a4dddd5efd4514106df93eddb61660537b74dc434a

Download Submit
C:\Users\Admin\soci3.ocx
Filesize
847KB

MD5
e3b67a827b1bdb7e4dc6362402bb4a82

SHA1
48a88f639bebb9d22e6d075a455af3a0fa9e3e85

SHA256
6c128340bd4d4d321ddd96375afd266e30b130051e5abf931fb5121e391a6790

SHA512
2358d442a8113ca8d3e2b88e07b7e8ebeb638b62fd9c74d7dafdea1421e6c4491a679bb0f4ee09fe47683d3b0fb07f7f8483b02dec90dcd0c49028f83845cd6b

Download Submit
\Users\Admin\soci2.ocx
Filesize
847KB

MD5
39a5c4e3b58cfc7adb88e1fc316ec5a4

SHA1
90a0fb85835554854885ce325254b42aa304abcc

SHA256
3cbbdb7f3dfb39cda8142c83aa12d307da2b575cb4662d96ca260fdeea47dc26

SHA512
6db90259d630206d1164390a00f2b4824041c670b27bdcc3c949d6ee15f1d66cbbb17c2500f8b5300be2a4a4dddd5efd4514106df93eddb61660537b74dc434a

Download Submit
\Users\Admin\soci3.ocx
Filesize
847KB

MD5
e3b67a827b1bdb7e4dc6362402bb4a82

SHA1
48a88f639bebb9d22e6d075a455af3a0fa9e3e85

SHA256
6c128340bd4d4d321ddd96375afd266e30b130051e5abf931fb5121e391a6790

SHA512
2358d442a8113ca8d3e2b88e07b7e8ebeb638b62fd9c74d7dafdea1421e6c4491a679bb0f4ee09fe47683d3b0fb07f7f8483b02dec90dcd0c49028f83845cd6b

Download Submit
memory/216-287-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/216-284-0x0000000000000000-mapping.dmp

Download
memory/232-283-0x0000000000000000-mapping.dmp

Download
memory/520-308-0x0000000000000000-mapping.dmp

Download
memory/1364-128-0x00007FF8DC170000-0x00007FF8DC180000-memory.dmp

Filesize
64KB

Download
memory/1364-129-0x00007FF8DC170000-0x00007FF8DC180000-memory.dmp

Filesize
64KB

Download
memory/1364-341-0x00007FF8DFC30000-0x00007FF8DFC40000-memory.dmp

Filesize
64KB

Download
memory/1364-344-0x00007FF8DFC30000-0x00007FF8DFC40000-memory.dmp

Filesize
64KB

Download
memory/1364-116-0x00007FF8DFC30000-0x00007FF8DFC40000-memory.dmp

Filesize
64KB

Download
memory/1364-119-0x00007FF8DFC30000-0x00007FF8DFC40000-memory.dmp

Filesize
64KB

Download
memory/1364-118-0x00007FF8DFC30000-0x00007FF8DFC40000-memory.dmp

Filesize
64KB

Download
memory/1364-343-0x00007FF8DFC30000-0x00007FF8DFC40000-memory.dmp

Filesize
64KB

Download
memory/1364-117-0x00007FF8DFC30000-0x00007FF8DFC40000-memory.dmp

Filesize
64KB

Download
memory/1364-342-0x00007FF8DFC30000-0x00007FF8DFC40000-memory.dmp

Filesize
64KB

Download
memory/1480-298-0x0000000000000000-mapping.dmp

Download
memory/2200-318-0x0000000000000000-mapping.dmp

Download
memory/2516-320-0x0000000000000000-mapping.dmp

Download
memory/3064-321-0x0000000000000000-mapping.dmp

Download
memory/3116-292-0x0000000000000000-mapping.dmp

Download
memory/3964-322-0x0000000002250000-0x00000000081BE000-memory.dmp

Filesize
95.4MB

Download
memory/3964-319-0x0000000002250000-0x00000000081BE000-memory.dmp

Filesize
95.4MB

Download
memory/3964-306-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads