emotet | 7d730c7a39294b8d2e18047f0fb77418acd82b0a036495b48991692607456207

General

Target

7d730c7a39294b8d2e18047f0fb77418acd82b0a036495b48991692607456207.xls
Size

95KB
MD5

7a1a3cf5ccb7c2e15cbfb92a85ecae5f
SHA1

b1a17e354a906125632b16724e9d4391dfd64b59
SHA256

7d730c7a39294b8d2e18047f0fb77418acd82b0a036495b48991692607456207
SHA512

cc7664c9434593b06fcf0b470395b0e05df6ad3f04b26670c578a1ed4478781cfbf372ad9eab4a373e897c2cad3013c4f927ac7c3e2b290031311cb37185951a

Score

10^/10

emotet epoch5 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://edoraseguros.com.br/cgi-bin/jQNq9wlH1GXU/

xlm40.dropper

http://earthmach.co.za/libraries/tWkZh9YrXbTd6IeX/

xlm40.dropper

http://finvest.rs/wp-admin/Hr9nVNTIHgw59S/

xlm40.dropper

http://efverstedt.se/5jjaV/w7fLEHJ20xn0qD/

Extracted

Family

emotet

Botnet

Epoch5

C2

103.71.99.57:8080

103.224.241.74:8080

157.245.111.0:8080

37.44.244.177:8080

103.41.204.169:8080

64.227.55.231:8080

103.254.12.236:7080

103.85.95.4:8080

157.230.99.206:8080

165.22.254.236:8080

85.214.67.203:8080

54.37.228.122:443

195.77.239.39:8080

128.199.217.206:443

190.145.8.4:443

165.232.185.110:8080

188.165.79.151:443

178.62.112.199:8080

54.37.106.167:8080

104.244.79.94:443

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1328	3456	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2604	3456	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2276	3456	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	760	3456	regsvr32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2604 regsvr32.exe
2276 regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3916 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3792 systeminfo.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3456 EXCEL.EXE

pid	process
3916	ipconfig.exe

pid	process
3792	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
2604	regsvr32.exe
2604	regsvr32.exe
2256	regsvr32.exe
2256	regsvr32.exe
2256	regsvr32.exe
2256	regsvr32.exe
2276	regsvr32.exe
2276	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2692	regsvr32.exe
2256	regsvr32.exe
2256	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

3456 EXCEL.EXE
3456 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3456	EXCEL.EXE
3456	EXCEL.EXE
3456	EXCEL.EXE
3456	EXCEL.EXE
3456	EXCEL.EXE
3456	EXCEL.EXE
3456	EXCEL.EXE
3456	EXCEL.EXE
3456	EXCEL.EXE
3456	EXCEL.EXE
3456	EXCEL.EXE
3456	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3456 wrote to memory of 1328	3456	EXCEL.EXE	regsvr32.exe
PID 3456 wrote to memory of 1328	3456	EXCEL.EXE	regsvr32.exe
PID 3456 wrote to memory of 2604	3456	EXCEL.EXE	regsvr32.exe
PID 3456 wrote to memory of 2604	3456	EXCEL.EXE	regsvr32.exe
PID 3456 wrote to memory of 2276	3456	EXCEL.EXE	regsvr32.exe
PID 3456 wrote to memory of 2276	3456	EXCEL.EXE	regsvr32.exe
PID 2604 wrote to memory of 2256	2604	regsvr32.exe	regsvr32.exe
PID 2604 wrote to memory of 2256	2604	regsvr32.exe	regsvr32.exe
PID 2276 wrote to memory of 2692	2276	regsvr32.exe	regsvr32.exe
PID 2276 wrote to memory of 2692	2276	regsvr32.exe	regsvr32.exe
PID 3456 wrote to memory of 760	3456	EXCEL.EXE	regsvr32.exe
PID 3456 wrote to memory of 760	3456	EXCEL.EXE	regsvr32.exe
PID 2256 wrote to memory of 3792	2256	regsvr32.exe	systeminfo.exe
PID 2256 wrote to memory of 3792	2256	regsvr32.exe	systeminfo.exe
PID 2256 wrote to memory of 3916	2256	regsvr32.exe	ipconfig.exe
PID 2256 wrote to memory of 3916	2256	regsvr32.exe	ipconfig.exe
PID 2256 wrote to memory of 3468	2256	regsvr32.exe	nltest.exe
PID 2256 wrote to memory of 3468	2256	regsvr32.exe	nltest.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7d730c7a39294b8d2e18047f0fb77418acd82b0a036495b48991692607456207.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx
2⤵
- Process spawned unexpected child process
PID:1328

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OytWvL\HTubqXlsJk.dll"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:3792

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:3916

C:\Windows\system32\nltest.exe
nltest /dclist:
4⤵
PID:3468

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BvKMXXvEdLZU\lkFgVRHHYOKtL.dll"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2692

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx
2⤵
- Process spawned unexpected child process
PID:760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\soci2.ocx
Filesize
847KB

MD5
39a5c4e3b58cfc7adb88e1fc316ec5a4

SHA1
90a0fb85835554854885ce325254b42aa304abcc

SHA256
3cbbdb7f3dfb39cda8142c83aa12d307da2b575cb4662d96ca260fdeea47dc26

SHA512
6db90259d630206d1164390a00f2b4824041c670b27bdcc3c949d6ee15f1d66cbbb17c2500f8b5300be2a4a4dddd5efd4514106df93eddb61660537b74dc434a

Download Submit
C:\Users\Admin\soci3.ocx
Filesize
847KB

MD5
c965a176ca78692a43458b7f01752148

SHA1
46fba3b300f3e7fe8a99fef5d63ebefb89ed0baa

SHA256
92e3e97e81f3c4929f80a91c239f2f0a79cf1714d7f648f3b3fd93c8c9c6edf7

SHA512
0b9a5b83b2c1d0470ac52c0bd8ae496c9aea6aaf25e6267373baea98a6e6451a7908e58218b3a5ea10beba8105b38b3fd352445ab592fad30885373c4b965c41

Download Submit
\Users\Admin\soci2.ocx
Filesize
847KB

MD5
39a5c4e3b58cfc7adb88e1fc316ec5a4

SHA1
90a0fb85835554854885ce325254b42aa304abcc

SHA256
3cbbdb7f3dfb39cda8142c83aa12d307da2b575cb4662d96ca260fdeea47dc26

SHA512
6db90259d630206d1164390a00f2b4824041c670b27bdcc3c949d6ee15f1d66cbbb17c2500f8b5300be2a4a4dddd5efd4514106df93eddb61660537b74dc434a

Download Submit
\Users\Admin\soci3.ocx
Filesize
847KB

MD5
c965a176ca78692a43458b7f01752148

SHA1
46fba3b300f3e7fe8a99fef5d63ebefb89ed0baa

SHA256
92e3e97e81f3c4929f80a91c239f2f0a79cf1714d7f648f3b3fd93c8c9c6edf7

SHA512
0b9a5b83b2c1d0470ac52c0bd8ae496c9aea6aaf25e6267373baea98a6e6451a7908e58218b3a5ea10beba8105b38b3fd352445ab592fad30885373c4b965c41

Download Submit
memory/760-307-0x0000000000000000-mapping.dmp

Download
memory/1328-278-0x0000000000000000-mapping.dmp

Download
memory/2256-331-0x0000000002640000-0x00000000085A4000-memory.dmp

Filesize
95.4MB

Download
memory/2256-288-0x0000000000000000-mapping.dmp

Download
memory/2276-287-0x0000000000000000-mapping.dmp

Download
memory/2604-282-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/2604-279-0x0000000000000000-mapping.dmp

Download
memory/2692-301-0x0000000000000000-mapping.dmp

Download
memory/3456-326-0x00007FF9C3760000-0x00007FF9C3770000-memory.dmp

Filesize
64KB

Download
memory/3456-128-0x00007FF9C09E0000-0x00007FF9C09F0000-memory.dmp

Filesize
64KB

Download
memory/3456-119-0x00007FF9C3760000-0x00007FF9C3770000-memory.dmp

Filesize
64KB

Download
memory/3456-116-0x00007FF9C3760000-0x00007FF9C3770000-memory.dmp

Filesize
64KB

Download
memory/3456-118-0x00007FF9C3760000-0x00007FF9C3770000-memory.dmp

Filesize
64KB

Download
memory/3456-129-0x00007FF9C09E0000-0x00007FF9C09F0000-memory.dmp

Filesize
64KB

Download
memory/3456-327-0x00007FF9C3760000-0x00007FF9C3770000-memory.dmp

Filesize
64KB

Download
memory/3456-328-0x00007FF9C3760000-0x00007FF9C3770000-memory.dmp

Filesize
64KB

Download
memory/3456-329-0x00007FF9C3760000-0x00007FF9C3770000-memory.dmp

Filesize
64KB

Download
memory/3456-117-0x00007FF9C3760000-0x00007FF9C3770000-memory.dmp

Filesize
64KB

Download
memory/3468-333-0x0000000000000000-mapping.dmp

Download
memory/3792-330-0x0000000000000000-mapping.dmp

Download
memory/3916-332-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads