emotet | 62f62c6a161565c83d720ce863721c4c182f9087a7a469ebaaccbebcd02f83df

General

Target

62f62c6a161565c83d720ce863721c4c182f9087a7a469ebaaccbebcd02f83df.xls
Size

217KB
MD5

cf2671535e8b7ca0b7d45c66d75f1b3e
SHA1

9a4c973a62ccbe6141f2a97d4b90f18b09247ac8
SHA256

62f62c6a161565c83d720ce863721c4c182f9087a7a469ebaaccbebcd02f83df
SHA512

f79d2af62801093ba24eeef176ec0b6c5d1db2c3faf6877fa97672c63db994f92a52cba8c8716b2923a0f10c553075a956185a533a4ba37fd973caecce2d9b83
SSDEEP

6144:zKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgXyY+TAQXTHGUMEyP5p6f5jQmq:DbGUMVWlbq

Score

10^/10

emotet epoch5 banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://barkstage.es/wp-content/0E7NdYl7TZuHMJq7/

xlm40.dropper

http://contactworks.nl/images_old/NuEAhfF0PCFhvv/

xlm40.dropper

http://www.iam.ch/wp-content/cache/minify/O1OAjWnfen/

xlm40.dropper

https://www.elaboro.pl/wp-admin/J0hwyIMsk9YFIi/

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	388	3836	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1680	3836	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	96	3836	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	864	3836	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 4 IoCs

pid	Process
388	regsvr32.exe
1680	regsvr32.exe
96	regsvr32.exe
864	regsvr32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZsJhvC.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\WJJfuIvYSuf\\ZsJhvC.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxJvPU.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\VwsiL\\xxJvPU.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AZOivBcEmna.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\GgotmuStBxyxEu\\AZOivBcEmna.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pjlIZUE.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\DmOmynsS\\pjlIZUE.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3836	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
388	regsvr32.exe
388	regsvr32.exe
356	regsvr32.exe
356	regsvr32.exe
356	regsvr32.exe
356	regsvr32.exe
1680	regsvr32.exe
1680	regsvr32.exe
3024	regsvr32.exe
3024	regsvr32.exe
96	regsvr32.exe
96	regsvr32.exe
3024	regsvr32.exe
3024	regsvr32.exe
4396	regsvr32.exe
4396	regsvr32.exe
4396	regsvr32.exe
4396	regsvr32.exe
864	regsvr32.exe
864	regsvr32.exe
2688	regsvr32.exe
2688	regsvr32.exe
2688	regsvr32.exe
2688	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3836	EXCEL.EXE
3836	EXCEL.EXE
3836	EXCEL.EXE
3836	EXCEL.EXE
3836	EXCEL.EXE
3836	EXCEL.EXE
3836	EXCEL.EXE
3836	EXCEL.EXE
3836	EXCEL.EXE
3836	EXCEL.EXE
3836	EXCEL.EXE
3836	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 388	3836	EXCEL.EXE	70
PID 3836 wrote to memory of 388	3836	EXCEL.EXE	70
PID 388 wrote to memory of 356	388	regsvr32.exe	73
PID 388 wrote to memory of 356	388	regsvr32.exe	73
PID 3836 wrote to memory of 1680	3836	EXCEL.EXE	74
PID 3836 wrote to memory of 1680	3836	EXCEL.EXE	74
PID 1680 wrote to memory of 3024	1680	regsvr32.exe	77
PID 1680 wrote to memory of 3024	1680	regsvr32.exe	77
PID 3836 wrote to memory of 96	3836	EXCEL.EXE	78
PID 3836 wrote to memory of 96	3836	EXCEL.EXE	78
PID 96 wrote to memory of 4396	96	regsvr32.exe	79
PID 96 wrote to memory of 4396	96	regsvr32.exe	79
PID 3836 wrote to memory of 864	3836	EXCEL.EXE	80
PID 3836 wrote to memory of 864	3836	EXCEL.EXE	80
PID 864 wrote to memory of 2688	864	regsvr32.exe	81
PID 864 wrote to memory of 2688	864	regsvr32.exe	81

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\62f62c6a161565c83d720ce863721c4c182f9087a7a469ebaaccbebcd02f83df.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WJJfuIvYSuf\ZsJhvC.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:356
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VwsiL\xxJvPU.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:3024
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:96
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GgotmuStBxyxEu\AZOivBcEmna.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4396
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DmOmynsS\pjlIZUE.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
712KB

MD5
142ca5dd813ec2579adefffb85fe8ac0

SHA1
8cbaba538014aebbbce890601b690b9e3f818446

SHA256
4d04c7b2a1173216b49b35ffb001ea4ed98688b3e58f4e08df77eeaaeab0be36

SHA512
b08647eadc2e6a4343bd7cc0ec4c981ec28aa18eb040009e47b71f632af1ccdb7c3fe29a31c82364f03940814950a56a179b739e8fb1f055942c3cb1c126f95a

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
751KB

MD5
acf613b51e6692c2c5e7b5d0f807d361

SHA1
f76fedbefb540b7b3124e34384b0c8867e1ab236

SHA256
5aa292854b95b0e73f346c4475c005c167e0e7d002e5aaf54b9760b77955aa3c

SHA512
3cedc2ab4b6fe6b8082368c72b50659cb7cebbf6458d49b466dfa5186103ebf1d86bf18c2153d70f98f9fd6b862d6a7ded4d4f5161524d3e9aa06afb3ad9183e

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
751KB

MD5
9f035429a2f9b14607e126fe1000e115

SHA1
5b285ef61858a79e43a71061370fb3001e3ded28

SHA256
346d3c52e7b8240a450ff4f26166d36401fc8c845153610dfeca47248c61f959

SHA512
fae519416a6ef5e3b113ba2996016d096942841eeeddd08cd9ce97b426dba685d8e06581110dd36ac3fa8dead999e6712da00d438f20e46b7991a2245898b9e4

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
751KB

MD5
8b83aab4f886378103cfccfa765c31f5

SHA1
bc71612569805f7e6800528ee98777fb0aeae815

SHA256
492022730e5b540bb382dd2a463fddc0605ade8e203fd760c986887f94177d4b

SHA512
e6c69e71be1a914356a23d0a3a08b0eb554031d8948aed52e2d88d1ed8ac98f8918aea7f500114c748548ebec1ba709c6661b520dc50572108033fb074879c0e

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
712KB

MD5
142ca5dd813ec2579adefffb85fe8ac0

SHA1
8cbaba538014aebbbce890601b690b9e3f818446

SHA256
4d04c7b2a1173216b49b35ffb001ea4ed98688b3e58f4e08df77eeaaeab0be36

SHA512
b08647eadc2e6a4343bd7cc0ec4c981ec28aa18eb040009e47b71f632af1ccdb7c3fe29a31c82364f03940814950a56a179b739e8fb1f055942c3cb1c126f95a

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
751KB

MD5
acf613b51e6692c2c5e7b5d0f807d361

SHA1
f76fedbefb540b7b3124e34384b0c8867e1ab236

SHA256
5aa292854b95b0e73f346c4475c005c167e0e7d002e5aaf54b9760b77955aa3c

SHA512
3cedc2ab4b6fe6b8082368c72b50659cb7cebbf6458d49b466dfa5186103ebf1d86bf18c2153d70f98f9fd6b862d6a7ded4d4f5161524d3e9aa06afb3ad9183e

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
751KB

MD5
9f035429a2f9b14607e126fe1000e115

SHA1
5b285ef61858a79e43a71061370fb3001e3ded28

SHA256
346d3c52e7b8240a450ff4f26166d36401fc8c845153610dfeca47248c61f959

SHA512
fae519416a6ef5e3b113ba2996016d096942841eeeddd08cd9ce97b426dba685d8e06581110dd36ac3fa8dead999e6712da00d438f20e46b7991a2245898b9e4

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
751KB

MD5
8b83aab4f886378103cfccfa765c31f5

SHA1
bc71612569805f7e6800528ee98777fb0aeae815

SHA256
492022730e5b540bb382dd2a463fddc0605ade8e203fd760c986887f94177d4b

SHA512
e6c69e71be1a914356a23d0a3a08b0eb554031d8948aed52e2d88d1ed8ac98f8918aea7f500114c748548ebec1ba709c6661b520dc50572108033fb074879c0e

Download Submit
memory/388-279-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/3836-129-0x00007FFE96150000-0x00007FFE96160000-memory.dmp

Filesize
64KB

Download
memory/3836-119-0x00007FFE99890000-0x00007FFE998A0000-memory.dmp

Filesize
64KB

Download
memory/3836-128-0x00007FFE96150000-0x00007FFE96160000-memory.dmp

Filesize
64KB

Download
memory/3836-118-0x00007FFE99890000-0x00007FFE998A0000-memory.dmp

Filesize
64KB

Download
memory/3836-117-0x00007FFE99890000-0x00007FFE998A0000-memory.dmp

Filesize
64KB

Download
memory/3836-116-0x00007FFE99890000-0x00007FFE998A0000-memory.dmp

Filesize
64KB

Download
memory/3836-364-0x00007FFE99890000-0x00007FFE998A0000-memory.dmp

Filesize
64KB

Download
memory/3836-365-0x00007FFE99890000-0x00007FFE998A0000-memory.dmp

Filesize
64KB

Download
memory/3836-366-0x00007FFE99890000-0x00007FFE998A0000-memory.dmp

Filesize
64KB

Download
memory/3836-367-0x00007FFE99890000-0x00007FFE998A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads