emotet | f235fa15b3d945d5b4b7625beba2afef778b451ef39c00978a9c889862221a19

General

Target

f235fa15b3d945d5b4b7625beba2afef778b451ef39c00978a9c889862221a19.xls
Size

217KB
MD5

cb7a96d7601d75a6f15fea1271eebe77
SHA1

e852b45765fd98423f2e21e8ac613cbf18805cc5
SHA256

f235fa15b3d945d5b4b7625beba2afef778b451ef39c00978a9c889862221a19
SHA512

0ab889ea6416513a7df3dd3989fa0866645a316627d3c17a96b38910bc496497e78fecbb9520cbe941268a2797d5df24e4bc879415bb8b7b3818f9173cc604f6
SSDEEP

6144:zKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgXyY+TAQXTHGUMEyP5p6f5jQmG:DbGUMVWlbG

Score

10^/10

emotet epoch5 banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://barkstage.es/wp-content/0E7NdYl7TZuHMJq7/

xlm40.dropper

http://contactworks.nl/images_old/NuEAhfF0PCFhvv/

xlm40.dropper

http://www.iam.ch/wp-content/cache/minify/O1OAjWnfen/

xlm40.dropper

https://www.elaboro.pl/wp-admin/J0hwyIMsk9YFIi/

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3472	2712	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3328	2712	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4232	2712	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1560	2712	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 3 IoCs

pid	Process
3472	regsvr32.exe
3328	regsvr32.exe
1560	regsvr32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkJrSfHORswIjGMM.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\BGojgANs\\pkJrSfHORswIjGMM.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mAalTHTU.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\QeWHCSbwLZEKK\\mAalTHTU.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CsvaIdpCbZFLk.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\NwgqMnU\\CsvaIdpCbZFLk.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2712	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3472	regsvr32.exe
3472	regsvr32.exe
3960	regsvr32.exe
3960	regsvr32.exe
3328	regsvr32.exe
3328	regsvr32.exe
3960	regsvr32.exe
3960	regsvr32.exe
4972	regsvr32.exe
4972	regsvr32.exe
4972	regsvr32.exe
4972	regsvr32.exe
1560	regsvr32.exe
1560	regsvr32.exe
2232	regsvr32.exe
2232	regsvr32.exe
2232	regsvr32.exe
2232	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2712	EXCEL.EXE
2712	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2712	EXCEL.EXE
2712	EXCEL.EXE
2712	EXCEL.EXE
2712	EXCEL.EXE
2712	EXCEL.EXE
2712	EXCEL.EXE
2712	EXCEL.EXE
2712	EXCEL.EXE
2712	EXCEL.EXE
2712	EXCEL.EXE
2712	EXCEL.EXE
2712	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 3472	2712	EXCEL.EXE	68
PID 2712 wrote to memory of 3472	2712	EXCEL.EXE	68
PID 3472 wrote to memory of 3960	3472	regsvr32.exe	69
PID 3472 wrote to memory of 3960	3472	regsvr32.exe	69
PID 2712 wrote to memory of 3328	2712	EXCEL.EXE	70
PID 2712 wrote to memory of 3328	2712	EXCEL.EXE	70
PID 3328 wrote to memory of 4972	3328	regsvr32.exe	71
PID 3328 wrote to memory of 4972	3328	regsvr32.exe	71
PID 2712 wrote to memory of 4232	2712	EXCEL.EXE	72
PID 2712 wrote to memory of 4232	2712	EXCEL.EXE	72
PID 2712 wrote to memory of 1560	2712	EXCEL.EXE	73
PID 2712 wrote to memory of 1560	2712	EXCEL.EXE	73
PID 1560 wrote to memory of 2232	1560	regsvr32.exe	74
PID 1560 wrote to memory of 2232	1560	regsvr32.exe	74

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f235fa15b3d945d5b4b7625beba2afef778b451ef39c00978a9c889862221a19.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BGojgANs\pkJrSfHORswIjGMM.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:3960
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QeWHCSbwLZEKK\mAalTHTU.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4972
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:4232
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NwgqMnU\CsvaIdpCbZFLk.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
751KB

MD5
c961652ea59fde02f109427d33e8acf1

SHA1
12380a31941674b2d10d48ee53851a75bac015f1

SHA256
1b47bf2373561d6de3c931d15b8f88dee5f02d9f038038c36b428053d0018d56

SHA512
5bcd104d9b2df8caae5be365d7ecabfe7675cfd12b5e546f958078559926729fed28af350460b144c85fa7699af85f80553d25cade506323f9a1b42349bea136

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
751KB

MD5
30309b198dc4eaef6fdb67d4ad0e06f5

SHA1
c2bd25dff9646387f3903b54f7f38dba208e1c9f

SHA256
ec1f157dd5ec8624021bc505782145fc24c65f48b84dcd90f1423c8f77271d23

SHA512
c323d6b2f66181f9e42de0a49d75a8e4b58727d5cc27820cbc434a16ca3075de255c24a1342e5988f90b363751eaf96490e2cf64aee8e67e88dcb21bef7a1773

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
751KB

MD5
42d74f413c13fadff8cdae64de269fed

SHA1
b4d8431bca068219b8b514b708215e47d9cce0ed

SHA256
6abe834bdf2740ddaeb54868d472ae19dbf12e3fbbb7f265d2e796953ebe9a16

SHA512
88f6606662c9a395ec9a49f5369817dc5f8b67f3009e7a85ba1b30ce4a4e3746529fabe5d29d1d1bd99c05c8f0abfce11cb498548a7dcea6bd6ab80ddbabf2ad

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
751KB

MD5
c961652ea59fde02f109427d33e8acf1

SHA1
12380a31941674b2d10d48ee53851a75bac015f1

SHA256
1b47bf2373561d6de3c931d15b8f88dee5f02d9f038038c36b428053d0018d56

SHA512
5bcd104d9b2df8caae5be365d7ecabfe7675cfd12b5e546f958078559926729fed28af350460b144c85fa7699af85f80553d25cade506323f9a1b42349bea136

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
751KB

MD5
30309b198dc4eaef6fdb67d4ad0e06f5

SHA1
c2bd25dff9646387f3903b54f7f38dba208e1c9f

SHA256
ec1f157dd5ec8624021bc505782145fc24c65f48b84dcd90f1423c8f77271d23

SHA512
c323d6b2f66181f9e42de0a49d75a8e4b58727d5cc27820cbc434a16ca3075de255c24a1342e5988f90b363751eaf96490e2cf64aee8e67e88dcb21bef7a1773

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
751KB

MD5
42d74f413c13fadff8cdae64de269fed

SHA1
b4d8431bca068219b8b514b708215e47d9cce0ed

SHA256
6abe834bdf2740ddaeb54868d472ae19dbf12e3fbbb7f265d2e796953ebe9a16

SHA512
88f6606662c9a395ec9a49f5369817dc5f8b67f3009e7a85ba1b30ce4a4e3746529fabe5d29d1d1bd99c05c8f0abfce11cb498548a7dcea6bd6ab80ddbabf2ad

Download Submit
memory/2712-343-0x00007FFA0D4D0000-0x00007FFA0D4E0000-memory.dmp

Filesize
64KB

Download
memory/2712-118-0x00007FFA0D4D0000-0x00007FFA0D4E0000-memory.dmp

Filesize
64KB

Download
memory/2712-117-0x00007FFA0D4D0000-0x00007FFA0D4E0000-memory.dmp

Filesize
64KB

Download
memory/2712-344-0x00007FFA0D4D0000-0x00007FFA0D4E0000-memory.dmp

Filesize
64KB

Download
memory/2712-342-0x00007FFA0D4D0000-0x00007FFA0D4E0000-memory.dmp

Filesize
64KB

Download
memory/2712-127-0x00007FFA09D90000-0x00007FFA09DA0000-memory.dmp

Filesize
64KB

Download
memory/2712-116-0x00007FFA0D4D0000-0x00007FFA0D4E0000-memory.dmp

Filesize
64KB

Download
memory/2712-115-0x00007FFA0D4D0000-0x00007FFA0D4E0000-memory.dmp

Filesize
64KB

Download
memory/2712-128-0x00007FFA09D90000-0x00007FFA09DA0000-memory.dmp

Filesize
64KB

Download
memory/2712-341-0x00007FFA0D4D0000-0x00007FFA0D4E0000-memory.dmp

Filesize
64KB

Download
memory/3472-138-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads