emotet | dfb3f80bfb984d61bb524dd5f4b271d8fbe2df1c2edccc7737a330c3876433a9

General

Target

dfb3f80bfb984d61bb524dd5f4b271d8fbe2df1c2edccc7737a330c3876433a9.xls
Size

217KB
MD5

ab868bbdf36decbf040bcefbf1ce5883
SHA1

95d8a07982d0aeeecd7ef6e79bce720eb8296a32
SHA256

dfb3f80bfb984d61bb524dd5f4b271d8fbe2df1c2edccc7737a330c3876433a9
SHA512

94dcbd8021b49709ad863789c286d9cae68bd76c4046356619723b5a1aa4959eea374b09a52156bb9ebe846e72e23af348d8419155c01aaa4759f7ad751b650c
SSDEEP

6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgIyY+TAQXTHGUMEyP5p6f5jQmb:bbGUMVWlbb

Score

10^/10

emotet epoch5 banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://aprendeconmireia.com/images/wBu/

xlm40.dropper

http://updailymail.com/cgi-bin/gBYmfqRi2utIS2n/

xlm40.dropper

https://akuntansi.itny.ac.id/asset/9aVFvYeaSKOhGBSLx/

xlm40.dropper

http://swiftwebbox.com/cgi-bin/vNqoMtQilpysJYRwtGu/

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4676	2764	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4716	2764	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1100	2764	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4780	2764	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 4 IoCs

pid	Process
4676	regsvr32.exe
4716	regsvr32.exe
1100	regsvr32.exe
4780	regsvr32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TLsBCEHENHbR.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\QlTQXKhW\\TLsBCEHENHbR.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOzAIwZYTLO.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\MUGrtHVL\\YOzAIwZYTLO.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkQEDzgMwNE.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\DSAShlsJyEvDmOyLJ\\pkQEDzgMwNE.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YECfD.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\NaYXzr\\YECfD.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2764	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4676	regsvr32.exe
4676	regsvr32.exe
4616	regsvr32.exe
4616	regsvr32.exe
4616	regsvr32.exe
4616	regsvr32.exe
4716	regsvr32.exe
4716	regsvr32.exe
4772	regsvr32.exe
4772	regsvr32.exe
4772	regsvr32.exe
4772	regsvr32.exe
1100	regsvr32.exe
1100	regsvr32.exe
892	regsvr32.exe
892	regsvr32.exe
892	regsvr32.exe
892	regsvr32.exe
4780	regsvr32.exe
4780	regsvr32.exe
3276	regsvr32.exe
3276	regsvr32.exe
3276	regsvr32.exe
3276	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2764	EXCEL.EXE
2764	EXCEL.EXE
2764	EXCEL.EXE
2764	EXCEL.EXE
2764	EXCEL.EXE
2764	EXCEL.EXE
2764	EXCEL.EXE
2764	EXCEL.EXE
2764	EXCEL.EXE
2764	EXCEL.EXE
2764	EXCEL.EXE
2764	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 4676	2764	EXCEL.EXE	68
PID 2764 wrote to memory of 4676	2764	EXCEL.EXE	68
PID 4676 wrote to memory of 4616	4676	regsvr32.exe	69
PID 4676 wrote to memory of 4616	4676	regsvr32.exe	69
PID 2764 wrote to memory of 4716	2764	EXCEL.EXE	71
PID 2764 wrote to memory of 4716	2764	EXCEL.EXE	71
PID 4716 wrote to memory of 4772	4716	regsvr32.exe	72
PID 4716 wrote to memory of 4772	4716	regsvr32.exe	72
PID 2764 wrote to memory of 1100	2764	EXCEL.EXE	73
PID 2764 wrote to memory of 1100	2764	EXCEL.EXE	73
PID 1100 wrote to memory of 892	1100	regsvr32.exe	74
PID 1100 wrote to memory of 892	1100	regsvr32.exe	74
PID 2764 wrote to memory of 4780	2764	EXCEL.EXE	75
PID 2764 wrote to memory of 4780	2764	EXCEL.EXE	75
PID 4780 wrote to memory of 3276	4780	regsvr32.exe	76
PID 4780 wrote to memory of 3276	4780	regsvr32.exe	76

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\dfb3f80bfb984d61bb524dd5f4b271d8fbe2df1c2edccc7737a330c3876433a9.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DSAShlsJyEvDmOyLJ\pkQEDzgMwNE.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4616
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NaYXzr\YECfD.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4772
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QlTQXKhW\TLsBCEHENHbR.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:892
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MUGrtHVL\YOzAIwZYTLO.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:3276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
712KB

MD5
458cadcc1a286e1220e1732cd56c953b

SHA1
7fb83d6c1dc919fa33e8688cc36b729a25d8ce02

SHA256
d22de1b6d8568328a4fefe706d13c998bbbea7c5ed57ac90a9df61283cad012f

SHA512
0cf2fdbac00f7ef49922cb859ff35c986b1a4f21e72ed229e182cd76cf94627a63189182270135678bbb28686749ad0c013210c6de4e8aa7fc6d77f9cb7aa687

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
712KB

MD5
394586e00f9d1d77ff6df5c9b84c6eb7

SHA1
2d3ceabb4d78da687ae9c17e41425f62101be9b0

SHA256
e8fe925e6bfc81c3782178cbfa66d549056107a99726cadcf35531c5e1808ee5

SHA512
58683e0e42a9db25b750ce927d924cb33ea6287df75da40876ac97646605b4b90b9e21e480b92a386dd1a67f2b20d0b1a3d29c2b14a4453bfb8cac1388308d8b

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
712KB

MD5
050cd7c1e9ef09093c7c58bf403dc77b

SHA1
27486d06bd819004f287c48849c0c21a1bfbfc80

SHA256
d2c174df4dbf6df6fc7153fe9d755d94351a25bfcf624666f191f578b4cbe78e

SHA512
e4a9cdfecbdfe133591b144772a07a8ab69bfb3ef0f76929bcf0ace9bfe7f42235adadde269a2d2a9794e3a606650e4012407a916798473161d8aa5b37824279

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
712KB

MD5
935415dbec010f8a11091316206f0f18

SHA1
183ba725a567c9f756bac9992617d14581f8c435

SHA256
6114aad0b0650bc7817daf2113176df4cc98acf6747bb16f870fce9489279ded

SHA512
910064e4749c562f0ce05278f08d187affe90cf6474babc1f8abe85723c8b879cdbbfb99da1d106603a694f8e57e1a49ae11204902ec52aa80cbfdcad95e9847

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
712KB

MD5
458cadcc1a286e1220e1732cd56c953b

SHA1
7fb83d6c1dc919fa33e8688cc36b729a25d8ce02

SHA256
d22de1b6d8568328a4fefe706d13c998bbbea7c5ed57ac90a9df61283cad012f

SHA512
0cf2fdbac00f7ef49922cb859ff35c986b1a4f21e72ed229e182cd76cf94627a63189182270135678bbb28686749ad0c013210c6de4e8aa7fc6d77f9cb7aa687

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
712KB

MD5
394586e00f9d1d77ff6df5c9b84c6eb7

SHA1
2d3ceabb4d78da687ae9c17e41425f62101be9b0

SHA256
e8fe925e6bfc81c3782178cbfa66d549056107a99726cadcf35531c5e1808ee5

SHA512
58683e0e42a9db25b750ce927d924cb33ea6287df75da40876ac97646605b4b90b9e21e480b92a386dd1a67f2b20d0b1a3d29c2b14a4453bfb8cac1388308d8b

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
712KB

MD5
050cd7c1e9ef09093c7c58bf403dc77b

SHA1
27486d06bd819004f287c48849c0c21a1bfbfc80

SHA256
d2c174df4dbf6df6fc7153fe9d755d94351a25bfcf624666f191f578b4cbe78e

SHA512
e4a9cdfecbdfe133591b144772a07a8ab69bfb3ef0f76929bcf0ace9bfe7f42235adadde269a2d2a9794e3a606650e4012407a916798473161d8aa5b37824279

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
712KB

MD5
935415dbec010f8a11091316206f0f18

SHA1
183ba725a567c9f756bac9992617d14581f8c435

SHA256
6114aad0b0650bc7817daf2113176df4cc98acf6747bb16f870fce9489279ded

SHA512
910064e4749c562f0ce05278f08d187affe90cf6474babc1f8abe85723c8b879cdbbfb99da1d106603a694f8e57e1a49ae11204902ec52aa80cbfdcad95e9847

Download Submit
memory/2764-133-0x00007FFC8E0F0000-0x00007FFC8E100000-memory.dmp

Filesize
64KB

Download
memory/2764-120-0x00007FFC91840000-0x00007FFC91850000-memory.dmp

Filesize
64KB

Download
memory/2764-132-0x00007FFC8E0F0000-0x00007FFC8E100000-memory.dmp

Filesize
64KB

Download
memory/2764-123-0x00007FFC91840000-0x00007FFC91850000-memory.dmp

Filesize
64KB

Download
memory/2764-122-0x00007FFC91840000-0x00007FFC91850000-memory.dmp

Filesize
64KB

Download
memory/2764-121-0x00007FFC91840000-0x00007FFC91850000-memory.dmp

Filesize
64KB

Download
memory/4676-283-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads