emotet | 062962eeeac6ed19568bf2e87cbe5b0fabbed58693abcd960a8318d555b7b02e

General

Target

062962eeeac6ed19568bf2e87cbe5b0fabbed58693abcd960a8318d555b7b02e.xls
Size

217KB
MD5

38974743e58570162942f86ca199b6ca
SHA1

f6dd023d595b389a3f1689500449fec36d1fcdd7
SHA256

062962eeeac6ed19568bf2e87cbe5b0fabbed58693abcd960a8318d555b7b02e
SHA512

51f14f53c8f15eed3c3e5cda3020d477c9094f4b018a2217487b42e6fcdb045305f9d0ad4c41f9722bdf8266197028deeac3fbf6ffa5d0b364a51042861bed00
SSDEEP

6144:zKpb8rGYrMPe3q7Q0XV5xtuEsi8/dglyY+TAQXTHGUMEyP5p6f5jQmI:JbGUMVWlbI

Score

10^/10

emotet epoch5 banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://aquariorecords.com.br/wp-content/A8G3ownNApEj1L4hF/

xlm40.dropper

http://ftp.pricoat.com.mx/Fichas/3ybJLLXu5zqqn8Sx/

xlm40.dropper

http://armannahalpersian.ir/3H5qqUOB/

xlm40.dropper

http://alagi.ge/application/irnz5Rs8qWvQrf/

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4728	4940	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4296	4940	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3920	4940	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2348	4940	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 3 IoCs

pid	Process
4296	regsvr32.exe
3920	regsvr32.exe
2348	regsvr32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MPNyEjNHhjfdRzzR.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\KHazC\\MPNyEjNHhjfdRzzR.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gswsMJ.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\EaBVQhKTsKazgh\\gswsMJ.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UTtSUMJgyjrF.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\MmKuFqMqWgV\\UTtSUMJgyjrF.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4940	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4296	regsvr32.exe
4296	regsvr32.exe
4668	regsvr32.exe
4668	regsvr32.exe
3920	regsvr32.exe
3920	regsvr32.exe
4668	regsvr32.exe
4668	regsvr32.exe
2656	regsvr32.exe
2656	regsvr32.exe
2348	regsvr32.exe
2348	regsvr32.exe
2656	regsvr32.exe
2656	regsvr32.exe
2308	regsvr32.exe
2308	regsvr32.exe
2308	regsvr32.exe
2308	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4940	EXCEL.EXE
4940	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE
4940	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4728	4940	EXCEL.EXE	68
PID 4940 wrote to memory of 4728	4940	EXCEL.EXE	68
PID 4940 wrote to memory of 4296	4940	EXCEL.EXE	69
PID 4940 wrote to memory of 4296	4940	EXCEL.EXE	69
PID 4296 wrote to memory of 4668	4296	regsvr32.exe	70
PID 4296 wrote to memory of 4668	4296	regsvr32.exe	70
PID 4940 wrote to memory of 3920	4940	EXCEL.EXE	71
PID 4940 wrote to memory of 3920	4940	EXCEL.EXE	71
PID 3920 wrote to memory of 2656	3920	regsvr32.exe	73
PID 3920 wrote to memory of 2656	3920	regsvr32.exe	73
PID 4940 wrote to memory of 2348	4940	EXCEL.EXE	74
PID 4940 wrote to memory of 2348	4940	EXCEL.EXE	74
PID 2348 wrote to memory of 2308	2348	regsvr32.exe	75
PID 2348 wrote to memory of 2308	2348	regsvr32.exe	75

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\062962eeeac6ed19568bf2e87cbe5b0fabbed58693abcd960a8318d555b7b02e.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:4728
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MmKuFqMqWgV\UTtSUMJgyjrF.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4668
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EaBVQhKTsKazgh\gswsMJ.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2656
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KHazC\MPNyEjNHhjfdRzzR.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv2.ooccxx

Filesize
751KB

MD5
21f24ab6c1b5f4ebb823aa74ec6a25ce

SHA1
0bcf469065bc71f7e9a479ecbc37cef2985c6b2b

SHA256
8cf9e7890e439e850729d0b5ee2a997266a828b63512206e83e5ef87606e839b

SHA512
02733598142476451f28018f0e7ee0499db506dd4204c8ba6c22d71a7047301143213f042cb39c14a21483249e5c4bd74292f6c70e6801eb7502f2db05be3445

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
751KB

MD5
0f0c404da171eeccfc412fc9dec627cb

SHA1
cb6d473a0eee1099491aac4f9aac1ae87ddefc81

SHA256
f07b35a5d8bdb491c901aae56b5385a0b8231419d5e6f4fde1b76865bd217b69

SHA512
1a4f44b0044108b5705a6f0651d6981a0567c6ff798f3693e8025238c4224104516f917621f8b642dc969e882827f29f6b33e9e2083c346d36b96708c3fc7ddc

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
751KB

MD5
e7a6aa92cea08cc0a8f008b2cdd4af34

SHA1
fef494c5a4c2dc0e11bda0f6d0cef47796f2ceb6

SHA256
ecffea0a39ad06dc6c5e2ea33ec0df1f543b590215640376070d2fc9b33be181

SHA512
72886c18b0824c1a96fb0b094a8311edc025738f14f3bd82ae9753a8f4748b7c83d880035e72e2f0c2bf08a186ba0d5698ae4a25ba14aaaf8a132aeb53a1ff76

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
751KB

MD5
21f24ab6c1b5f4ebb823aa74ec6a25ce

SHA1
0bcf469065bc71f7e9a479ecbc37cef2985c6b2b

SHA256
8cf9e7890e439e850729d0b5ee2a997266a828b63512206e83e5ef87606e839b

SHA512
02733598142476451f28018f0e7ee0499db506dd4204c8ba6c22d71a7047301143213f042cb39c14a21483249e5c4bd74292f6c70e6801eb7502f2db05be3445

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
751KB

MD5
0f0c404da171eeccfc412fc9dec627cb

SHA1
cb6d473a0eee1099491aac4f9aac1ae87ddefc81

SHA256
f07b35a5d8bdb491c901aae56b5385a0b8231419d5e6f4fde1b76865bd217b69

SHA512
1a4f44b0044108b5705a6f0651d6981a0567c6ff798f3693e8025238c4224104516f917621f8b642dc969e882827f29f6b33e9e2083c346d36b96708c3fc7ddc

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
751KB

MD5
e7a6aa92cea08cc0a8f008b2cdd4af34

SHA1
fef494c5a4c2dc0e11bda0f6d0cef47796f2ceb6

SHA256
ecffea0a39ad06dc6c5e2ea33ec0df1f543b590215640376070d2fc9b33be181

SHA512
72886c18b0824c1a96fb0b094a8311edc025738f14f3bd82ae9753a8f4748b7c83d880035e72e2f0c2bf08a186ba0d5698ae4a25ba14aaaf8a132aeb53a1ff76

Download Submit
memory/4296-258-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/4940-120-0x00007FF9D0A10000-0x00007FF9D0A20000-memory.dmp

Filesize
64KB

Download
memory/4940-133-0x00007FF9CDEC0000-0x00007FF9CDED0000-memory.dmp

Filesize
64KB

Download
memory/4940-132-0x00007FF9CDEC0000-0x00007FF9CDED0000-memory.dmp

Filesize
64KB

Download
memory/4940-123-0x00007FF9D0A10000-0x00007FF9D0A20000-memory.dmp

Filesize
64KB

Download
memory/4940-122-0x00007FF9D0A10000-0x00007FF9D0A20000-memory.dmp

Filesize
64KB

Download
memory/4940-121-0x00007FF9D0A10000-0x00007FF9D0A20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads