emotet | 568f5736e8fd914744ac7bdee235405bdab7510696ed814e38012909a3f7758f

General

Target

568f5736e8fd914744ac7bdee235405bdab7510696ed814e38012909a3f7758f.xls
Size

217KB
MD5

b83e18e69a44493b6f9db4340db0c97d
SHA1

25c5a79691ab3035e538fbbb212d4c344dc3d612
SHA256

568f5736e8fd914744ac7bdee235405bdab7510696ed814e38012909a3f7758f
SHA512

1176d5270ec7897e2c1c60f95913f77132675e17920cca975ba36e4f3bb63f88c22133533642bb1c69e03057a604ada213dd397ef0fcc3f918c6926852d6e643
SSDEEP

6144:zKpb8rGYrMPe3q7Q0XV5xtuEsi8/dglyY+TAQXTHGUMEyP5p6f5jQm7pnT:1bGUMVWlbZ

Score

10^/10

emotet epoch4 banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://app.clubdedocentes.com/storage/DCcq9ekgH99sI/

xlm40.dropper

http://linhkiendoc.com/app/payments/qoy5JqpLqrbsKl/

xlm40.dropper

http://sourcecool.com/throng/iOD/

xlm40.dropper

http://www.stickers-et-deco.com/Adapter/lYw/

Extracted

Family

emotet

Botnet

Epoch4

C2

45.235.8.30:8080

94.23.45.86:4143

119.59.103.152:8080

169.60.181.70:8080

164.68.99.3:8080

172.105.226.75:8080

107.170.39.149:8080

206.189.28.199:8080

1.234.2.232:8080

188.44.20.25:443

186.194.240.217:443

103.43.75.120:443

149.28.143.92:443

159.89.202.34:443

209.97.163.214:443

183.111.227.137:8080

129.232.188.93:443

139.59.126.41:443

110.232.117.186:8080

139.59.56.73:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4728	5104	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1628	5104	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1824	5104	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1400	5104	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 2 IoCs

pid	Process
4728	regsvr32.exe
1400	regsvr32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PNAYkVsiMN.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\RLAVZHSxixKUooK\\PNAYkVsiMN.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gHwVCSvoHYhbw.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\VLhWsOwozxyDaErf\\gHwVCSvoHYhbw.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5104	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4728	regsvr32.exe
4728	regsvr32.exe
4920	regsvr32.exe
4920	regsvr32.exe
4920	regsvr32.exe
4920	regsvr32.exe
1400	regsvr32.exe
1400	regsvr32.exe
1624	regsvr32.exe
1624	regsvr32.exe
1624	regsvr32.exe
1624	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE
5104	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 4728	5104	EXCEL.EXE	70
PID 5104 wrote to memory of 4728	5104	EXCEL.EXE	70
PID 4728 wrote to memory of 4920	4728	regsvr32.exe	73
PID 4728 wrote to memory of 4920	4728	regsvr32.exe	73
PID 5104 wrote to memory of 1628	5104	EXCEL.EXE	76
PID 5104 wrote to memory of 1628	5104	EXCEL.EXE	76
PID 5104 wrote to memory of 1824	5104	EXCEL.EXE	77
PID 5104 wrote to memory of 1824	5104	EXCEL.EXE	77
PID 5104 wrote to memory of 1400	5104	EXCEL.EXE	78
PID 5104 wrote to memory of 1400	5104	EXCEL.EXE	78
PID 1400 wrote to memory of 1624	1400	regsvr32.exe	79
PID 1400 wrote to memory of 1624	1400	regsvr32.exe	79

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\568f5736e8fd914744ac7bdee235405bdab7510696ed814e38012909a3f7758f.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RLAVZHSxixKUooK\PNAYkVsiMN.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4920
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:1628
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:1824
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VLhWsOwozxyDaErf\gHwVCSvoHYhbw.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
745KB

MD5
cbb4d045b5975525356b7d0da3db4796

SHA1
22f36c3148918eca776997f27e81d8c1e9ab145d

SHA256
3e131fb692a29149b7eeb65912e4dcb0079d1b5063e5e863f3ef9e64e4816b7d

SHA512
8eda2bfba567017e2c9dd941cb8dd1b9316cf097ed5d67e89c04846c345c8048d66c339267c3c6ee78b5d1fc42eb1bcc8a168105eb465d5088c5a286fcbde13a

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
745KB

MD5
1c98508b72ba2fb0d55b0a6bd7721fb7

SHA1
bb92f92e3232c1e0604bf8dd8fae05a94e4335d0

SHA256
446e2b5a95236e1d5f463621621a7cdb03f6c3f1823145da747fdc1138c0c28c

SHA512
6e56d08bdf78e7499aa14fbcf3edd6b27c7aa2e76c3da20ad942055ddbf3f0de5f8ded697ed5004b68d7f03a642f96eb966a47810c273a63577c77472c18d54d

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
745KB

MD5
cbb4d045b5975525356b7d0da3db4796

SHA1
22f36c3148918eca776997f27e81d8c1e9ab145d

SHA256
3e131fb692a29149b7eeb65912e4dcb0079d1b5063e5e863f3ef9e64e4816b7d

SHA512
8eda2bfba567017e2c9dd941cb8dd1b9316cf097ed5d67e89c04846c345c8048d66c339267c3c6ee78b5d1fc42eb1bcc8a168105eb465d5088c5a286fcbde13a

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
745KB

MD5
1c98508b72ba2fb0d55b0a6bd7721fb7

SHA1
bb92f92e3232c1e0604bf8dd8fae05a94e4335d0

SHA256
446e2b5a95236e1d5f463621621a7cdb03f6c3f1823145da747fdc1138c0c28c

SHA512
6e56d08bdf78e7499aa14fbcf3edd6b27c7aa2e76c3da20ad942055ddbf3f0de5f8ded697ed5004b68d7f03a642f96eb966a47810c273a63577c77472c18d54d

Download Submit
memory/4728-274-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download
memory/5104-115-0x00007FFC75C00000-0x00007FFC75C10000-memory.dmp

Filesize
64KB

Download
memory/5104-128-0x00007FFC722E0000-0x00007FFC722F0000-memory.dmp

Filesize
64KB

Download
memory/5104-127-0x00007FFC722E0000-0x00007FFC722F0000-memory.dmp

Filesize
64KB

Download
memory/5104-118-0x00007FFC75C00000-0x00007FFC75C10000-memory.dmp

Filesize
64KB

Download
memory/5104-117-0x00007FFC75C00000-0x00007FFC75C10000-memory.dmp

Filesize
64KB

Download
memory/5104-116-0x00007FFC75C00000-0x00007FFC75C10000-memory.dmp

Filesize
64KB

Download
memory/5104-331-0x00007FFC75C00000-0x00007FFC75C10000-memory.dmp

Filesize
64KB

Download
memory/5104-332-0x00007FFC75C00000-0x00007FFC75C10000-memory.dmp

Filesize
64KB

Download
memory/5104-333-0x00007FFC75C00000-0x00007FFC75C10000-memory.dmp

Filesize
64KB

Download
memory/5104-334-0x00007FFC75C00000-0x00007FFC75C10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads