emotet | b2bf30b087250863e894893f77158eb6c2290fa7d58a28e57159d52b2c5c0175

General

Target

b2bf30b087250863e894893f77158eb6c2290fa7d58a28e57159d52b2c5c0175.xls
Size

217KB
MD5

e0fc028f8b26c9f9a2acf3d9041b32cf
SHA1

5e2d7dd7389206f0acfcd9595cb271abc9a35542
SHA256

b2bf30b087250863e894893f77158eb6c2290fa7d58a28e57159d52b2c5c0175
SHA512

b9aab7dcc1e16d986d1c3795e3c7ac67285b8f31bf4c580f8baa55174bf54c6400737386cf74d90f9588ab03fbc0de56e79357dd20beaeb7f4b9c3dba5790494
SSDEEP

6144:zKpb8rGYrMPe3q7Q0XV5xtuEsi8/dglyY+TAQXTHGUMEyP5p6f5jQmI:JbGUMVWlbI

Score

10^/10

emotet epoch5 banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://aquariorecords.com.br/wp-content/A8G3ownNApEj1L4hF/

xlm40.dropper

http://ftp.pricoat.com.mx/Fichas/3ybJLLXu5zqqn8Sx/

xlm40.dropper

http://armannahalpersian.ir/3H5qqUOB/

xlm40.dropper

http://alagi.ge/application/irnz5Rs8qWvQrf/

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4900	2344	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4492	2344	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4472	2344	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1880	2344	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 3 IoCs

pid	Process
4492	regsvr32.exe
4472	regsvr32.exe
1880	regsvr32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kfUFyDZkiScl.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\EHxMurFEWZfkifUy\\kfUFyDZkiScl.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jKOQmP.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\ZbEaScfosC\\jKOQmP.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qQLW.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\ELmkMhLGvts\\qQLW.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2344	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4492	regsvr32.exe
4492	regsvr32.exe
4512	regsvr32.exe
4512	regsvr32.exe
4512	regsvr32.exe
4512	regsvr32.exe
4472	regsvr32.exe
4472	regsvr32.exe
4364	regsvr32.exe
4364	regsvr32.exe
4364	regsvr32.exe
4364	regsvr32.exe
1880	regsvr32.exe
1880	regsvr32.exe
1224	regsvr32.exe
1224	regsvr32.exe
1224	regsvr32.exe
1224	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2344	EXCEL.EXE
2344	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 4900	2344	EXCEL.EXE	68
PID 2344 wrote to memory of 4900	2344	EXCEL.EXE	68
PID 2344 wrote to memory of 4492	2344	EXCEL.EXE	72
PID 2344 wrote to memory of 4492	2344	EXCEL.EXE	72
PID 4492 wrote to memory of 4512	4492	regsvr32.exe	74
PID 4492 wrote to memory of 4512	4492	regsvr32.exe	74
PID 2344 wrote to memory of 4472	2344	EXCEL.EXE	75
PID 2344 wrote to memory of 4472	2344	EXCEL.EXE	75
PID 4472 wrote to memory of 4364	4472	regsvr32.exe	77
PID 4472 wrote to memory of 4364	4472	regsvr32.exe	77
PID 2344 wrote to memory of 1880	2344	EXCEL.EXE	78
PID 2344 wrote to memory of 1880	2344	EXCEL.EXE	78
PID 1880 wrote to memory of 1224	1880	regsvr32.exe	80
PID 1880 wrote to memory of 1224	1880	regsvr32.exe	80

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b2bf30b087250863e894893f77158eb6c2290fa7d58a28e57159d52b2c5c0175.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:4900
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EHxMurFEWZfkifUy\kfUFyDZkiScl.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4512
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZbEaScfosC\jKOQmP.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4364
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ELmkMhLGvts\qQLW.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv2.ooccxx

Filesize
751KB

MD5
3c809bce2c5bae8822a0262290f7bc3d

SHA1
789de8c798ed92745948e70e4a1b5a3c902751ba

SHA256
159c107eb00bf488e1011c78f37acd05cea796a61b9b325401d2ddc0a3ae2d7e

SHA512
5a3fdc94743ad86bbfbc502c36538dd8a47e02999d741124088732cc9b6690623e2918b221ef7ec5ce2bd7a92631615cb62ec3c3e47574eedde80d6a40bb531f

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
751KB

MD5
a2d031cf0f8eb50b6d89ada2db501b0b

SHA1
9e1fb3523535e7434c6b19650eceec1cdcf2ef57

SHA256
4478dc3cf8b152ae41f4beda3516b586e7312f7c9d6d6692049b9f58ba9314fa

SHA512
b61a380f5a47fc8cc583e76ccaae7149bdb68c93b104a83468743a6bbcc229a4e4e7cfb4855d84a9d58d38a98b84479a455310537055eb54246a9458794de1dd

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
751KB

MD5
b2fd6a483da316db307fbfe40af348b3

SHA1
0f1cf6641eda06fbead950205df031341a01e72d

SHA256
73a06b1602799ce82db078a8fb7399b076309d8e9eada9b7840917f033c19229

SHA512
6a98a118a8c404da1c4245e88f125b790ab03ef25b899d49a415770e487b0883761ac918a37ef0661026b9bca5f9f5fa294564748628f56e52a97d3bad722c0b

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
751KB

MD5
3c809bce2c5bae8822a0262290f7bc3d

SHA1
789de8c798ed92745948e70e4a1b5a3c902751ba

SHA256
159c107eb00bf488e1011c78f37acd05cea796a61b9b325401d2ddc0a3ae2d7e

SHA512
5a3fdc94743ad86bbfbc502c36538dd8a47e02999d741124088732cc9b6690623e2918b221ef7ec5ce2bd7a92631615cb62ec3c3e47574eedde80d6a40bb531f

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
751KB

MD5
a2d031cf0f8eb50b6d89ada2db501b0b

SHA1
9e1fb3523535e7434c6b19650eceec1cdcf2ef57

SHA256
4478dc3cf8b152ae41f4beda3516b586e7312f7c9d6d6692049b9f58ba9314fa

SHA512
b61a380f5a47fc8cc583e76ccaae7149bdb68c93b104a83468743a6bbcc229a4e4e7cfb4855d84a9d58d38a98b84479a455310537055eb54246a9458794de1dd

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
751KB

MD5
b2fd6a483da316db307fbfe40af348b3

SHA1
0f1cf6641eda06fbead950205df031341a01e72d

SHA256
73a06b1602799ce82db078a8fb7399b076309d8e9eada9b7840917f033c19229

SHA512
6a98a118a8c404da1c4245e88f125b790ab03ef25b899d49a415770e487b0883761ac918a37ef0661026b9bca5f9f5fa294564748628f56e52a97d3bad722c0b

Download Submit
memory/2344-130-0x00007FFEF20A0000-0x00007FFEF20B0000-memory.dmp

Filesize
64KB

Download
memory/2344-333-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2344-332-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2344-331-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2344-118-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2344-334-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2344-131-0x00007FFEF20A0000-0x00007FFEF20B0000-memory.dmp

Filesize
64KB

Download
memory/2344-121-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2344-120-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2344-119-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/4492-261-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads