emotet | dc664ca4ea13b3d8dd1bd6aae5ed913b908bad26e1461182496f53cf82df1b70

General

Target

dc664ca4ea13b3d8dd1bd6aae5ed913b908bad26e1461182496f53cf82df1b70.xls
Size

217KB
MD5

5f19d68ca7f85fc05af539464f77d18d
SHA1

1eafce6b42c6f4b1153055e9c49bfbf4a224956d
SHA256

dc664ca4ea13b3d8dd1bd6aae5ed913b908bad26e1461182496f53cf82df1b70
SHA512

8bf4b37ba08f31329c73dd6a669eabb793e389661185752c6a68ccea4f08265721ed6507a01b2954c9afa47e9de01fe18d1fb1e46ca1ed8be3e194f848261f71
SSDEEP

6144:zKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgXyY+TAQXTHGUMEyP5p6f5jQmq:DbGUMVWlbq

Score

10^/10

emotet epoch5 banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://barkstage.es/wp-content/0E7NdYl7TZuHMJq7/

xlm40.dropper

http://contactworks.nl/images_old/NuEAhfF0PCFhvv/

xlm40.dropper

http://www.iam.ch/wp-content/cache/minify/O1OAjWnfen/

xlm40.dropper

https://www.elaboro.pl/wp-admin/J0hwyIMsk9YFIi/

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain

eck1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1220	1524	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1092	1524	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2404	1524	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3360	1524	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 3 IoCs

pid	Process
1092	regsvr32.exe
2404	regsvr32.exe
3360	regsvr32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vKkMMBCNDoLnN.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\GdbdcafLqI\\vKkMMBCNDoLnN.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KLks.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\VoIcIPZRPAOAA\\KLks.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MMdTMPsGyaPgU.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\GEPIwS\\MMdTMPsGyaPgU.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1524	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1092	regsvr32.exe
1092	regsvr32.exe
1600	regsvr32.exe
1600	regsvr32.exe
2404	regsvr32.exe
2404	regsvr32.exe
1600	regsvr32.exe
1600	regsvr32.exe
1400	regsvr32.exe
1400	regsvr32.exe
1400	regsvr32.exe
1400	regsvr32.exe
3360	regsvr32.exe
3360	regsvr32.exe
2576	regsvr32.exe
2576	regsvr32.exe
2576	regsvr32.exe
2576	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1524	EXCEL.EXE
1524	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1524	EXCEL.EXE
1524	EXCEL.EXE
1524	EXCEL.EXE
1524	EXCEL.EXE
1524	EXCEL.EXE
1524	EXCEL.EXE
1524	EXCEL.EXE
1524	EXCEL.EXE
1524	EXCEL.EXE
1524	EXCEL.EXE
1524	EXCEL.EXE
1524	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1220	1524	EXCEL.EXE	74
PID 1524 wrote to memory of 1220	1524	EXCEL.EXE	74
PID 1524 wrote to memory of 1092	1524	EXCEL.EXE	75
PID 1524 wrote to memory of 1092	1524	EXCEL.EXE	75
PID 1092 wrote to memory of 1600	1092	regsvr32.exe	76
PID 1092 wrote to memory of 1600	1092	regsvr32.exe	76
PID 1524 wrote to memory of 2404	1524	EXCEL.EXE	77
PID 1524 wrote to memory of 2404	1524	EXCEL.EXE	77
PID 2404 wrote to memory of 1400	2404	regsvr32.exe	78
PID 2404 wrote to memory of 1400	2404	regsvr32.exe	78
PID 1524 wrote to memory of 3360	1524	EXCEL.EXE	79
PID 1524 wrote to memory of 3360	1524	EXCEL.EXE	79
PID 3360 wrote to memory of 2576	3360	regsvr32.exe	80
PID 3360 wrote to memory of 2576	3360	regsvr32.exe	80

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\dc664ca4ea13b3d8dd1bd6aae5ed913b908bad26e1461182496f53cf82df1b70.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:1220
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GdbdcafLqI\vKkMMBCNDoLnN.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1600
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VoIcIPZRPAOAA\KLks.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1400
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GEPIwS\MMdTMPsGyaPgU.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv2.ooccxx

Filesize
751KB

MD5
9ab34d3de7c813d5d1185224a1ca623a

SHA1
5787b9085e9d908b8aaa0b3a8b788e1599728b90

SHA256
2102a1499757826c38d4b4108d128a33d151a37bfc027936b2f6966dea3be061

SHA512
cd0069bd1eefc25ec2a3472fcd967900248490adde41c5c74f87b430f601fddc094b066120b44d501770f251972a90495113c2e3b71d8fa8ffe835f653b1ecfc

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
751KB

MD5
d5c2bef19e9c844f3f2b9daf53aafb1d

SHA1
4e4f4759a86a3661c844150b1e09f58d294700be

SHA256
3b6be6397366f82af040c0e19d42e022aff0a0fa28c8f5d743377661aa9d282a

SHA512
daebc123e55ed520cc8fb9619c10b398f6192cccae84a949819bc1c01d40a1967357edc15fa2fe6a3de6917e7f7029efe4b86e8d26c2ea52f502f9f809bc0ebc

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
751KB

MD5
0137d529b5713fcb4cee7705167c761b

SHA1
37138a21ce7a8123d4e5d1c33e59c8104e20735f

SHA256
26b0a767e6d46bc9bdee1145059f2d440be78e32a58167545b73d9e01249d9d7

SHA512
485e87aab7eec3bdb39ca0a416d3d66968289893db97defb19517ded9fd77e6f11fa40cb26786da977f7e032a10841c767a486d2e69cb25642e223b2e9868945

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
751KB

MD5
9ab34d3de7c813d5d1185224a1ca623a

SHA1
5787b9085e9d908b8aaa0b3a8b788e1599728b90

SHA256
2102a1499757826c38d4b4108d128a33d151a37bfc027936b2f6966dea3be061

SHA512
cd0069bd1eefc25ec2a3472fcd967900248490adde41c5c74f87b430f601fddc094b066120b44d501770f251972a90495113c2e3b71d8fa8ffe835f653b1ecfc

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
751KB

MD5
d5c2bef19e9c844f3f2b9daf53aafb1d

SHA1
4e4f4759a86a3661c844150b1e09f58d294700be

SHA256
3b6be6397366f82af040c0e19d42e022aff0a0fa28c8f5d743377661aa9d282a

SHA512
daebc123e55ed520cc8fb9619c10b398f6192cccae84a949819bc1c01d40a1967357edc15fa2fe6a3de6917e7f7029efe4b86e8d26c2ea52f502f9f809bc0ebc

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
751KB

MD5
0137d529b5713fcb4cee7705167c761b

SHA1
37138a21ce7a8123d4e5d1c33e59c8104e20735f

SHA256
26b0a767e6d46bc9bdee1145059f2d440be78e32a58167545b73d9e01249d9d7

SHA512
485e87aab7eec3bdb39ca0a416d3d66968289893db97defb19517ded9fd77e6f11fa40cb26786da977f7e032a10841c767a486d2e69cb25642e223b2e9868945

Download Submit
memory/1092-263-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/1524-117-0x00007FFDBC450000-0x00007FFDBC460000-memory.dmp

Filesize
64KB

Download
memory/1524-118-0x00007FFDBC450000-0x00007FFDBC460000-memory.dmp

Filesize
64KB

Download
memory/1524-336-0x00007FFDBC450000-0x00007FFDBC460000-memory.dmp

Filesize
64KB

Download
memory/1524-128-0x00007FFDB8D00000-0x00007FFDB8D10000-memory.dmp

Filesize
64KB

Download
memory/1524-119-0x00007FFDBC450000-0x00007FFDBC460000-memory.dmp

Filesize
64KB

Download
memory/1524-129-0x00007FFDB8D00000-0x00007FFDB8D10000-memory.dmp

Filesize
64KB

Download
memory/1524-335-0x00007FFDBC450000-0x00007FFDBC460000-memory.dmp

Filesize
64KB

Download
memory/1524-334-0x00007FFDBC450000-0x00007FFDBC460000-memory.dmp

Filesize
64KB

Download
memory/1524-116-0x00007FFDBC450000-0x00007FFDBC460000-memory.dmp

Filesize
64KB

Download
memory/1524-333-0x00007FFDBC450000-0x00007FFDBC460000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads