emotet | 809ba1c715b22d611ee90fabbdb4819437cbdae58224f5ef7daff7023d17158f

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2022, 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

100332231936368353296.xls
Size

217KB
MD5

ecb89787e578cde32cf11bb1031d3d00
SHA1

fbdb93e0053d680b7eec0f8d72b535f97a28fdfe
SHA256

809ba1c715b22d611ee90fabbdb4819437cbdae58224f5ef7daff7023d17158f
SHA512

7edcef81d03895cc9eada9758bce5989dc11a46347d00a79f012bc7991e64004de1242ef0ae16a52d97a794b7e5a6d7b2dbda73d8c2c24994761d5c6d18dd2c3
SSDEEP

6144:zKpb8rGYrMPe3q7Q0XV5xtuEsi8/dg3yY+TAQXTHGUMEyP5p6f5jQmQ:TbGUMVWlbQ

Score

10^/10

emotet epoch4 banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://wijsneusmedia.nl/cgi-bin/DvxmZndf0/

xlm40.dropper

http://brittknight.com/PHP/Aqxf09OugZ/

xlm40.dropper

http://nlasandbox.com/facebookpage/JFqg2Aqkl3UPZi6xGz/

xlm40.dropper

http://www.campusconindigital.org/moodle/LumMe/

Extracted

Family

emotet

Botnet

Epoch4

45.235.8.30:8080

94.23.45.86:4143

119.59.103.152:8080

169.60.181.70:8080

164.68.99.3:8080

172.105.226.75:8080

107.170.39.149:8080

206.189.28.199:8080

1.234.2.232:8080

188.44.20.25:443

186.194.240.217:443

103.43.75.120:443

149.28.143.92:443

159.89.202.34:443

209.97.163.214:443

183.111.227.137:8080

129.232.188.93:443

139.59.126.41:443

110.232.117.186:8080

139.59.56.73:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4888	4616	regsvr32.exe	80
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2068	4616	regsvr32.exe	80
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4700	4616	regsvr32.exe	80
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2728	4616	regsvr32.exe	80

Downloads MZ/PE file

Loads dropped DLL 6 IoCs

pid	Process
4888	regsvr32.exe
1168	regsvr32.exe
4700	regsvr32.exe
1444	regsvr32.exe
2728	regsvr32.exe
1548	regsvr32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ijSMBnMG.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\TnYmKhddkiZfC\\ijSMBnMG.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cXzeORIENarS.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\LfsaTWsJgVQM\\cXzeORIENarS.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LcNBcURbHJSHVt.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\VnRnxMiftBM\\LcNBcURbHJSHVt.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4616	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4888	regsvr32.exe
4888	regsvr32.exe
1168	regsvr32.exe
1168	regsvr32.exe
1168	regsvr32.exe
1168	regsvr32.exe
4700	regsvr32.exe
4700	regsvr32.exe
1444	regsvr32.exe
1444	regsvr32.exe
1444	regsvr32.exe
1444	regsvr32.exe
2728	regsvr32.exe
2728	regsvr32.exe
1548	regsvr32.exe
1548	regsvr32.exe
1548	regsvr32.exe
1548	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4616	EXCEL.EXE
4616	EXCEL.EXE
4616	EXCEL.EXE
4616	EXCEL.EXE
4616	EXCEL.EXE
4616	EXCEL.EXE
4616	EXCEL.EXE
4616	EXCEL.EXE
4616	EXCEL.EXE
4616	EXCEL.EXE
4616	EXCEL.EXE
4616	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4888	4616	EXCEL.EXE	86
PID 4616 wrote to memory of 4888	4616	EXCEL.EXE	86
PID 4888 wrote to memory of 1168	4888	regsvr32.exe	88
PID 4888 wrote to memory of 1168	4888	regsvr32.exe	88
PID 4616 wrote to memory of 2068	4616	EXCEL.EXE	89
PID 4616 wrote to memory of 2068	4616	EXCEL.EXE	89
PID 4616 wrote to memory of 4700	4616	EXCEL.EXE	90
PID 4616 wrote to memory of 4700	4616	EXCEL.EXE	90
PID 4700 wrote to memory of 1444	4700	regsvr32.exe	93
PID 4700 wrote to memory of 1444	4700	regsvr32.exe	93
PID 4616 wrote to memory of 2728	4616	EXCEL.EXE	95
PID 4616 wrote to memory of 2728	4616	EXCEL.EXE	95
PID 2728 wrote to memory of 1548	2728	regsvr32.exe	96
PID 2728 wrote to memory of 1548	2728	regsvr32.exe	96

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\100332231936368353296.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VnRnxMiftBM\LcNBcURbHJSHVt.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1168
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:2068
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TnYmKhddkiZfC\ijSMBnMG.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1444
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LfsaTWsJgVQM\cXzeORIENarS.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
529KB

MD5
859184b1b2b36fb88731fd96ee965d1b

SHA1
a5a953f3f23d19a071611dcbd1e8b55e3d2858d8

SHA256
8c654363589fc90b3bb33d98b6c5dfc2f826b0ad1d79ce41a5f04d5dd0df2f00

SHA512
079fc418292eee683a891e302124969268557d9c758230a92f23521f59f40ffaef6c2220d2679f65c5bedba325821ddb08c6aa67e9c469e84f6e6f846f09f614

Download Submit
C:\Users\Admin\oxnv1.ooccxx

Filesize
529KB

MD5
859184b1b2b36fb88731fd96ee965d1b

SHA1
a5a953f3f23d19a071611dcbd1e8b55e3d2858d8

SHA256
8c654363589fc90b3bb33d98b6c5dfc2f826b0ad1d79ce41a5f04d5dd0df2f00

SHA512
079fc418292eee683a891e302124969268557d9c758230a92f23521f59f40ffaef6c2220d2679f65c5bedba325821ddb08c6aa67e9c469e84f6e6f846f09f614

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
804B

MD5
74f2e7475fc2aff75631977a91e77a87

SHA1
eb245732bf55919f143223a478dc41f6e371cb98

SHA256
be26113f6feb7710055e186eb079c48b095a81014252df7172c0a715aa326e16

SHA512
a4bcf8be0d6ef875cee4b23e90f062888d6b8b5a7220108a514ab274bcf0c352d8ec5a38caf99a0a631cdd04a5d00a98dcd8a00e9ee1de2c882e95ad20756747

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
529KB

MD5
81b3c456b852b93219e820755515ba9f

SHA1
0f0cea00e35a1e1262422f637c43428f4197356c

SHA256
eea560547bb375f2cfd26aa931f9a180f77fe556c077b57ae10814c4f37a4419

SHA512
4c80f788613835a2ce34cf9494a0d510e327977865bd5147a241f5ca21551897d6568dcbce58131c2c7d7ab24e5811f6829ec5187a6d83583c2269831a72bf54

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
529KB

MD5
81b3c456b852b93219e820755515ba9f

SHA1
0f0cea00e35a1e1262422f637c43428f4197356c

SHA256
eea560547bb375f2cfd26aa931f9a180f77fe556c077b57ae10814c4f37a4419

SHA512
4c80f788613835a2ce34cf9494a0d510e327977865bd5147a241f5ca21551897d6568dcbce58131c2c7d7ab24e5811f6829ec5187a6d83583c2269831a72bf54

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
529KB

MD5
2f46c1daaf178d67a677ae1b1c1d46f3

SHA1
bb11749c2ff78664b6ce7a171dd8e18ea503dd22

SHA256
98964a68a1ce52e5834dce4b8f77bb2fe827a1b13ed872de01b44d7568ea56b9

SHA512
3d7951bd65cb70473466ec6bfec2306e8fad36a64e8ba59fc25fa81f2bca0e954c4b954a609b6940fb403d170c1e47dbdc2cf3612a989e80720dd99b5cbe704a

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
529KB

MD5
2f46c1daaf178d67a677ae1b1c1d46f3

SHA1
bb11749c2ff78664b6ce7a171dd8e18ea503dd22

SHA256
98964a68a1ce52e5834dce4b8f77bb2fe827a1b13ed872de01b44d7568ea56b9

SHA512
3d7951bd65cb70473466ec6bfec2306e8fad36a64e8ba59fc25fa81f2bca0e954c4b954a609b6940fb403d170c1e47dbdc2cf3612a989e80720dd99b5cbe704a

Download Submit
C:\Windows\System32\LfsaTWsJgVQM\cXzeORIENarS.dll

Filesize
529KB

MD5
2f46c1daaf178d67a677ae1b1c1d46f3

SHA1
bb11749c2ff78664b6ce7a171dd8e18ea503dd22

SHA256
98964a68a1ce52e5834dce4b8f77bb2fe827a1b13ed872de01b44d7568ea56b9

SHA512
3d7951bd65cb70473466ec6bfec2306e8fad36a64e8ba59fc25fa81f2bca0e954c4b954a609b6940fb403d170c1e47dbdc2cf3612a989e80720dd99b5cbe704a

Download Submit
C:\Windows\System32\TnYmKhddkiZfC\ijSMBnMG.dll

Filesize
529KB

MD5
81b3c456b852b93219e820755515ba9f

SHA1
0f0cea00e35a1e1262422f637c43428f4197356c

SHA256
eea560547bb375f2cfd26aa931f9a180f77fe556c077b57ae10814c4f37a4419

SHA512
4c80f788613835a2ce34cf9494a0d510e327977865bd5147a241f5ca21551897d6568dcbce58131c2c7d7ab24e5811f6829ec5187a6d83583c2269831a72bf54

Download Submit
C:\Windows\System32\VnRnxMiftBM\LcNBcURbHJSHVt.dll

Filesize
529KB

MD5
859184b1b2b36fb88731fd96ee965d1b

SHA1
a5a953f3f23d19a071611dcbd1e8b55e3d2858d8

SHA256
8c654363589fc90b3bb33d98b6c5dfc2f826b0ad1d79ce41a5f04d5dd0df2f00

SHA512
079fc418292eee683a891e302124969268557d9c758230a92f23521f59f40ffaef6c2220d2679f65c5bedba325821ddb08c6aa67e9c469e84f6e6f846f09f614

Download Submit
memory/4616-136-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmp

Filesize
64KB

Download
memory/4616-138-0x00007FFB30520000-0x00007FFB30530000-memory.dmp

Filesize
64KB

Download
memory/4616-137-0x00007FFB30520000-0x00007FFB30530000-memory.dmp

Filesize
64KB

Download
memory/4616-132-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmp

Filesize
64KB

Download
memory/4616-135-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmp

Filesize
64KB

Download
memory/4616-133-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmp

Filesize
64KB

Download
memory/4616-134-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmp

Filesize
64KB

Download
memory/4888-142-0x0000000002180000-0x00000000021AF000-memory.dmp

Filesize
188KB

Download