emotet | e8085fda85865155aa942efb04e789962791ca7d0338216674a8e28c1e1a60ae

General

Target

e8085fda85865155aa942efb04e789962791ca7d0338216674a8e28c1e1a60ae.xls
Size

217KB
MD5

bc33b79e5ae05e7611a77449a9538610
SHA1

9cac3606f7e4d5a693d53e4b0ba239a26d27a536
SHA256

e8085fda85865155aa942efb04e789962791ca7d0338216674a8e28c1e1a60ae
SHA512

f5ab02ba498e0a2ef0b0c3753ea7eea15a894efb63a3bee81eeb4ef0b489c5a260fe3d2a5cceb19be630ec629769e744c5a83ad8d03db4d91700c864b4d1d9c5
SSDEEP

6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgIyY+TAQXTHGUMEyP5p6f5jQmG:bbGUMVWlbG

Score

10^/10

emotet epoch4 banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://cursosinterativos.com.br/semprichickoff2/pEl/

xlm40.dropper

http://mulmatdol.com/adm/Fa/

xlm40.dropper

http://www.tugarden.com/docs/csv_import/rf6bMPAtbBPiDK/

xlm40.dropper

http://www.darularqompatean.com/asq/IcVMFfwR65Yf8fMd5G/

Extracted

Family

emotet

Botnet

Epoch4

C2

45.235.8.30:8080

94.23.45.86:4143

119.59.103.152:8080

169.60.181.70:8080

164.68.99.3:8080

172.105.226.75:8080

107.170.39.149:8080

206.189.28.199:8080

1.234.2.232:8080

188.44.20.25:443

186.194.240.217:443

103.43.75.120:443

149.28.143.92:443

159.89.202.34:443

209.97.163.214:443

183.111.227.137:8080

129.232.188.93:443

139.59.126.41:443

110.232.117.186:8080

139.59.56.73:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4444	2672	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4904	2672	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5008	2672	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	356	2672	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 4 IoCs

pid	Process
4444	regsvr32.exe
4904	regsvr32.exe
5008	regsvr32.exe
356	regsvr32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FUHAwukwtEuAYyE.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\FKauITcIwaLOcAL\\FUHAwukwtEuAYyE.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spekMdLmAaqsi.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\CgIbBMNBtlEeH\\spekMdLmAaqsi.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BiMEsWNjzHTltTUa.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\VHybpjKgUGKjDII\\BiMEsWNjzHTltTUa.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uauqEHiUfXeRD.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\TlyYlhaUMWpDLPP\\uauqEHiUfXeRD.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2672	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4444	regsvr32.exe
4444	regsvr32.exe
4704	regsvr32.exe
4704	regsvr32.exe
4704	regsvr32.exe
4704	regsvr32.exe
4904	regsvr32.exe
4904	regsvr32.exe
5112	regsvr32.exe
5112	regsvr32.exe
5008	regsvr32.exe
5008	regsvr32.exe
5112	regsvr32.exe
5112	regsvr32.exe
5052	regsvr32.exe
5052	regsvr32.exe
5052	regsvr32.exe
5052	regsvr32.exe
356	regsvr32.exe
356	regsvr32.exe
1272	regsvr32.exe
1272	regsvr32.exe
1272	regsvr32.exe
1272	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2672	EXCEL.EXE
2672	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2672	EXCEL.EXE
2672	EXCEL.EXE
2672	EXCEL.EXE
2672	EXCEL.EXE
2672	EXCEL.EXE
2672	EXCEL.EXE
2672	EXCEL.EXE
2672	EXCEL.EXE
2672	EXCEL.EXE
2672	EXCEL.EXE
2672	EXCEL.EXE
2672	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 4444	2672	EXCEL.EXE	69
PID 2672 wrote to memory of 4444	2672	EXCEL.EXE	69
PID 4444 wrote to memory of 4704	4444	regsvr32.exe	70
PID 4444 wrote to memory of 4704	4444	regsvr32.exe	70
PID 2672 wrote to memory of 4904	2672	EXCEL.EXE	71
PID 2672 wrote to memory of 4904	2672	EXCEL.EXE	71
PID 4904 wrote to memory of 5112	4904	regsvr32.exe	72
PID 4904 wrote to memory of 5112	4904	regsvr32.exe	72
PID 2672 wrote to memory of 5008	2672	EXCEL.EXE	73
PID 2672 wrote to memory of 5008	2672	EXCEL.EXE	73
PID 5008 wrote to memory of 5052	5008	regsvr32.exe	74
PID 5008 wrote to memory of 5052	5008	regsvr32.exe	74
PID 2672 wrote to memory of 356	2672	EXCEL.EXE	75
PID 2672 wrote to memory of 356	2672	EXCEL.EXE	75
PID 356 wrote to memory of 1272	356	regsvr32.exe	76
PID 356 wrote to memory of 1272	356	regsvr32.exe	76

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e8085fda85865155aa942efb04e789962791ca7d0338216674a8e28c1e1a60ae.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VHybpjKgUGKjDII\BiMEsWNjzHTltTUa.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4704
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TlyYlhaUMWpDLPP\uauqEHiUfXeRD.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:5112
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FKauITcIwaLOcAL\FUHAwukwtEuAYyE.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:5052
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:356
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CgIbBMNBtlEeH\spekMdLmAaqsi.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
529KB

MD5
475b778563790430f30ddf9b05c6e0a3

SHA1
47977ed3b8ab508059c2a4acb27b041108de75ea

SHA256
c426f9d6c8f8410d37431d93c7eee26b18eb052ab0334b138f010347bfc1d983

SHA512
98b144798f18723348138074d15e9e36b96401fb61ef6d69a43a4b3997e8cbfbb9ebdf0b996e3d0aedc4d64a5e16a86cbdfe831fa30675abf714104492e5bbda

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
529KB

MD5
9936fa6576f6ba02d1d96357f3aac9cc

SHA1
3c7222a2023c0ee5f8428c63f78d563a79de1af2

SHA256
371f264c56935dbd1fab2eb7091c1540179eafc2fb271cccd4430262d36492f8

SHA512
31947107cf8072009f8f21c172cfc25905d2f90e37d1e0aff5f5455df3ea4756487cd92261a9e6f9d5b5a0b614e8270dfe31a4ba03fb03794e7688a11a604796

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
529KB

MD5
9403aff61752fe527cc2a37668159a83

SHA1
0ac191c7305313fdcb88cc7f4748fcf6a77aeb3f

SHA256
9eb753b1a1a3f74e9ad3de4edc0950c06aae8922477127eedc7949c73793ecce

SHA512
dc4525a8f3c528d78a019292e10c0a8f885eb503ac37620f81ad178c018a24306d104c84b8f1a6700bff840d07cadaee1cada4c2edaa17792af1041cd369119d

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
529KB

MD5
427fea29b64e5664dee117bb2241ca97

SHA1
b1a2439b2da6cbf77cd33362104972051a76648d

SHA256
14677b1d0f14aa9dda095744ddc26f92e85535df3262b82d831ec4d1c164fe6a

SHA512
4f06d75ccde8e7210cdd51c7a6a54b0cbdc6cacfa4097b19d2f3bd2972971d580c63d6b17f7e526bd5e5d10973aeae1cf597bc3f473d9be573b00a8021a45ad0

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
529KB

MD5
475b778563790430f30ddf9b05c6e0a3

SHA1
47977ed3b8ab508059c2a4acb27b041108de75ea

SHA256
c426f9d6c8f8410d37431d93c7eee26b18eb052ab0334b138f010347bfc1d983

SHA512
98b144798f18723348138074d15e9e36b96401fb61ef6d69a43a4b3997e8cbfbb9ebdf0b996e3d0aedc4d64a5e16a86cbdfe831fa30675abf714104492e5bbda

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
529KB

MD5
9936fa6576f6ba02d1d96357f3aac9cc

SHA1
3c7222a2023c0ee5f8428c63f78d563a79de1af2

SHA256
371f264c56935dbd1fab2eb7091c1540179eafc2fb271cccd4430262d36492f8

SHA512
31947107cf8072009f8f21c172cfc25905d2f90e37d1e0aff5f5455df3ea4756487cd92261a9e6f9d5b5a0b614e8270dfe31a4ba03fb03794e7688a11a604796

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
529KB

MD5
9403aff61752fe527cc2a37668159a83

SHA1
0ac191c7305313fdcb88cc7f4748fcf6a77aeb3f

SHA256
9eb753b1a1a3f74e9ad3de4edc0950c06aae8922477127eedc7949c73793ecce

SHA512
dc4525a8f3c528d78a019292e10c0a8f885eb503ac37620f81ad178c018a24306d104c84b8f1a6700bff840d07cadaee1cada4c2edaa17792af1041cd369119d

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
529KB

MD5
427fea29b64e5664dee117bb2241ca97

SHA1
b1a2439b2da6cbf77cd33362104972051a76648d

SHA256
14677b1d0f14aa9dda095744ddc26f92e85535df3262b82d831ec4d1c164fe6a

SHA512
4f06d75ccde8e7210cdd51c7a6a54b0cbdc6cacfa4097b19d2f3bd2972971d580c63d6b17f7e526bd5e5d10973aeae1cf597bc3f473d9be573b00a8021a45ad0

Download Submit
memory/2672-120-0x00007FFCC7A70000-0x00007FFCC7A80000-memory.dmp

Filesize
64KB

Download
memory/2672-123-0x00007FFCC7A70000-0x00007FFCC7A80000-memory.dmp

Filesize
64KB

Download
memory/2672-133-0x00007FFCC4B10000-0x00007FFCC4B20000-memory.dmp

Filesize
64KB

Download
memory/2672-132-0x00007FFCC4B10000-0x00007FFCC4B20000-memory.dmp

Filesize
64KB

Download
memory/2672-122-0x00007FFCC7A70000-0x00007FFCC7A80000-memory.dmp

Filesize
64KB

Download
memory/2672-121-0x00007FFCC7A70000-0x00007FFCC7A80000-memory.dmp

Filesize
64KB

Download
memory/4444-278-0x0000000002550000-0x000000000257F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads