emotet | 64ff2f53597a590af0608eb012ffd3320f647949019b806da2cbf6fed1eae264

Analysis

max time kernel
145s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2022, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03112022.xls
Size

217KB
MD5

2cbd1cdca247f0f28fc63a5c0e0b13d5
SHA1

966e13dfaa1080606d3f47e8cb6c3abd5568b847
SHA256

64ff2f53597a590af0608eb012ffd3320f647949019b806da2cbf6fed1eae264
SHA512

5f5379a66fa9aacb0563c25ed18dd56e605836b4a4813dc8694df1097183878d2d072ef6530832c0319b7f611ab2c96e68265b52d9e29996fcc6ab3ea62ebad6
SSDEEP

6144:OKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgJyY+TAQXTHGUMEyP5p6f5jQm1:4bGUMVWlb1

Score

10^/10

emotet banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://ruitaiwz.com/wp-admin/sV1NeVxLDiHJ1xm/

xlm40.dropper

http://wordpress.xinmoshiwang.com/list/cRIH9Bd/

xlm40.dropper

http://cultura.educad.pe/wp-content/A86I7QxwuEZV/

xlm40.dropper

http://voinet.ca/cgi-bin/RXDWHpi8dHHZf8/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	752	892	regsvr32.exe	76
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2188	892	regsvr32.exe	76
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4524	892	regsvr32.exe	76
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3036	892	regsvr32.exe	76

Downloads MZ/PE file

Loads dropped DLL 6 IoCs

pid	Process
752	regsvr32.exe
1684	regsvr32.exe
2188	regsvr32.exe
3664	regsvr32.exe
4524	regsvr32.exe
2376	regsvr32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ufMjPVUgl.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\DNlXf\\ufMjPVUgl.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AoyfyWMqOv.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\ZUqyz\\AoyfyWMqOv.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipEIoowHaP.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\JOrsE\\ipEIoowHaP.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
892	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
752	regsvr32.exe
752	regsvr32.exe
1684	regsvr32.exe
1684	regsvr32.exe
1684	regsvr32.exe
1684	regsvr32.exe
2188	regsvr32.exe
2188	regsvr32.exe
3664	regsvr32.exe
3664	regsvr32.exe
3664	regsvr32.exe
3664	regsvr32.exe
4524	regsvr32.exe
4524	regsvr32.exe
2376	regsvr32.exe
2376	regsvr32.exe
2376	regsvr32.exe
2376	regsvr32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 752	892	EXCEL.EXE	86
PID 892 wrote to memory of 752	892	EXCEL.EXE	86
PID 752 wrote to memory of 1684	752	regsvr32.exe	87
PID 752 wrote to memory of 1684	752	regsvr32.exe	87
PID 892 wrote to memory of 2188	892	EXCEL.EXE	90
PID 892 wrote to memory of 2188	892	EXCEL.EXE	90
PID 2188 wrote to memory of 3664	2188	regsvr32.exe	91
PID 2188 wrote to memory of 3664	2188	regsvr32.exe	91
PID 892 wrote to memory of 4524	892	EXCEL.EXE	92
PID 892 wrote to memory of 4524	892	EXCEL.EXE	92
PID 4524 wrote to memory of 2376	4524	regsvr32.exe	93
PID 4524 wrote to memory of 2376	4524	regsvr32.exe	93
PID 892 wrote to memory of 3036	892	EXCEL.EXE	94
PID 892 wrote to memory of 3036	892	EXCEL.EXE	94

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\03112022.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DNlXf\ufMjPVUgl.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1684
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZUqyz\AoyfyWMqOv.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:3664
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JOrsE\ipEIoowHaP.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2376
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe /S ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:3036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
727KB

MD5
2817cc6c71db526b978c3188c0869ebb

SHA1
a11b5d81591c4f6b57d2a2aac94db70c3f8eca8d

SHA256
22fe1991115d9ed9aaf7e6994b0fe0965a9f1d5ce035b43e57bed7f7e23f1069

SHA512
f1c461f8b735b3d32ca9f9432ae3eed764f02eb8de311af408bc243e61e8ec6632bf4723d9e16ac07abdfb6572da440e690357671462e6d9f8a97f5e7585578d

Download Submit
C:\Users\Admin\oxnv1.ooccxx

Filesize
727KB

MD5
2817cc6c71db526b978c3188c0869ebb

SHA1
a11b5d81591c4f6b57d2a2aac94db70c3f8eca8d

SHA256
22fe1991115d9ed9aaf7e6994b0fe0965a9f1d5ce035b43e57bed7f7e23f1069

SHA512
f1c461f8b735b3d32ca9f9432ae3eed764f02eb8de311af408bc243e61e8ec6632bf4723d9e16ac07abdfb6572da440e690357671462e6d9f8a97f5e7585578d

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
727KB

MD5
d9b469ea18de530d3bb94a10220c4d82

SHA1
af5a16c5e4c418c7491b684c0f21aa636a4751c0

SHA256
8d3bb8fd36d20868dbb952eff9dd1c6ee326064dacdb44ea4e0b81dc68a4b138

SHA512
0f8190ba901c7f46e770e151a7628d964faa48276fec17b92553a51ef4c55995ac30e16a401d7aa190d146e538470572fb392c59999556c66895bc7cebea497a

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
727KB

MD5
d9b469ea18de530d3bb94a10220c4d82

SHA1
af5a16c5e4c418c7491b684c0f21aa636a4751c0

SHA256
8d3bb8fd36d20868dbb952eff9dd1c6ee326064dacdb44ea4e0b81dc68a4b138

SHA512
0f8190ba901c7f46e770e151a7628d964faa48276fec17b92553a51ef4c55995ac30e16a401d7aa190d146e538470572fb392c59999556c66895bc7cebea497a

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
727KB

MD5
87a7519ba6ac25838a41e2d0fa606d02

SHA1
9e2f2255c42909fa4f94c92024c0ef3a3843cecd

SHA256
443ee26c33be809e9443abeb41658e4811d68da4e705eba9ac5941110fdc4f9a

SHA512
db0ac2bd3dc6b4a1d975cc8a39ff913e414983ddc3cdbbaee39f83ed5e2f8ca5e043290de1e709e451061f22d83d37f2ac70f72d759b57dcc99976799f1840d1

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
727KB

MD5
87a7519ba6ac25838a41e2d0fa606d02

SHA1
9e2f2255c42909fa4f94c92024c0ef3a3843cecd

SHA256
443ee26c33be809e9443abeb41658e4811d68da4e705eba9ac5941110fdc4f9a

SHA512
db0ac2bd3dc6b4a1d975cc8a39ff913e414983ddc3cdbbaee39f83ed5e2f8ca5e043290de1e709e451061f22d83d37f2ac70f72d759b57dcc99976799f1840d1

Download Submit
C:\Windows\System32\DNlXf\ufMjPVUgl.dll

Filesize
727KB

MD5
2817cc6c71db526b978c3188c0869ebb

SHA1
a11b5d81591c4f6b57d2a2aac94db70c3f8eca8d

SHA256
22fe1991115d9ed9aaf7e6994b0fe0965a9f1d5ce035b43e57bed7f7e23f1069

SHA512
f1c461f8b735b3d32ca9f9432ae3eed764f02eb8de311af408bc243e61e8ec6632bf4723d9e16ac07abdfb6572da440e690357671462e6d9f8a97f5e7585578d

Download Submit
C:\Windows\System32\JOrsE\ipEIoowHaP.dll

Filesize
727KB

MD5
87a7519ba6ac25838a41e2d0fa606d02

SHA1
9e2f2255c42909fa4f94c92024c0ef3a3843cecd

SHA256
443ee26c33be809e9443abeb41658e4811d68da4e705eba9ac5941110fdc4f9a

SHA512
db0ac2bd3dc6b4a1d975cc8a39ff913e414983ddc3cdbbaee39f83ed5e2f8ca5e043290de1e709e451061f22d83d37f2ac70f72d759b57dcc99976799f1840d1

Download Submit
C:\Windows\System32\ZUqyz\AoyfyWMqOv.dll

Filesize
727KB

MD5
d9b469ea18de530d3bb94a10220c4d82

SHA1
af5a16c5e4c418c7491b684c0f21aa636a4751c0

SHA256
8d3bb8fd36d20868dbb952eff9dd1c6ee326064dacdb44ea4e0b81dc68a4b138

SHA512
0f8190ba901c7f46e770e151a7628d964faa48276fec17b92553a51ef4c55995ac30e16a401d7aa190d146e538470572fb392c59999556c66895bc7cebea497a

Download Submit
memory/752-142-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/892-138-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmp

Filesize
64KB

Download
memory/892-132-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/892-137-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmp

Filesize
64KB

Download
memory/892-136-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/892-135-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/892-134-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/892-133-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download