emotet | 2c96ce99a90ecb02a596bec5d3b2b47246da523147f20ec80a18457a12a6c2af

General

Target

cd99b899c5a3d6ddb22969605b079375da897362b4d599fc9eebb1e21115a31d.xls
Size

216KB
MD5

d3b182de8c99553a9f2b6d0f3f030a4f
SHA1

d5bd989ffde2f67133b6404f9f234d13e618c206
SHA256

cd99b899c5a3d6ddb22969605b079375da897362b4d599fc9eebb1e21115a31d
SHA512

3abe78e4fca03e90d59818cded37a9feff6f7ade11cee1ef07c7ccd70cc4e250f7d835161409f0e8ba97cff4a678ef234298cb293ecac60e1ec0667a8904e484
SSDEEP

6144:WKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgUyY+TAQXTHGUMEyP5p6f5jQm+:XbGUMVWlb+

Score

10^/10

emotet banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://sat7ate.com/wordpress/ZAf5j4MG8Hwnig/

xlm40.dropper

http://www.spinbalence.com/Adapter/moycMR/

xlm40.dropper

http://www.3d-stickers.com/Content/Afa1PcRuxh/

xlm40.dropper

http://navylin.com/bsavxiv/axHQYKl/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3936	2344	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4872	2344	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4384	2344	regsvr32.exe	65
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	912	2344	regsvr32.exe	65

Downloads MZ/PE file

Loads dropped DLL 4 IoCs

pid	Process
3936	regsvr32.exe
4872	regsvr32.exe
4384	regsvr32.exe
912	regsvr32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSclcHkSjGscVss.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\JIjupctk\\MSclcHkSjGscVss.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nCymNgzEgPqbQjr.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\EUEHlacz\\nCymNgzEgPqbQjr.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HfNXuWCmXqyXps.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\CeNAkZLlnjfWTGbHb\\HfNXuWCmXqyXps.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZXTvztjBCzqxnvGY.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\FKBYrCWSBNamxPW\\ZXTvztjBCzqxnvGY.dll\""	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2344	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3936	regsvr32.exe
3936	regsvr32.exe
4972	regsvr32.exe
4972	regsvr32.exe
4872	regsvr32.exe
4872	regsvr32.exe
4972	regsvr32.exe
4972	regsvr32.exe
4540	regsvr32.exe
4540	regsvr32.exe
4384	regsvr32.exe
4384	regsvr32.exe
4540	regsvr32.exe
4540	regsvr32.exe
4564	regsvr32.exe
4564	regsvr32.exe
4564	regsvr32.exe
4564	regsvr32.exe
912	regsvr32.exe
912	regsvr32.exe
760	regsvr32.exe
760	regsvr32.exe
760	regsvr32.exe
760	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2344	EXCEL.EXE
2344	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE
2344	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 3936	2344	EXCEL.EXE	70
PID 2344 wrote to memory of 3936	2344	EXCEL.EXE	70
PID 3936 wrote to memory of 4972	3936	regsvr32.exe	72
PID 3936 wrote to memory of 4972	3936	regsvr32.exe	72
PID 2344 wrote to memory of 4872	2344	EXCEL.EXE	73
PID 2344 wrote to memory of 4872	2344	EXCEL.EXE	73
PID 4872 wrote to memory of 4540	4872	regsvr32.exe	75
PID 4872 wrote to memory of 4540	4872	regsvr32.exe	75
PID 2344 wrote to memory of 4384	2344	EXCEL.EXE	76
PID 2344 wrote to memory of 4384	2344	EXCEL.EXE	76
PID 4384 wrote to memory of 4564	4384	regsvr32.exe	77
PID 4384 wrote to memory of 4564	4384	regsvr32.exe	77
PID 2344 wrote to memory of 912	2344	EXCEL.EXE	78
PID 2344 wrote to memory of 912	2344	EXCEL.EXE	78
PID 912 wrote to memory of 760	912	regsvr32.exe	79
PID 912 wrote to memory of 760	912	regsvr32.exe	79

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\cd99b899c5a3d6ddb22969605b079375da897362b4d599fc9eebb1e21115a31d.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FKBYrCWSBNamxPW\ZXTvztjBCzqxnvGY.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4972
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JIjupctk\MSclcHkSjGscVss.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4540
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EUEHlacz\nCymNgzEgPqbQjr.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4564
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CeNAkZLlnjfWTGbHb\HfNXuWCmXqyXps.dll"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
664KB

MD5
8c84b4ba29bb16d397078676e71a3669

SHA1
c842411a6772049e2cc7c0fcb35d7d6ceff6a426

SHA256
35241dbb8590472043d87a90eba13916e02147da646581752ca0122c881ec03c

SHA512
5ade5d795e95bfda8e58fef9fdc890cc8adcb86d6f84759755a10e3725ec6f9bcc099e214c6e0987419631c33616e3908f128103c770c4d1b3030332ac6ed0ee

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
664KB

MD5
6d12fd007ef6f0fd67b5be282170a65f

SHA1
f1752518fd33ecc5bb25089a1e0b371c36a409c4

SHA256
9af8e583a3402c8ec31dc6b8ae12415037a12d28ac895b36a14d747241b825db

SHA512
4d830a68e112bb5554a44b753ba8905d8ad4dccf0ad69f4714ddcabaf188ca15570dbd62ad7b2793774b79b3e30ed32f6f08c2326375ddcdac6e305bc64461ed

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
664KB

MD5
6abdd2f691f1579d2be698a1b4caf600

SHA1
3626ae221718fe548253d0f23055e0f8e331050e

SHA256
db3c9289cedf46fd3d7e257dbc531e614326f6ac9f61a08787a02a16ed4630a4

SHA512
cd30c0aa4e24f25fbcbab2ca1cd596455db67038355c9baa6fb59396107d17675a5454efa98aecd04c782bd869604c1f6b634a1cc4714596c5c462fc68f592dd

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
664KB

MD5
10511caff5ffcf8706a8e3e688272d1d

SHA1
1b39593e12686b5380e8aca3dc6be03f8b7e8608

SHA256
434af3754ec6394f999482d9779506a5753984d819866343b79e66676c53349d

SHA512
ccca2067104281c56ad53e563b2979294b1462d5d41d0728ec4e5dd4d795de00c32b2ba3e076b57e83e90aee8ddabc9080b983df363b5c66f3946ba9e88e581b

Download Submit
\Users\Admin\oxnv1.ooccxx

Filesize
664KB

MD5
8c84b4ba29bb16d397078676e71a3669

SHA1
c842411a6772049e2cc7c0fcb35d7d6ceff6a426

SHA256
35241dbb8590472043d87a90eba13916e02147da646581752ca0122c881ec03c

SHA512
5ade5d795e95bfda8e58fef9fdc890cc8adcb86d6f84759755a10e3725ec6f9bcc099e214c6e0987419631c33616e3908f128103c770c4d1b3030332ac6ed0ee

Download Submit
\Users\Admin\oxnv2.ooccxx

Filesize
664KB

MD5
6d12fd007ef6f0fd67b5be282170a65f

SHA1
f1752518fd33ecc5bb25089a1e0b371c36a409c4

SHA256
9af8e583a3402c8ec31dc6b8ae12415037a12d28ac895b36a14d747241b825db

SHA512
4d830a68e112bb5554a44b753ba8905d8ad4dccf0ad69f4714ddcabaf188ca15570dbd62ad7b2793774b79b3e30ed32f6f08c2326375ddcdac6e305bc64461ed

Download Submit
\Users\Admin\oxnv3.ooccxx

Filesize
664KB

MD5
6abdd2f691f1579d2be698a1b4caf600

SHA1
3626ae221718fe548253d0f23055e0f8e331050e

SHA256
db3c9289cedf46fd3d7e257dbc531e614326f6ac9f61a08787a02a16ed4630a4

SHA512
cd30c0aa4e24f25fbcbab2ca1cd596455db67038355c9baa6fb59396107d17675a5454efa98aecd04c782bd869604c1f6b634a1cc4714596c5c462fc68f592dd

Download Submit
\Users\Admin\oxnv4.ooccxx

Filesize
664KB

MD5
10511caff5ffcf8706a8e3e688272d1d

SHA1
1b39593e12686b5380e8aca3dc6be03f8b7e8608

SHA256
434af3754ec6394f999482d9779506a5753984d819866343b79e66676c53349d

SHA512
ccca2067104281c56ad53e563b2979294b1462d5d41d0728ec4e5dd4d795de00c32b2ba3e076b57e83e90aee8ddabc9080b983df363b5c66f3946ba9e88e581b

Download Submit
memory/2344-131-0x00007FFEF20A0000-0x00007FFEF20B0000-memory.dmp

Filesize
64KB

Download
memory/2344-121-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2344-130-0x00007FFEF20A0000-0x00007FFEF20B0000-memory.dmp

Filesize
64KB

Download
memory/2344-120-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2344-118-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2344-119-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/3936-260-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads