emotet | 65f6bf1299c82659d54482d0d08ed38dcdf61826f7df7fb68301620933e61e16

General

Target

Scan-02112022.xls
Size

216KB
MD5

bf5319e9d582876aaaa4df46e74e74ee
SHA1

99b2f1ba3cfd48f344fe0552ff4308b1877f7542
SHA256

65f6bf1299c82659d54482d0d08ed38dcdf61826f7df7fb68301620933e61e16
SHA512

64f7434d8f6f820f270f57806c3eb7679a64ea123d79326db560684215afc9b1118efc4aa084edf5bdab8ef8af95e73f2cfdde68b6516791374a528dda46ce1d
SSDEEP

6144:bKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgDyY+TAQXTHGUMEyP5p6f5jQmP:fbGUMVWlbP

Score

10^/10

emotet banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://helpeve.com/multiwp/cxpkaAkAKPRUs4KL/

xlm40.dropper

http://hsweixintp.com/wp-admin/3c2etiFC2RwmHfTS/

xlm40.dropper

http://9hym.com/images/SXVIe4tbJw8ZCfa4TEt/

xlm40.dropper

http://yuanliao.raluking.com/overemotionality/Vfc9v1ebcmaEguw/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2060	1756	regsvr32.exe	79
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4264	1756	regsvr32.exe	79
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3128	1756	regsvr32.exe	79
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5112	1756	regsvr32.exe	79

Downloads MZ/PE file

Loads dropped DLL 3 IoCs

pid	Process
4264	regsvr32.exe
2328	regsvr32.exe
5112	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vmHTYsOL.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\RluPak\\vmHTYsOL.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1756	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4264	regsvr32.exe
4264	regsvr32.exe
2328	regsvr32.exe
2328	regsvr32.exe
2328	regsvr32.exe
2328	regsvr32.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1756	EXCEL.EXE
1756	EXCEL.EXE
1756	EXCEL.EXE
1756	EXCEL.EXE
1756	EXCEL.EXE
1756	EXCEL.EXE
1756	EXCEL.EXE
1756	EXCEL.EXE
1756	EXCEL.EXE
1756	EXCEL.EXE
1756	EXCEL.EXE
1756	EXCEL.EXE
1756	EXCEL.EXE
1756	EXCEL.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2060	1756	EXCEL.EXE	82
PID 1756 wrote to memory of 2060	1756	EXCEL.EXE	82
PID 1756 wrote to memory of 4264	1756	EXCEL.EXE	90
PID 1756 wrote to memory of 4264	1756	EXCEL.EXE	90
PID 4264 wrote to memory of 2328	4264	regsvr32.exe	91
PID 4264 wrote to memory of 2328	4264	regsvr32.exe	91
PID 1756 wrote to memory of 3128	1756	EXCEL.EXE	92
PID 1756 wrote to memory of 3128	1756	EXCEL.EXE	92
PID 1756 wrote to memory of 5112	1756	EXCEL.EXE	95
PID 1756 wrote to memory of 5112	1756	EXCEL.EXE	95

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Scan-02112022.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:2060
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RluPak\vmHTYsOL.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2328
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:3128
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  PID:5112

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\8a1da72bc00a415382c581549b4d1c3e /t 3444 /p 1756
1⤵
PID:1096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv2.ooccxx

Filesize
664KB

MD5
923e4443db85282c068bb32ffc40bed6

SHA1
ef03548d260c87d9678c253a46f3e957b5d96c38

SHA256
85e183783ee8c75802c61fbc0bf5f1b753decb872911bea33cd07efa5537bd81

SHA512
45e15859834ab238e914c3e58b69f4eac702f02f2c4a78a7038a2374c9bc4f3258c7d25cdd86f6787266c4a7a740af85c2aeb062b15e26802e1343f7778a5a0d

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
664KB

MD5
923e4443db85282c068bb32ffc40bed6

SHA1
ef03548d260c87d9678c253a46f3e957b5d96c38

SHA256
85e183783ee8c75802c61fbc0bf5f1b753decb872911bea33cd07efa5537bd81

SHA512
45e15859834ab238e914c3e58b69f4eac702f02f2c4a78a7038a2374c9bc4f3258c7d25cdd86f6787266c4a7a740af85c2aeb062b15e26802e1343f7778a5a0d

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
664KB

MD5
7b23b9056d5dc48edd901b384bc9d88c

SHA1
deb237acc3bcb4400190c4950629e2068e45ffa2

SHA256
512f98422e38c7aaf620704c218fd894beb45eff366cf2eb4fe5218c25019362

SHA512
a88ca76f131524094aac88a31986f6894c008aa33727bd262e9e4d46eab08af2a41e06ffe990bf26fb8bbe2b6c117dc46ededfd52e2139d747d9befacb4c60c7

Download Submit
C:\Users\Admin\oxnv4.ooccxx

Filesize
664KB

MD5
7b23b9056d5dc48edd901b384bc9d88c

SHA1
deb237acc3bcb4400190c4950629e2068e45ffa2

SHA256
512f98422e38c7aaf620704c218fd894beb45eff366cf2eb4fe5218c25019362

SHA512
a88ca76f131524094aac88a31986f6894c008aa33727bd262e9e4d46eab08af2a41e06ffe990bf26fb8bbe2b6c117dc46ededfd52e2139d747d9befacb4c60c7

Download Submit
C:\Windows\System32\RluPak\vmHTYsOL.dll

Filesize
664KB

MD5
923e4443db85282c068bb32ffc40bed6

SHA1
ef03548d260c87d9678c253a46f3e957b5d96c38

SHA256
85e183783ee8c75802c61fbc0bf5f1b753decb872911bea33cd07efa5537bd81

SHA512
45e15859834ab238e914c3e58b69f4eac702f02f2c4a78a7038a2374c9bc4f3258c7d25cdd86f6787266c4a7a740af85c2aeb062b15e26802e1343f7778a5a0d

Download Submit
memory/1756-135-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

Filesize
64KB

Download
memory/1756-138-0x00007FFAB5780000-0x00007FFAB5790000-memory.dmp

Filesize
64KB

Download
memory/1756-137-0x00007FFAB5780000-0x00007FFAB5790000-memory.dmp

Filesize
64KB

Download
memory/1756-136-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

Filesize
64KB

Download
memory/1756-134-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

Filesize
64KB

Download
memory/1756-133-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

Filesize
64KB

Download
memory/1756-132-0x00007FFAB7CB0000-0x00007FFAB7CC0000-memory.dmp

Filesize
64KB

Download
memory/4264-143-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads