emotet | 536bccbb81866177513ddc2fba026f19cb41575e9007a899a148cd63d6835b47

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2022 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment details.xls
Size

216KB
MD5

2486374800299563ab8934122234242a
SHA1

47bfe94aa96ef43231890f04ccd286b0888e10c8
SHA256

ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c
SHA512

74e52e1e1317908447340cbba32949321ed435f17a524224af80236ecdf67187c83908cca514e82a49b9abe9495125ba741e01ed8f30663124c13fce339c63e5
SSDEEP

6144:bKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgAyY+TAQXTHGUMEyP5p6f5jQmK:GbGUMVWlbK

Score

10^/10

emotet banker persistence trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://audioselec.com/about/dDw5ggtyMojggTqhc/

xlm40.dropper

https://geringer-muehle.de/wp-admin/G/

xlm40.dropper

http://intolove.co.uk/wp-admin/FbGhiWtrEzrQ/

xlm40.dropper

http://isc.net.ua/themes/3rU/

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4148	2952	regsvr32.exe	79
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4624	2952	regsvr32.exe	79
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3844	2952	regsvr32.exe	79
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4436	2952	regsvr32.exe	79

Downloads MZ/PE file

Loads dropped DLL 6 IoCs

pid	Process
4148	regsvr32.exe
2160	regsvr32.exe
4624	regsvr32.exe
2348	regsvr32.exe
3844	regsvr32.exe
4656	regsvr32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XQrToWe.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\PSSJMEeLUnu\\XQrToWe.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nDJBd.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\ECjiYjJlxnC\\nDJBd.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CuowTvdtxS.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\JEFch\\CuowTvdtxS.dll\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2952	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4148	regsvr32.exe
4148	regsvr32.exe
2160	regsvr32.exe
2160	regsvr32.exe
4624	regsvr32.exe
4624	regsvr32.exe
2160	regsvr32.exe
2160	regsvr32.exe
2348	regsvr32.exe
2348	regsvr32.exe
3844	regsvr32.exe
3844	regsvr32.exe
2348	regsvr32.exe
2348	regsvr32.exe
4656	regsvr32.exe
4656	regsvr32.exe
4656	regsvr32.exe
4656	regsvr32.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2952	EXCEL.EXE
2952	EXCEL.EXE
2952	EXCEL.EXE
2952	EXCEL.EXE
2952	EXCEL.EXE
2952	EXCEL.EXE
2952	EXCEL.EXE
2952	EXCEL.EXE
2952	EXCEL.EXE
2952	EXCEL.EXE
2952	EXCEL.EXE
2952	EXCEL.EXE
2952	EXCEL.EXE
2952	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 4148	2952	EXCEL.EXE	85
PID 2952 wrote to memory of 4148	2952	EXCEL.EXE	85
PID 4148 wrote to memory of 2160	4148	regsvr32.exe	86
PID 4148 wrote to memory of 2160	4148	regsvr32.exe	86
PID 2952 wrote to memory of 4624	2952	EXCEL.EXE	88
PID 2952 wrote to memory of 4624	2952	EXCEL.EXE	88
PID 4624 wrote to memory of 2348	4624	regsvr32.exe	90
PID 4624 wrote to memory of 2348	4624	regsvr32.exe	90
PID 2952 wrote to memory of 3844	2952	EXCEL.EXE	91
PID 2952 wrote to memory of 3844	2952	EXCEL.EXE	91
PID 3844 wrote to memory of 4656	3844	regsvr32.exe	92
PID 3844 wrote to memory of 4656	3844	regsvr32.exe	92
PID 2952 wrote to memory of 4436	2952	EXCEL.EXE	93
PID 2952 wrote to memory of 4436	2952	EXCEL.EXE	93

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Payment details.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JEFch\CuowTvdtxS.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2160
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PSSJMEeLUnu\XQrToWe.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2348
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\system32\regsvr32.exe
    C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ECjiYjJlxnC\nDJBd.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4656
- C:\Windows\System32\regsvr32.exe
  C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx
  2⤵
  - Process spawned unexpected child process
  PID:4436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\oxnv1.ooccxx

Filesize
629KB

MD5
787d1e80a09d49c0bfc307de504958e3

SHA1
cc829bbc09d009693df57f6ccca4f96191793561

SHA256
2336fef81abb09cdca09c7c5b0e3eab2b00ebbb9768410852a71be43fa5a2265

SHA512
d6bf7c88da889df3f814839292fb594ead0c9b54cebdd752b31639446fab18528a3fd28adc4a2bf5dc119fd62fe544a817457a9838670607c15953b7f08d12e2

Download Submit
C:\Users\Admin\oxnv1.ooccxx

Filesize
629KB

MD5
787d1e80a09d49c0bfc307de504958e3

SHA1
cc829bbc09d009693df57f6ccca4f96191793561

SHA256
2336fef81abb09cdca09c7c5b0e3eab2b00ebbb9768410852a71be43fa5a2265

SHA512
d6bf7c88da889df3f814839292fb594ead0c9b54cebdd752b31639446fab18528a3fd28adc4a2bf5dc119fd62fe544a817457a9838670607c15953b7f08d12e2

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
629KB

MD5
04dffc46734fc6a96a6e19731b165e1a

SHA1
347ad4ca88d5b6ec3807e92cba274ecf12d40f64

SHA256
5c3c3d5880a96d6f21b86ed97d7edc4fdde99e2d78926bd52a1b89c950b39b85

SHA512
dfb753a46e88b47cd727f171b18194c08bfbc41bf66bfa9a7b0270782ebc9cdbed08f514272ac95656477bb7625f3afdd5831a0b11dc3d2dfebfc5bf57d0c2f5

Download Submit
C:\Users\Admin\oxnv2.ooccxx

Filesize
629KB

MD5
04dffc46734fc6a96a6e19731b165e1a

SHA1
347ad4ca88d5b6ec3807e92cba274ecf12d40f64

SHA256
5c3c3d5880a96d6f21b86ed97d7edc4fdde99e2d78926bd52a1b89c950b39b85

SHA512
dfb753a46e88b47cd727f171b18194c08bfbc41bf66bfa9a7b0270782ebc9cdbed08f514272ac95656477bb7625f3afdd5831a0b11dc3d2dfebfc5bf57d0c2f5

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
629KB

MD5
597a6cfa3f690e6f7a83abe961522860

SHA1
0170a62569cbd03aa16bc0a1c90616cca4d986af

SHA256
85ea4bb7c87f7620502c5952481b3e6bc4ca01ac3386160eb733927894a65863

SHA512
9b93d9649df3b180444332cdee132772acc265498d2928488e91a90f53758d54632cc10c094f91f5f9f53fa73bf8777e5d457435e19de6847450734c711db06b

Download Submit
C:\Users\Admin\oxnv3.ooccxx

Filesize
629KB

MD5
597a6cfa3f690e6f7a83abe961522860

SHA1
0170a62569cbd03aa16bc0a1c90616cca4d986af

SHA256
85ea4bb7c87f7620502c5952481b3e6bc4ca01ac3386160eb733927894a65863

SHA512
9b93d9649df3b180444332cdee132772acc265498d2928488e91a90f53758d54632cc10c094f91f5f9f53fa73bf8777e5d457435e19de6847450734c711db06b

Download Submit
C:\Windows\System32\ECjiYjJlxnC\nDJBd.dll

Filesize
629KB

MD5
597a6cfa3f690e6f7a83abe961522860

SHA1
0170a62569cbd03aa16bc0a1c90616cca4d986af

SHA256
85ea4bb7c87f7620502c5952481b3e6bc4ca01ac3386160eb733927894a65863

SHA512
9b93d9649df3b180444332cdee132772acc265498d2928488e91a90f53758d54632cc10c094f91f5f9f53fa73bf8777e5d457435e19de6847450734c711db06b

Download Submit
C:\Windows\System32\JEFch\CuowTvdtxS.dll

Filesize
629KB

MD5
787d1e80a09d49c0bfc307de504958e3

SHA1
cc829bbc09d009693df57f6ccca4f96191793561

SHA256
2336fef81abb09cdca09c7c5b0e3eab2b00ebbb9768410852a71be43fa5a2265

SHA512
d6bf7c88da889df3f814839292fb594ead0c9b54cebdd752b31639446fab18528a3fd28adc4a2bf5dc119fd62fe544a817457a9838670607c15953b7f08d12e2

Download Submit
C:\Windows\System32\PSSJMEeLUnu\XQrToWe.dll

Filesize
629KB

MD5
04dffc46734fc6a96a6e19731b165e1a

SHA1
347ad4ca88d5b6ec3807e92cba274ecf12d40f64

SHA256
5c3c3d5880a96d6f21b86ed97d7edc4fdde99e2d78926bd52a1b89c950b39b85

SHA512
dfb753a46e88b47cd727f171b18194c08bfbc41bf66bfa9a7b0270782ebc9cdbed08f514272ac95656477bb7625f3afdd5831a0b11dc3d2dfebfc5bf57d0c2f5

Download Submit
memory/2160-145-0x0000000000000000-mapping.dmp

Download
memory/2348-156-0x0000000000000000-mapping.dmp

Download
memory/2952-137-0x00007FFDF4E50000-0x00007FFDF4E60000-memory.dmp

Filesize
64KB

Download
memory/2952-177-0x00007FFDF6EB0000-0x00007FFDF6EC0000-memory.dmp

Filesize
64KB

Download
memory/2952-176-0x00007FFDF6EB0000-0x00007FFDF6EC0000-memory.dmp

Filesize
64KB

Download
memory/2952-132-0x00007FFDF6EB0000-0x00007FFDF6EC0000-memory.dmp

Filesize
64KB

Download
memory/2952-138-0x00007FFDF4E50000-0x00007FFDF4E60000-memory.dmp

Filesize
64KB

Download
memory/2952-174-0x00007FFDF6EB0000-0x00007FFDF6EC0000-memory.dmp

Filesize
64KB

Download
memory/2952-136-0x00007FFDF6EB0000-0x00007FFDF6EC0000-memory.dmp

Filesize
64KB

Download
memory/2952-135-0x00007FFDF6EB0000-0x00007FFDF6EC0000-memory.dmp

Filesize
64KB

Download
memory/2952-134-0x00007FFDF6EB0000-0x00007FFDF6EC0000-memory.dmp

Filesize
64KB

Download
memory/2952-175-0x00007FFDF6EB0000-0x00007FFDF6EC0000-memory.dmp

Filesize
64KB

Download
memory/2952-133-0x00007FFDF6EB0000-0x00007FFDF6EC0000-memory.dmp

Filesize
64KB

Download
memory/3844-158-0x0000000000000000-mapping.dmp

Download
memory/4148-139-0x0000000000000000-mapping.dmp

Download
memory/4148-142-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download
memory/4436-172-0x0000000000000000-mapping.dmp

Download
memory/4624-150-0x0000000000000000-mapping.dmp

Download
memory/4656-167-0x0000000000000000-mapping.dmp

Download